<p><strong>Suricata - Feature #1265: Replace response on Suricata dns decoder when dns error please</strong> (Open Information Security Foundation)</p>
<p><a class="external" href="https://redmine.openinfosecfoundation.org/issues/1265?journal_id=5265">https://redmine.openinfosecfoundation.org/issues/1265?journal_id=5265</a>, 2015-05-21T05:02:07Z, David Cannings, david@edeca.net</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Resolved</i></li><li><strong>Target version</strong> set to <i>3.0RC1</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>This was fixed in the following PR: <a class="external" href="https://github.com/inliniac/suricata/pull/1425">https://github.com/inliniac/suricata/pull/1425</a> which is included in 2.1beta4.</p>
<p>Using your test pcap I see:</p>
<pre>
08/19/2014-16:27:37.939800 [**] Query TX 0000 [**] test.com [**] A [**] 192.168.42.150:34092 -> 8.8.8.8:53
08/19/2014-16:27:37.939800 [**] Response TX 0000 [**] SERVFAIL [**] 8.8.8.8:53 -> 192.168.42.150:34092
08/19/2014-16:27:37.939800 [**] Response TX 0000 [**] SERVFAIL [**] 8.8.8.8:53 -> 192.168.42.150:34092
</pre>
<p>And in EVE:</p>
<pre>
{"timestamp":"2014-08-19T16:27:37.939800+0100","flow_id":21513872,"pcap_cnt":1,"event_type":"dns","src_ip":"192.168.42.150","src_port":34092,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":0,"rrname":"test.com","rrtype":"A","tx_id":0}}
{"timestamp":"2014-08-19T16:27:37.939800+0100","flow_id":21513872,"pcap_cnt":1,"event_type":"dns","src_ip":"192.168.42.150","src_port":34092,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"answer","id":0,"rcode":"SERVFAIL","rrname":"test.com"}}
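</pre>
<p><strong>Suricata - Feature #1265: Replace response on Suricata dns decoder when dns error please</strong></p>
<p><a class="external" href="https://redmine.openinfosecfoundation.org/issues/1265?journal_id=5266">https://redmine.openinfosecfoundation.org/issues/1265?journal_id=5266</a>, 2015-05-21T05:02:14Z, David Cannings, david@edeca.net</p>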
<ul><li><strong>Assignee</strong> set to <i>David Cannings</i></li></ul>
<p><strong>Suricata - Feature #1265: Replace response on Suricata dns decoder when dns error please</strong></p>
<p><a class="external" href="https://redmine.openinfosecfoundation.org/issues/1265?journal_id=5314">https://redmine.openinfosecfoundation.org/issues/1265?journal_id=5314</a>, 2015-06-17T04:02:39Z, Victor Julien, victor@inliniac.net</p>
<ul><li><strong>Status</strong> changed from <i>Resolved</i> to <i>Closed</i></li></ul>