Project

General

Profile

Actions

Bug #1379

closed

EVE json missing CNAME rdata

Added by jason jones over 9 years ago. Updated over 9 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Using suricata 2.0.6, dns output for CNAME entries appear to be missing rdata in the EVE json log. I have verified that this is in the raw dns.log.

Example below of CNAME responses for the same hostname with the missing data:

DNS Log:

<Redacted> [**] Response TX <redacted> [**] init-p01st.push.apple.com [**] CNAME [**] TTL 32 [**] init-p01st.push.apple.com.edgesuite.net [**] <redacted>

EVE Json:

{"timestamp":"<redacted>","event_type":"dns","src_ip":"<redacted>","src_port":53,"dest_ip":"<redacted>","dest_port":<redacted>,"proto":"UDP","dns":{"type":"answer","id":<redacted>,"rrname":"init-p01st.push.apple.com","rrtype":"CNAME","ttl":13}}

Actions #1

Updated by David Cannings over 9 years ago

  • Status changed from New to Resolved
  • Assignee set to David Cannings
  • Target version set to 3.0RC1
  • % Done changed from 0 to 100

This should have been fixed in PR #1425 (https://github.com/inliniac/suricata/pull/1425). Changes are in 2.1beta4.

Actions #2

Updated by Victor Julien over 9 years ago

  • Status changed from Resolved to Closed
  • Target version changed from 3.0RC1 to 2.1beta4
Actions

Also available in: Atom PDF