How to use Suricata (offline analysis, PCAP) as Passive DNS records producer
wget https://github.com/srameko/Suricata-Passive-DNS/archive/master.zip
cd /Suricata-Passive-DNS/
cp pdns.yaml /etc/suricata/
mkdir /etc/suricata/scripts
cp pdns.lua /etc/suricata/scripts/Suricata 3.2.4@CentOS 7.4.1708 (rpm package)
Don't forget to test your pdns config file suricata -c <path-to-pdns.yaml> -T
Default log path is /var/log/suricata/pdns.log
Passive DNS log format: TIMESTAMP TYPE RRNAME ADDR
Thanks to Jason Ish and his Suricata Verification Tests Project (Lua Output DNS) which I used to edit and create this Project.