Feature #6621
Task #4772 (open): tracking: parity between fields logged and fields available for detection
Feature #5642: DNS: parity between log fields and detection
dns: add keyword for dns rcode: dns.rcode
Description
DNS records log the rcode, but it is not available for detection. For example:
{
  "@timestamp": "2023-12-11T17:31:16.621Z",
  "community_id": "1:wQg9tR3nlxBAH4VrGg6YGsAa6AA=",
  "dest_ip": "10.16.1.1",
  "dest_port": 53,
  "dns": {
    "answers": [
      {
        "rdata": "l-0007.l-msedge.net",
        "rrname": "config-edge-skype.l-0007.l-msedge.net",
        "rrtype": "CNAME",
        "ttl": 152
      }
    ],
    "flags": "8180",
    "id": 49242,
    "opcode": 0,
    "qr": true,
    "ra": true,
    "rcode": "NOERROR",
    "rd": true,
    "rrname": "config.edge.skype.com",
    "rrtype": "HTTPS",
    "type": "answer",
    "version": 2
  },
  "event_type": "dns"
}
The dns.opcode keyword should be a good starting point for an rcode keyword, as both values are carried in the DNS header as integers. Even though we would eventually like to match on the string representation of the rcode (the form the log shows), the keyword should probably start by accepting the integer value; string representations could be added later.
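As an added illustration of what the description proposes (not code from the ticket or from Suricata itself), the following Python extracts the opcode and rcode from the 16-bit header flags word that the log already carries ("flags": "8180") and evaluates a hypothetical dns.rcode integer match against EVE dns records. The match syntax (N, >N, <N, !N, N<>M as an exclusive range) is an assumption modelled on urilen, and the second sample record is constructed; the first is the ticket's own example, trimmed.

```python
import re

# DNS rcode names as Suricata logs them in the "rcode" field (RFC 1035 / RFC 6895).
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}


def parse_flags(flags_hex):
    """Split the DNS header flags word (logged as hex, e.g. "8180") into its fields.
    Layout (RFC 1035 4.1.1): bit 15 QR | bits 14-11 OPCODE | AA TC RD RA | Z | bits 3-0 RCODE.
    """
    flags = int(flags_hex, 16)
    return {
        "qr": bool((flags >> 15) & 1),
        "opcode": (flags >> 11) & 0xF,
        "rd": bool((flags >> 8) & 1),
        "ra": bool((flags >> 7) & 1),
        "rcode": flags & 0xF,
    }


def compile_int_match(spec):
    """Turn an integer-keyword argument into a predicate.
    Syntax is an assumption modelled on urilen: "3", ">2", "<3", "!0", "2<>5" (exclusive range).
    """
    spec = spec.replace(" ", "")
    m = re.fullmatch(r"(\d+)<>(\d+)", spec)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
        if lo >= hi:
            raise ValueError(f"empty range: {spec}")
        return lambda v: lo < v < hi
    m = re.fullmatch(r"([<>!]?)(\d+)", spec)
    if not m:
        raise ValueError(f"bad integer match: {spec!r}")
    op, n = m.group(1), int(m.group(2))
    if not 0 <= n <= 15:
        raise ValueError("rcode is a 4-bit header field, so 0..15")
    return {
        "": lambda v: v == n,
        ">": lambda v: v > n,
        "<": lambda v: v < n,
        "!": lambda v: v != n,
    }[op]


def rcode_matches(record, spec):
    """Evaluate a hypothetical dns.rcode:<spec> against one EVE dns record,
    taking the rcode from the header flags rather than from the logged string."""
    return compile_int_match(spec)(parse_flags(record["dns"]["flags"])["rcode"])


# Sample records: the first is the ticket's NOERROR answer (trimmed); the second
# is a constructed NXDOMAIN answer (flags 8183 -> rcode 3).
SAMPLE_RECORDS = [
    {"dns": {"flags": "8180", "id": 49242, "opcode": 0, "rcode": "NOERROR",
             "rrname": "config.edge.skype.com", "rrtype": "HTTPS", "type": "answer"}},
    {"dns": {"flags": "8183", "id": 4711, "opcode": 0, "rcode": "NXDOMAIN",
             "rrname": "does-not-exist.example", "rrtype": "A", "type": "answer"}},
]


def select(records, spec):
    """Return the rrnames of the records whose header rcode satisfies spec."""
    return [r["dns"]["rrname"] for r in records if rcode_matches(r, spec)]


if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        hdr = parse_flags(r["dns"]["flags"])
        print(r["dns"]["rrname"], hdr, RCODE_NAMES.get(hdr["rcode"], "?"))
    for spec in ("3", ">0", "!0", "2<>5"):
        print(f"dns.rcode:{spec:<5} ->", select(SAMPLE_RECORDS, spec))
```

Decoding 0x8180 gives qr=1, opcode=0, rd=1, ra=1 and rcode=0, which agrees field by field with the logged qr, rd, ra, opcode and "NOERROR" values, so the header word alone is enough to drive an integer keyword; a later string form would only need the RCODE_NAMES lookup on top of it.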
Updated by Hadiqa Alamdar Bukhari 11 months ago
- Target version changed from TBD to 8.0.0-beta1
Updated by Juliana Fajardini Reichow 10 months ago
Hadiqa Alamdar Bukhari wrote in #note-2:
Can this keyword be negated?
Answered here: https://github.com/OISF/suricata/pull/10087#discussion_r1435191583
Updated by Juliana Fajardini Reichow 10 months ago
First PR version: https://github.com/OISF/suricata/pull/10087
Updated by Hadiqa Alamdar Bukhari 10 months ago
- Status changed from New to In Progress
Updated by Jason Taylor 10 months ago
Thanks for working on this Hadiqa! We (ET team) were wondering if it would be possible to add comparison functionality (e.g. <, >, <>) similar to urilen?
One thing that came up also was if it would be possible to allow an array of values [0, 11, 23], for example?
Updated by Philippe Antoine 10 months ago
- Blocked by Bug #6281: dns: structure of query differs between "alert" and "dns" event types added
Updated by Philippe Antoine 10 months ago
@Jason Taylor array of values are not supported for integers yet... :-/
Updated by Jason Taylor 10 months ago
Philippe Antoine wrote in #note-8:
@Jason Taylor array of values are not supported for integers yet... :-/
Ah okay. Would the comparison options be possible?
Updated by Philippe Antoine 10 months ago
- Status changed from In Progress to In Review
Updated by Juliana Fajardini Reichow 10 months ago
Jason Taylor wrote in #note-9:
Philippe Antoine wrote in #note-8:
@Jason Taylor array of values are not supported for integers yet... :-/
Ah okay. Would the comparison options be possible?
The comparison options, yes :)
Updated by Juliana Fajardini Reichow 8 months ago
- Status changed from In Review to Resolved