Optimization #2272 (closed)

Analyze DNS response if query is not present

Added by Chris Knott almost 7 years ago. Updated 5 months ago.

Status: Rejected
Priority: Normal

Description

A DNS event should be logged in the eve.json file if the DNS response is available in the packet stream only (meaning that the DNS query for the response is missing). At the moment DNS queries always generate a DNS event entry. DNS responses only generate an entry if the corresponding DNS query is present in the packet stream. This behavior is the same in the C and in the Rust implementation of the DNS plugin.
The test PCAPs attached:
dns.pcap: 2 packets, a DNS query and the corresponding response; generates 2 DNS event entries in the eve.json file
dnsquery.pcap: Only the query contained in dns.pcap; generates 1 DNS event entry in the eve.json file
dnsresponse.pcap: Only the response contained in dns.pcap; generates 0 DNS event entries in the eve.json file (should generate 1 entry)
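The logging gap described above comes from correlating responses to previously seen queries. The following added example (not Suricata code, and not from the reporter) sketches the alternative: a small transaction tracker that still emits an event for a response whose query was never observed, marking it so the one-sided traffic stays visible. The DNS messages, the `flow` labels and the event field names are constructed for the example.

```python
import struct

def parse_dns_header(pkt: bytes) -> dict:
    """Decode the fixed 12-byte DNS header; the QR bit (0x8000) marks a response."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    tx_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": tx_id, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}

def parse_question_name(pkt: bytes, offset: int = 12) -> str:
    """Read the uncompressed QNAME of the first question (labels end with 0x00)."""
    labels = []
    while pkt[offset] != 0:
        ln = pkt[offset]
        if ln & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(pkt[offset + 1:offset + 1 + ln].decode("ascii"))
        offset += 1 + ln
    return ".".join(labels)

class DnsTracker:
    """Correlate queries and responses by (flow, tx id) but log every response."""
    def __init__(self):
        self.pending = {}   # (flow, tx id) -> query name
    def process(self, flow: str, pkt: bytes) -> dict:
        hdr = parse_dns_header(pkt)
        name = parse_question_name(pkt)
        key = (flow, hdr["id"])
        if not hdr["is_response"]:
            self.pending[key] = name
            return {"type": "query", "id": hdr["id"], "rrname": name}
        # Response: emit an event whether or not the query was observed,
        # flagging orphans so analysts can see one-sided traffic.
        seen = self.pending.pop(key, None) is not None
        return {"type": "answer", "id": hdr["id"], "rrname": name,
                "rcode": hdr["rcode"], "answers": hdr["ancount"], "query_seen": seen}

def build_packet(tx_id: int, name: str, response: bool) -> bytes:
    """Constructed sample DNS message (A query, or a one-answer response)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    flags, ancount = (0x8180, 1) if response else (0x0100, 0)
    msg = struct.pack("!HHHHHH", tx_id, flags, 1, ancount, 0, 0) + qname + struct.pack("!HH", 1, 1)
    if response:  # answer RR: pointer to QNAME, type A, class IN, TTL, rdlen, 192.0.2.1
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return msg
```

Feeding only `build_packet(0x1234, "example.com", response=True)` to a fresh `DnsTracker` mirrors the dnsresponse.pcap case and yields an `answer` event with `query_seen` set to `False`.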


Files

dns.pcap (208 Bytes) - Chris Knott, 11/16/2017 03:47 PM
dnsquery.pcap (108 Bytes) - Chris Knott, 11/16/2017 03:47 PM
dnsresponse.pcap (124 Bytes) - Chris Knott, 11/16/2017 03:47 PM

Related issues: 7 (4 open, 3 closed)

Related to Suricata - Task #2309: SuriCon 2017 brainstorm (Assigned, Victor Julien)
Related to Suricata - Task #2278: tracking: failing better (New, OISF Dev)
Related to Suricata - Bug #2146: DNS answer not logged with eve-log (Closed, Jason Ish)
Related to Suricata - Task #3288: Suricon 2019 brainstorm (Assigned, Victor Julien)
Related to Suricata - Bug #4135: dns: response only udp not detected as dns (Assigned, Jason Ish)
Related to Suricata - Feature #6497: dns: new detection buffer: dns.query.name (Closed, Jason Ish)
Blocked by Suricata - Feature #2572: extend protocol detection to specify flow direction (Closed, Victor Julien)
