Feature #2199

closed

DNS answer events compacted

Added by Giuseppe Longo over 7 years ago. Updated almost 7 years ago.

Status:
Closed
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

If a DNS response packet has many answers, each of them is logged as a separate line.
It would be good to provide a way to compact them, logging all the answers in one line,
and let the user choose whether to enable or disable this setting.

Eric and I have proposed and discussed with Jason Ish the following format:

{
  "dns": {
    "type": "answer",
    "id": 10451,
    "rcode": "NOERROR",
    "rrname": "time.windows.com",
    "ttl": 2755,
    "rrtype": [
      "A",
      "CNAME"
    ],
    "rdata": {
      "A": [
        "207.46.197.32"
      ],
      "CNAME": [
        "time.microsoft.akadns.net"
      ]
    }
  }
}

But we found that this is not correct, because information like the ttl is lost,
so we decided to follow the format below:

{
  "timestamp": "2017-04-20T21:15:58.732859+0000",
  "flow_id": 1507173365328989,
  "pcap_cnt": 2,
  "event_type": "dns",
  "src_ip": "10.16.1.1",
  "src_port": 53,
  "dest_ip": "10.16.1.11",
  "dest_port": 41805,
  "proto": "UDP",
  "dns": {
    "type": "answer",
    "id": 36146,
    "rcode": "NOERROR",
    "answers": [
      {
        "rrname": "www.suricata-ids.org",
        "rrtype": "CNAME",
        "ttl": 3544,
        "rdata": "suricata-ids.org"
      },
      {
        "rrname": "suricata-ids.org",
        "rrtype": "A",
        "ttl": 244,
        "rdata": "192.0.78.24"
      },
      {
        "rrname": "suricata-ids.org",
        "rrtype": "A",
        "ttl": 244,
        "rdata": "192.0.78.25"
      }
    ],
    "metadata": {
      "A": [
        "192.0.78.24",
        "192.0.78.25"
      ],
      "CNAME": [
        "suricata-ids.org"
      ]
    }
  }
}

This option can be enabled or disabled in suricata.yaml,
under the eve-log.types.dns section:

- dns:
    # control logging of queries and answers
    # default yes, no to disable
    query: yes          # enable logging of DNS queries
    answer: yes         # enable logging of DNS answers
    answer-compact: no  # enable logging of DNS answers in one line
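The following is an added example, not code from Suricata or from this issue, showing how the per-answer EVE lines that non-compact logging produces can be merged into the agreed format above (one event per DNS transaction with an "answers" array that keeps each record's own ttl, plus a "metadata" map grouping rdata by rrtype), with a flag standing in for the proposed answer-compact setting. The sample EVE lines, the grouping key (flow 5-tuple plus DNS id) and the function names are assumptions made for the example.

```python
import json
from collections import defaultdict


def _sample_event(dns, flow_id=1507173365328989, pcap_cnt=2):
    # Constructed sample line (not real Suricata output); one EVE "dns"
    # event per answer record, the way non-compact logging emits them.
    return json.dumps({
        "timestamp": "2017-04-20T21:15:58.732859+0000", "flow_id": flow_id,
        "pcap_cnt": pcap_cnt, "event_type": "dns",
        "src_ip": "10.16.1.1", "src_port": 53,
        "dest_ip": "10.16.1.11", "dest_port": 41805, "proto": "UDP",
        "dns": dns,
    })


# Constructed input: one query, three answer records for the same
# transaction (id 36146) and one answer for a different flow/transaction.
SAMPLE_EVE_LINES = [
    _sample_event({"type": "query", "id": 36146, "rrname": "www.suricata-ids.org",
                   "rrtype": "A", "tx_id": 0}),
    _sample_event({"type": "answer", "id": 36146, "rcode": "NOERROR",
                   "rrname": "www.suricata-ids.org", "rrtype": "CNAME",
                   "ttl": 3544, "rdata": "suricata-ids.org"}),
    _sample_event({"type": "answer", "id": 36146, "rcode": "NOERROR",
                   "rrname": "suricata-ids.org", "rrtype": "A",
                   "ttl": 244, "rdata": "192.0.78.24"}),
    _sample_event({"type": "answer", "id": 36146, "rcode": "NOERROR",
                   "rrname": "suricata-ids.org", "rrtype": "A",
                   "ttl": 244, "rdata": "192.0.78.25"}),
    _sample_event({"type": "answer", "id": 10451, "rcode": "NOERROR",
                   "rrname": "time.windows.com", "rrtype": "A",
                   "ttl": 2755, "rdata": "207.46.197.32"}, flow_id=42),
]


def _answer_key(event):
    """Identify the DNS transaction an answer line belongs to (assumed key:
    flow id, DNS transaction id and the flow 5-tuple)."""
    return (event.get("flow_id"), event["dns"]["id"], event.get("proto"),
            event.get("src_ip"), event.get("src_port"),
            event.get("dest_ip"), event.get("dest_port"))


def compact_dns_answers(eve_lines, answer_compact=True):
    """Merge per-answer EVE dns lines into one event per transaction.

    answer_compact=False mirrors 'answer-compact: no': lines are parsed and
    returned unchanged. Non-answer events (queries) pass through untouched.
    """
    events = [json.loads(line) for line in eve_lines]
    if not answer_compact:
        return events

    merged_by_key = {}   # transaction key -> merged event
    output = []          # keeps the order of first appearance
    for ev in events:
        dns = ev.get("dns", {})
        if ev.get("event_type") != "dns" or dns.get("type") != "answer":
            output.append(ev)
            continue
        key = _answer_key(ev)
        if key not in merged_by_key:
            merged = {k: v for k, v in ev.items() if k != "dns"}
            merged["dns"] = {
                "type": "answer",
                "id": dns["id"],
                "rcode": dns.get("rcode"),
                "answers": [],
                "metadata": defaultdict(list),
            }
            merged_by_key[key] = merged
            output.append(merged)
        merged = merged_by_key[key]
        # A line with no record (e.g. rcode only) contributes nothing to the
        # answers array; a record keeps its own ttl and rrname, which the
        # first proposal (single ttl per event) could not represent.
        if "rrtype" in dns and "rdata" in dns:
            merged["dns"]["answers"].append({
                "rrname": dns.get("rrname"), "rrtype": dns["rrtype"],
                "ttl": dns.get("ttl"), "rdata": dns["rdata"],
            })
            merged["dns"]["metadata"][dns["rrtype"]].append(dns["rdata"])

    for merged in merged_by_key.values():
        merged["dns"]["metadata"] = dict(merged["dns"]["metadata"])
    return output


if __name__ == "__main__":
    for event in compact_dns_answers(SAMPLE_EVE_LINES):
        print(json.dumps(event))
```

Run it as a script to see the query line pass through unchanged, followed by one compacted event per transaction; with answer_compact=False the original five lines are returned as-is.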


Related issues (1): 0 open, 1 closed

Related to Suricata - Feature #2086: DNS answer for a NS containing multiple name servers should only be one line (Closed, Giuseppe Longo)