Suricata

A PCAP will be required to investigate further. It looks like this rule could easily alert on data that is not DNS, in which case there wouldn't be any DNS information to log.

Hello,
Another message without any elements given in the alert file :
ET POLICY Credit Card Number Detected in Clear (16 digit spaced)
and no information in the eve alert file.

Regards
JP P

A lot of the signatures mentioned here require a threshold.

however ET POLICY Credit Card Number Detected in Clear (16 digit spaced) AKA 2001375 does not so I thought that might be a good candidate to test with.

I was unable to replicate this issue. I tested with 6.0.0, 6.0.16, 7.0.0 and 7.0.4

7.0.4 alert output of the attached pcap
https://gist.github.com/zoomequipd/f6251494737b74dcbbf9f6ac8c9bed05

All of them appeared to have accurate information within the alert event type in the eve json.

@JP Pozzi would you be able to provide information to replicate your issue? A pcap, the suricata.yaml and the command line you are using to start suricata would be a good start.

Are you able to provide what exact version of 6.x you reference here

It was OK in the previous versions (6). One other rule does not display usable information

Hello,

About the DNS "problem" the information of the "offender" is present in
the server response, I try to follow the network activity on UDP/53 with
wireshark and I get the following data (csv format from wireshark) :
127 24.191888682 127.0.0.1 127.0.0.1 DNS 131 Standard query response 0x1871 No such name A xxxtf1.fr SOA a.nic.fr
The "offender" xxxtf1.fr is visible but is not present in the json file.

Remark : it seems OK in the dev version 8.

Regards

JP P