Project

General

Profile

Actions
Copy link

Feature #3663

closed

DNS: Parse and extract DNS NULL records

Added by Konstantin Klinger over 4 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Community Ticket
Target version:
TBD
Effort:
Difficulty:
Label:
Protocol

Description

At the moment the DNS parser gives you "NULL" as rrtype, but the related metadata of those NULL records/DNS packets is missing. In the attached eve.json you can find the current output.

I would expect something like this (equivalent to the content from packet 18 in Wireshark output):
Null (data): 42617365313238

This is related to Feature #2970

Files

Download all files
dns-tunnel-iodine.pcap (75.7 KB) dns-tunnel-iodine.pcap Konstantin Klinger, 04/23/2020 07:13 AM
eve.json (388 KB) eve.json Konstantin Klinger, 04/23/2020 07:13 AM
Actions
Copy link
 #1

Updated by Victor Julien over 4 years ago

  • Assignee set to Community Ticket
  • Target version set to TBD

@Simon Dugas are you interested in this one?

Actions
Copy link
 #2

Updated by Simon Dugas over 4 years ago

Victor Julien wrote in #note-1:

@Simon Dugas are you interested in this one?

Yes I can look into it. I should have something ready and dependent on https://redmine.openinfosecfoundation.org/issues/2970.

Actions
Copy link
 #3

Updated by Sascha Steinbiss about 4 years ago

Just FYI, I have also started working on this and have also added possibly interesting RR types such as SRV and NS.
NULL and NS are straightforward as they are simple buffers or domain names, but SRV needed another structured sub-object. Please see https://github.com/OISF/suricata/commit/e449676eee1f120f527222253e4efe939330b98e for a first shot. Happy to prepare a PR.

Actions
Copy link
 #5

Updated by Philippe Antoine over 3 years ago

  • Status changed from New to Closed
Actions
Copy link

Also available in: Atom PDF