Feature #5642
openTask #4772: tracking: parity between fields logged and fields available for detection
DNS: parity between log fields and detection
Added by Jason Ish over 2 years ago. Updated 2 months ago.
Updated by Jason Ish over 2 years ago
- Related to Task #4772: tracking: parity between fields logged and fields available for detection added
Updated by Philippe Antoine over 1 year ago
- Related to Task #6443: Suricon 2023 brainstorm added
Updated by Juliana Fajardini Reichow about 1 year ago
- Assignee changed from OISF Dev to Hadiqa Alamdar Bukhari
- Target version changed from TBD to 8.0.0-beta1
Updated by Hadiqa Alamdar Bukhari about 1 year ago
- aa boolean field is missing in the answer array. It is present in dns object properties.
- tc boolean field is missing in the answer array.
- z boolean field is missing in the answer array. It is present for query array and dns object properties.
- I also don't see the sshfp field anywhere in the dns object while I do see the srv field in the answers array and soa field in the authorities array.
Updated by Hadiqa Alamdar Bukhari about 1 year ago
The fields which have been implemented include:
- dns.query
- dns.opcode
- dns.rcode : in progress
- dns.answer.name
- dns.query.name
Awaiting further instructions on which fields to implement first.
Updated by Jason Ish about 1 year ago
Hadiqa Alamdar Bukhari wrote in #note-7:
The fields which have been implemented include:
- dns.query
- dns.opcode
- dns.rcode : in progress
- dns.answer.name
- dns.query.name
Awaiting further instructions on which fields to implement first.
- rtype would be a good next one, it would be much like opcode or rcode
- then maybe "a" and "aaaa", which are more similar to dns.answer.name as they would be sticky buffers
- or some other protocol?
Updated by Hadiqa Alamdar Bukhari about 1 year ago
Jason Ish wrote in #note-8:
Hadiqa Alamdar Bukhari wrote in #note-7:
The fields which have been implemented include:
- dns.query
- dns.opcode
- dns.rcode : in progress
- dns.answer.name
- dns.query.name
Awaiting further instructions on which fields to implement first.- rtype would be a good next one, it would be much like opcode or rcode
- then maybe "a" and "aaaa", which are more similar to dns.answer.name as they would be sticky buffers
- or some other protocol?
Got it, thanks!
Updated by Hadiqa Alamdar Bukhari about 1 year ago
- Related to Feature #6666: dns: add keyword for dns rrtype: dns.rrtype added
Updated by Juliana Fajardini Reichow 11 months ago
- Assignee changed from Hadiqa Alamdar Bukhari to OISF Dev
Since we have subtickets that are directly assigned, I'll keep this parent ticket as assigned to OISF Dev, so we know that it is available for others to work on.
Updated by Victor Julien 8 months ago
- Assignee changed from OISF Dev to Jason Ish
Updated by Victor Julien 8 months ago
- Related to Feature #4153: app-layer: rust derive style macros to generate common code added
Updated by Jason Ish 8 months ago
- Related to Feature #2448: Add additional buffers for DNS Responses added
Updated by Victor Julien 8 months ago
- Blocks Story #6597: rules: improve rules keyword/output parity added
Updated by Philippe Antoine 25 days ago
- Related to Optimization #7529: detect/dns: move wrapper code from C to rust added