Bug #6281
Status: closed
dns: structure of query differs between "alert" and "dns" event types
Description
In DNS query records, the dns object is a flat object representing the request. Even though a DNS request could contain multiple queries, this is not seen in practice, which is probably the reason for the easier-to-use flat object.
Note: DNS responses do place all the responses in an answers array as multiple answers to a single query are normal.
In alerts for DNS, the query is (more correctly) placed in a query array.
For example, a DNS event request:
"dns": {
    "type": "query",
    "id": 55380,
    "rrname": "google.de",
    "rrtype": "AAAA",
    "tx_id": 0,
    "opcode": 0
}
The DNS metadata in an alert:
"dns": {
    "query": [
        {
            "type": "query",
            "id": 55380,
            "rrname": "google.de",
            "rrtype": "AAAA",
            "tx_id": 0,
            "opcode": 0
        }
    ]
},
And a DNS record for an answer:
"dns": {
    "answers": [
        {
            "rdata": "35.212.0.44",
            "rrname": "suricata.io",
            "rrtype": "A",
            "ttl": 600
        }
    ],
The question is how to resolve this going further. The DNS record type for requests looks clearly wrong, but I think there was some conscious decision to do that for the sake of SIEMs, and changing that would probably break reports and other post-processing of the data.
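A small normalizer that reads one line of EVE JSON and returns the same query list whether the record carries the flat dns object of a "dns" event or the dns.query array of an "alert", and pulls answers out of the answers array. This is an added example, not Suricata's code; the sample records are constructed from the shapes quoted above, and the surrounding event_type field is assumed.

```python
import json

# Constructed sample EVE lines modelled on the three shapes quoted in the
# report (not real captured traffic). Only "dns" is taken from the report;
# "event_type" is assumed to be the usual EVE top-level field.
DNS_QUERY_EVENT = json.dumps({
    "event_type": "dns",
    "dns": {"type": "query", "id": 55380, "rrname": "google.de",
            "rrtype": "AAAA", "tx_id": 0, "opcode": 0},
})
ALERT_EVENT = json.dumps({
    "event_type": "alert",
    "dns": {"query": [{"type": "query", "id": 55380, "rrname": "google.de",
                       "rrtype": "AAAA", "tx_id": 0, "opcode": 0}]},
})
DNS_ANSWER_EVENT = json.dumps({
    "event_type": "dns",
    "dns": {"type": "answer", "id": 55380,
            "answers": [{"rdata": "35.212.0.44", "rrname": "suricata.io",
                         "rrtype": "A", "ttl": 600}]},
})


def normalize_dns(line: str) -> dict:
    """Return {"event_type", "queries", "answers"} for one EVE JSON line.

    queries: list of (rrname, rrtype) tuples, found either in the flat dns
             object (event_type "dns") or in the dns.query array ("alert").
    answers: list of (rrname, rrtype, rdata) tuples from dns.answers.
    Records without a dns object yield empty lists instead of raising.
    """
    record = json.loads(line)
    dns = record.get("dns")
    if not isinstance(dns, dict):
        dns = {}
    queries = []
    if isinstance(dns.get("query"), list):
        # Alert layout: one object per question in a "query" array.
        queries = [(q.get("rrname"), q.get("rrtype")) for q in dns["query"]]
    elif "rrname" in dns:
        # DNS event layout: the single question is flattened into "dns".
        queries = [(dns["rrname"], dns.get("rrtype"))]
    answers = [(a.get("rrname"), a.get("rrtype"), a.get("rdata"))
               for a in dns.get("answers", []) if isinstance(a, dict)]
    return {"event_type": record.get("event_type"),
            "queries": queries, "answers": answers}
```

Feeding both the "dns" and the "alert" record through normalize_dns yields the identical queries list, which is the property a SIEM pipeline has to reconstruct by hand today.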