Feature #2970: DNS: Parse and extract SOA app layer data from DNS packets - Suricata - Open Information Security Foundation

Actions

Copy link

Feature #2970

closed

DNS: Parse and extract SOA app layer data from DNS packets

Added by Konstantin Klinger over 5 years ago. Updated about 4 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Simon Dugas

Target version:

6.0.0rc1

Effort:

Difficulty:

Label:

Protocol

Description

At the moment the DNS parser gives you "SOA" as rrtype, but the related metadata of those SOA records/DNS packets are missing. In the attached pcap you can find the current output.

I would expect something like this (equivalent to the content in Wireshark output):
Answers
suricon.net: type SOA, class IN, mname ns1.siteground199.com
Name: suricon.net
Type: SOA (Start Of a zone of Authority) (6)
Class: IN (0x0001)
Time to live: 21599
Data length: 50
Primary name server: ns1.siteground199.com
Responsible authority's mailbox: root.siteground199.com
Serial Number: 2018092604
Refresh Interval: 86400 (1 day)
Retry Interval: 7200 (2 hours)
Expire limit: 3600000 (41 days, 16 hours)
Minimum TTL: 86400 (1 day)

Files

Download all files

soa_record_eve.json (5.54 KB) soa_record_eve.json	eve json output for processing the pcap	Konstantin Klinger, 05/07/2019 11:27 AM
soa_record.pcap (719 Bytes) soa_record.pcap	pcap with three SOA record queries and answers	Konstantin Klinger, 05/07/2019 11:27 AM

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Feature #2970

DNS: Parse and extract SOA app layer data from DNS packets

Updated by Andreas Herz over 5 years ago

Updated by Victor Julien almost 5 years ago

Updated by Simon Dugas over 4 years ago

Updated by Victor Julien over 4 years ago

Updated by Victor Julien about 4 years ago

Updated by Victor Julien about 4 years ago