Bug #2012: dns.log does not log unanswered queries
Status: closed
Affected Versions:
Effort:
Difficulty:
Label:
Description
With a minimal suricata.yaml file:
%YAML 1.1
---
default-log-dir: .
outputs:
  - eve-log:
      enabled: yes
      type: file
      filename: dns.json
      types:
        - dns
  - dns-log:
      enabled: yes
      filename: dns.log
the attached pcap will generate dns.json containing:
{"timestamp":"2017-01-30T14:05:11.592025-0500","flow_id":1141428602734745,"pcap_cnt":9,"event_type":"dns","src_ip":"10.0.0.7","src_port":43212,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":41884,"rrname":"www.google.com","rrtype":"A","tx_id":0}}
{"timestamp":"2017-01-30T14:04:17.295571-0500","flow_id":878117039211155,"pcap_cnt":1,"event_type":"dns","src_ip":"10.0.0.7","src_port":54399,"dest_ip":"8.8.8.7","dest_port":53,"proto":"UDP","dns":{"type":"query","id":766,"rrname":"www.google.com","rrtype":"A","tx_id":0}}
{"timestamp":"2017-01-30T14:04:34.511740-0500","flow_id":667466074345212,"pcap_cnt":4,"event_type":"dns","src_ip":"10.0.0.7","src_port":53500,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":36059,"rrname":"www.google.com","rrtype":"A","tx_id":0}}
{"timestamp":"2017-01-30T14:05:11.607615-0500","flow_id":1141428602734745,"pcap_cnt":10,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.0.0.7","dest_port":43212,"proto":"UDP","dns":{"type":"answer","id":41884,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":202,"rdata":"172.217.1.196"}}
{"timestamp":"2017-01-30T14:04:34.525369-0500","flow_id":667466074345212,"pcap_cnt":5,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.0.0.7","dest_port":53500,"proto":"UDP","dns":{"type":"answer","id":36059,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":87,"rdata":"172.217.1.196"}}
{"timestamp":"2017-01-30T14:04:36.042150-0500","flow_id":2008599677412518,"pcap_cnt":6,"event_type":"dns","src_ip":"10.0.0.7","src_port":41743,"dest_ip":"8.8.8.7","dest_port":53,"proto":"UDP","dns":{"type":"query","id":20578,"rrname":"www.google.com","rrtype":"A","tx_id":0}}
and dns.log containing:
01/30/2017-14:05:11.607615 [**] Query TX a39c [**] www.google.com [**] A [**] 10.0.0.7:43212 -> 8.8.8.8:53
01/30/2017-14:04:34.525369 [**] Query TX 8cdb [**] www.google.com [**] A [**] 10.0.0.7:53500 -> 8.8.8.8:53
01/30/2017-14:04:34.525369 [**] Response TX 8cdb [**] Recursion Desired [**] 8.8.8.8:53 -> 10.0.0.7:53500
01/30/2017-14:05:11.607615 [**] Response TX a39c [**] Recursion Desired [**] 8.8.8.8:53 -> 10.0.0.7:43212
01/30/2017-14:04:34.525369 [**] Response TX 8cdb [**] www.google.com [**] A [**] TTL 87 [**] 172.217.1.196 [**] 8.8.8.8:53 -> 10.0.0.7:53500
01/30/2017-14:05:11.607615 [**] Response TX a39c [**] www.google.com [**] A [**] TTL 202 [**] 172.217.1.196 [**] 8.8.8.8:53 -> 10.0.0.7:43212
Note that the queries to IP 8.8.8.7 do not appear in dns.log but do appear in dns.json. Ideally dns.log would also include those queries.
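Until dns.log covers this case, the unanswered queries can be recovered from the eve output, since eve-log emits every query as it is seen. The script below is an added example, not part of this report or of Suricata: it pairs eve dns query and answer events on (flow_id, dns.id) and prints the queries that never got an answer in a dns.log-like line (transaction id in hex, as dns.log shows it). The sample input is a constructed subset of the dns.json events quoted above.

```python
import json

# Constructed sample: three of the eve dns.json events quoted in this report
# (one unanswered query to 8.8.8.7, one answered query to 8.8.8.8).
SAMPLE_EVE = """
{"timestamp":"2017-01-30T14:04:17.295571-0500","flow_id":878117039211155,"pcap_cnt":1,"event_type":"dns","src_ip":"10.0.0.7","src_port":54399,"dest_ip":"8.8.8.7","dest_port":53,"proto":"UDP","dns":{"type":"query","id":766,"rrname":"www.google.com","rrtype":"A","tx_id":0}}
{"timestamp":"2017-01-30T14:04:34.511740-0500","flow_id":667466074345212,"pcap_cnt":4,"event_type":"dns","src_ip":"10.0.0.7","src_port":53500,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":36059,"rrname":"www.google.com","rrtype":"A","tx_id":0}}
{"timestamp":"2017-01-30T14:04:34.525369-0500","flow_id":667466074345212,"pcap_cnt":5,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.0.0.7","dest_port":53500,"proto":"UDP","dns":{"type":"answer","id":36059,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":87,"rdata":"172.217.1.196"}}
"""


def unanswered_queries(lines):
    """Return the eve dns query events that never received an answer.

    Queries and answers are paired on (flow_id, dns.id): the flow_id ties
    the answer to the client's source port, and dns.id is the DNS
    transaction id (dns.log prints it in hex, e.g. 36059 -> 8cdb).
    """
    queries = {}
    answered = set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "dns":
            continue
        key = (ev["flow_id"], ev["dns"]["id"])
        if ev["dns"]["type"] == "query":
            queries.setdefault(key, ev)  # keep the first query seen
        elif ev["dns"]["type"] == "answer":
            answered.add(key)
    return [q for key, q in queries.items() if key not in answered]


def format_dns_log(ev):
    """Render a query in the dns.log style (timestamp kept in eve form)."""
    d = ev["dns"]
    return "%s [**] Query TX %04x [**] %s [**] %s [**] %s:%d -> %s:%d" % (
        ev["timestamp"], d["id"], d["rrname"], d["rrtype"],
        ev["src_ip"], ev["src_port"], ev["dest_ip"], ev["dest_port"])


if __name__ == "__main__":
    for q in unanswered_queries(SAMPLE_EVE.splitlines()):
        print(format_dns_log(q))
```

Run against the full dns.json from the report, it lists the two queries to 8.8.8.7 (TX 02fe and 5062) that dns.log omits.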
Files