Feature #4751 (closed): dns/eve: add 'HTTPS' type logging
Label: Beginner, Needs backport to 6.0, Rust
Description
{"timestamp":"2021-10-12T10:17:37.702061+0200","flow_id":865976079988333,"pcap_cnt":1,"event_type":"dns","src_ip":"192.168.0.47","src_port":61954,"dest_ip":"192.168.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4220,"rrname":"46-105-202-126.any.cdn.anycast.me","rrtype":"65","tx_id":0}}
The rrtype is logged as "65" instead of "HTTPS".
Updated by Victor Julien about 3 years ago
- Subject changed from dns: add 'HTTPS' type logging to dns/eve: add 'HTTPS' type logging
- Label Beginner added
Updated by Haleema Khan about 2 years ago
After looking into the code, specifically the DNS event type code parts, and after reading all DNS record types, I have understood that it is returning rrtype:65 mainly because a DNS record type does not exist for the value 65, so when matching the rrtype it never finds a match and the rrtype 65 gets returned as is after a toString() conversion.
If that's the case, then first a DNS record type for this needs to be defined, and then I can move forward with matching it in code.
Asking here just to make sure I am going in the right direction.
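The lookup-and-fallback behaviour described in the comment above, together with a check that flags EVE dns records whose rrtype is still a bare number, as an added Rust example that is not Suricata's own code (the function names, the simplified type table and the hand-rolled field extraction are assumptions made for this example):

```rust
/// Map a numeric DNS record type (IANA RR TYPE registry value) to the name
/// written to the EVE "rrtype" field. Values missing from the table fall back
/// to the decimal number as a string, which is how the ticket's log ended up
/// with "65" instead of "HTTPS" before a 65 => "HTTPS" arm existed.
pub fn dns_rrtype_string(rrtype: u16) -> String {
    let name = match rrtype {
        1 => "A",
        2 => "NS",
        5 => "CNAME",
        6 => "SOA",
        12 => "PTR",
        15 => "MX",
        16 => "TXT",
        28 => "AAAA",
        33 => "SRV",
        65 => "HTTPS", // the arm this ticket adds
        _ => return rrtype.to_string(),
    };
    name.to_string()
}

/// Extract the "rrtype" value from an EVE dns record and return Some(n) when
/// it is a bare number, i.e. a type the logger had no name for. Field
/// extraction is hand-rolled so the example needs no JSON crate; a real check
/// over production logs would use a proper JSON parser.
pub fn unnamed_rrtype(eve_line: &str) -> Option<u16> {
    let start = eve_line.find("\"rrtype\":\"")? + "\"rrtype\":\"".len();
    let end = eve_line[start..].find('"')? + start;
    eve_line[start..end].parse::<u16>().ok()
}

fn main() {
    // Constructed sample: the record quoted in the ticket description.
    let line = r#"{"timestamp":"2021-10-12T10:17:37.702061+0200","flow_id":865976079988333,"pcap_cnt":1,"event_type":"dns","src_ip":"192.168.0.47","src_port":61954,"dest_ip":"192.168.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4220,"rrname":"46-105-202-126.any.cdn.anycast.me","rrtype":"65","tx_id":0}}"#;
    match unnamed_rrtype(line) {
        Some(n) => println!("rrtype {} is logged numerically; with the fix it is {:?}", n, dns_rrtype_string(n)),
        None => println!("rrtype is already named"),
    }
}
```

Running the check over an eve.json from an older build is a quick way to confirm whether this particular record type, or any other unnamed one, is present in your own logs.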
Updated by Haleema Khan about 2 years ago
- Status changed from New to In Review
PR for review https://github.com/OISF/suricata/pull/8011
Updated by Haleema Khan about 2 years ago
suricata-verify PR for review https://github.com/OISF/suricata-verify/pull/969
Updated by Victor Julien about 2 years ago
- Target version changed from 7.0.0-beta1 to 7.0.0-rc1
Updated by Haleema Khan about 2 years ago
- Status changed from In Review to Closed