<p>Open Information Security Foundation: <a href="https://redmine.openinfosecfoundation.org/issues/1198">Suricata - Feature #1198: more compact dns logging</a> (issue journal feed, updated 2014-06-03T08:44:21Z)</p>
<p><strong>Victor Julien</strong> (victor@inliniac.net), 2014-06-03T08:44:21Z, <a href="https://redmine.openinfosecfoundation.org/issues/1198?journal_id=4332">journal #4332</a></p>
<ul><li><strong>Subject</strong> changed from <i>more conpact dns logging</i> to <i>more compact dns logging</i></li></ul>
<p><strong>Victor Julien</strong> (victor@inliniac.net), 2014-06-03T08:45:13Z, <a href="https://redmine.openinfosecfoundation.org/issues/1198?journal_id=4333">journal #4333</a></p>
<p>I think it would be nice to be able to enable/disable logging of record types, so e.g. A records, but not SOA, etc.</p>
<p><strong>Peter Manev</strong> (petermanev@gmail.com), 2014-06-03T11:12:09Z, <a href="https://redmine.openinfosecfoundation.org/issues/1198?journal_id=4334">journal #4334</a></p>
<p>Also to consider:</p>
<ol><li>an option to log only requests or responses</li><li>an option to log only entries triggered by DNS rules</li></ol>
<p><strong>Giacomo Milani</strong> (giacomo83m@gmail.com), 2014-07-02T03:24:25Z, <a href="https://redmine.openinfosecfoundation.org/issues/1198?journal_id=4426">journal #4426</a></p>
<p>What about:</p>
<pre>- dns-log:
    enabled: yes
    filename: dns.log
    append: yes
    # supported rtypes: ["A","NS","AAAA","CNAME","SOA","MX","PTR","ANY","TKEY","TSIG"]
    ignore-rtypes: ["SOA"]
    log-request: yes
    log-response: yes
    only-alarmed: no
</pre>
<p>Log-request/log-response/only-alarmed Conf Bool should be quite easy to implement with an if statement in the LogDnsLogger function.<br />To handle ignore-rtypes (event->types is a 16-bit field) I think it is better to create a bitarray to filter out ignored types; it will use 8 kbyte of memory, but the code will be faster and cleaner than creating an if clause for each record type.</p>
<p><strong>Peter Manev</strong> (petermanev@gmail.com), 2014-07-02T05:44:04Z, <a href="https://redmine.openinfosecfoundation.org/issues/1198?journal_id=4427">journal #4427</a></p>
<p>I like that idea very much - modular and flexible.</p>
<p><strong>Andreas Moe</strong> (moe.andreas@gmail.com), 2014-07-09T12:25:22Z, <a href="https://redmine.openinfosecfoundation.org/issues/1198?journal_id=4437">journal #4437</a></p>
<p>While on the subject of output from Suricata, could this case be linked to Feature <a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: Uniformed use of logging and configuration formats (Closed)" href="https://redmine.openinfosecfoundation.org/issues/1235">#1235</a>? Output of "alerts and results" has been slowly merging to the JSON format; the possibility to process DNS logs in other applications would go a lot better with JSON than today's formatting?</p>
<p><strong>Peter Manev</strong> (petermanev@gmail.com), 2014-07-11T01:22:03Z, <a href="https://redmine.openinfosecfoundation.org/issues/1198?journal_id=4445">journal #4445</a></p>
<p>Yes, in general.<br />This ticket however discusses the specifics of this DNS logging (what and how much of, type of thing), so it is a different subject.</p>
<p>And yes - I think that it is very beneficial for the DNS logging being discussed here on this ticket (more compact logging) to be available in JSON format.</p>
<p><strong>Andreas Herz</strong> (oisf@herzandreas.de), 2016-01-01T18:07:36Z, <a href="https://redmine.openinfosecfoundation.org/issues/1198?journal_id=5986">journal #5986</a></p>
<ul><li><strong>Assignee</strong> set to <i>OISF Dev</i></li><li><strong>Target version</strong> set to <i>TBD</i></li></ul>
<p><strong>Victor Julien</strong> (victor@inliniac.net), 2016-08-29T16:16:07Z, <a href="https://redmine.openinfosecfoundation.org/issues/1198?journal_id=7244">journal #7244</a></p>
<p>Tom Decanio has implemented DNS output filtering by type: <a class="external" href="https://github.com/inliniac/suricata/pull/2185">https://github.com/inliniac/suricata/pull/2185</a></p>
<p><strong>Victor Julien</strong> (victor@inliniac.net), 2017-11-28T09:00:16Z, <a href="https://redmine.openinfosecfoundation.org/issues/1198?journal_id=8905">journal #8905</a></p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Assigned</i></li><li><strong>Assignee</strong> changed from <i>OISF Dev</i> to <i>Giuseppe Longo</i></li><li><strong>Target version</strong> changed from <i>TBD</i> to <i>70</i></li></ul>
<p><strong>Jason Ish</strong> (jason.ish@oisf.net), 2018-07-09T17:38:09Z, <a href="https://redmine.openinfosecfoundation.org/issues/1198?journal_id=9903">journal #9903</a></p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-5 priority-4 priority-default closed" href="/issues/2086">Feature #2086</a>: DNS answer for a NS containing multiple name servers should only be one line</i> added</li></ul>
<p><strong>Jason Ish</strong> (jason.ish@oisf.net), 2018-07-09T17:42:42Z, <a href="https://redmine.openinfosecfoundation.org/issues/1198?journal_id=9905">journal #9905</a></p>
<ul><li><strong>Status</strong> changed from <i>Assigned</i> to <i>Closed</i></li><li><strong>Target version</strong> changed from <i>70</i> to <i>4.1beta1</i></li></ul><p>See <a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: DNS answer events compacted (Closed)" href="https://redmine.openinfosecfoundation.org/issues/2199">#2199</a>.</p>
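<p>As an added illustration of the filtering scheme Giacomo Milani sketches earlier in this thread (a bit array indexed by the 16-bit record type, plus the log-request / log-response / only-alarmed booleans), the C below is example code written for this page; it is not Suricata's logger and not the code of pull request 2185. The type names are the ones the proposed config comment lists and their numeric codes are the IANA DNS RRTYPE registry values; the <code>dns_log_filter</code> struct and the function names are assumptions for the example, not Suricata identifiers.</p>

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One bit per possible 16-bit DNS record type: 65536 bits = 8192 bytes,
 * the "8 kbyte" the ticket mentions. The index is the raw type code from
 * the wire, so the per-record check is a single bit test. */
#define DNS_TYPE_BITMAP_BYTES (65536 / 8)

/* Hypothetical filter state; the field names mirror the proposed config keys. */
typedef struct dns_log_filter {
    uint8_t ignore[DNS_TYPE_BITMAP_BYTES]; /* bit set => do not log this rtype */
    bool log_request;                      /* config: log-request */
    bool log_response;                     /* config: log-response */
    bool only_alerted;                     /* config: only-alarmed */
} dns_log_filter;

/* Name -> RRTYPE code for the types listed in the proposed config comment.
 * Codes are the IANA DNS RRTYPE registry values. */
static const struct { const char *name; uint16_t code; } dns_type_table[] = {
    { "A", 1 },   { "NS", 2 },    { "CNAME", 5 },  { "SOA", 6 },    { "PTR", 12 },
    { "MX", 15 }, { "AAAA", 28 }, { "TKEY", 249 }, { "TSIG", 250 }, { "ANY", 255 },
};

/* Returns the type code for a configured name, or -1 if the name is unknown. */
int dns_type_from_name(const char *name)
{
    for (size_t i = 0; i < sizeof(dns_type_table) / sizeof(dns_type_table[0]); i++)
        if (strcmp(dns_type_table[i].name, name) == 0)
            return dns_type_table[i].code;
    return -1;
}

void dns_log_filter_ignore(dns_log_filter *f, uint16_t rtype)
{
    f->ignore[rtype >> 3] |= (uint8_t)(1u << (rtype & 7));
}

bool dns_log_filter_ignores(const dns_log_filter *f, uint16_t rtype)
{
    return (f->ignore[rtype >> 3] >> (rtype & 7)) & 1u;
}

/* Build a filter from the four proposed settings. Returns NULL when an
 * ignore-rtypes entry is not a known name, so a typo in the config is
 * rejected at load time instead of silently logging (or dropping) the
 * wrong records. A static instance is used only to keep the example short;
 * a real logger would allocate this per output/thread. */
const dns_log_filter *dns_log_filter_build(bool log_request, bool log_response,
                                           bool only_alerted,
                                           const char *const *ignore_names, size_t n)
{
    static dns_log_filter f;
    memset(&f, 0, sizeof(f));
    f.log_request = log_request;
    f.log_response = log_response;
    f.only_alerted = only_alerted;
    for (size_t i = 0; i < n; i++) {
        int code = dns_type_from_name(ignore_names[i]);
        if (code < 0)
            return NULL;
        dns_log_filter_ignore(&f, (uint16_t)code);
    }
    return &f;
}

/* The per-record decision a logger would make: direction gate, alert gate,
 * then one bitmap lookup instead of an if-chain over record types. */
bool dns_log_should_log(const dns_log_filter *f, uint16_t rtype,
                        bool is_response, bool alerted)
{
    if (is_response ? !f->log_response : !f->log_request)
        return false;
    if (f->only_alerted && !alerted)
        return false;
    return !dns_log_filter_ignores(f, rtype);
}

int main(void)
{
    /* The exact configuration proposed in the thread: ignore SOA, log both
     * directions, do not require an alert. */
    const char *const ignore[] = { "SOA" };
    const dns_log_filter *f = dns_log_filter_build(true, true, false, ignore, 1);
    printf("A answer logged:   %s\n", dns_log_should_log(f, 1, true, false) ? "yes" : "no");
    printf("SOA answer logged: %s\n", dns_log_should_log(f, 6, true, false) ? "yes" : "no");
    return 0;
}
```

<p>The bitmap is sized for the whole type space rather than only the ten names in the config comment, so an attacker-chosen or newly registered type code still resolves to a defined bit; the NULL return on an unknown name is the one design choice added beyond the thread, to fail closed on configuration typos.</p>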