Bug #2012 (Closed): dns.log does not log unanswered queries
Description
With a minimal suricata.yaml file:
%YAML 1.1
---
default-log-dir: .
outputs:
  - eve-log:
      enabled: yes
      type: file
      filename: dns.json
      types:
        - dns
  - dns-log:
      enabled: yes
      filename: dns.log
the attached pcap will generate dns.json containing
{"timestamp":"2017-01-30T14:05:11.592025-0500","flow_id":1141428602734745,"pcap_cnt":9,"event_type":"dns","src_ip":"10.0.0.7","src_port":43212,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":41884,"rrname":"www.google.com","rrtype":"A","tx_id":0}}
{"timestamp":"2017-01-30T14:04:17.295571-0500","flow_id":878117039211155,"pcap_cnt":1,"event_type":"dns","src_ip":"10.0.0.7","src_port":54399,"dest_ip":"8.8.8.7","dest_port":53,"proto":"UDP","dns":{"type":"query","id":766,"rrname":"www.google.com","rrtype":"A","tx_id":0}}
{"timestamp":"2017-01-30T14:04:34.511740-0500","flow_id":667466074345212,"pcap_cnt":4,"event_type":"dns","src_ip":"10.0.0.7","src_port":53500,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":36059,"rrname":"www.google.com","rrtype":"A","tx_id":0}}
{"timestamp":"2017-01-30T14:05:11.607615-0500","flow_id":1141428602734745,"pcap_cnt":10,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.0.0.7","dest_port":43212,"proto":"UDP","dns":{"type":"answer","id":41884,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":202,"rdata":"172.217.1.196"}}
{"timestamp":"2017-01-30T14:04:34.525369-0500","flow_id":667466074345212,"pcap_cnt":5,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.0.0.7","dest_port":53500,"proto":"UDP","dns":{"type":"answer","id":36059,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":87,"rdata":"172.217.1.196"}}
{"timestamp":"2017-01-30T14:04:36.042150-0500","flow_id":2008599677412518,"pcap_cnt":6,"event_type":"dns","src_ip":"10.0.0.7","src_port":41743,"dest_ip":"8.8.8.7","dest_port":53,"proto":"UDP","dns":{"type":"query","id":20578,"rrname":"www.google.com","rrtype":"A","tx_id":0}}
and dns.log containing:
01/30/2017-14:05:11.607615 [**] Query TX a39c [**] www.google.com [**] A [**] 10.0.0.7:43212 -> 8.8.8.8:53
01/30/2017-14:04:34.525369 [**] Query TX 8cdb [**] www.google.com [**] A [**] 10.0.0.7:53500 -> 8.8.8.8:53
01/30/2017-14:04:34.525369 [**] Response TX 8cdb [**] Recursion Desired [**] 8.8.8.8:53 -> 10.0.0.7:53500
01/30/2017-14:05:11.607615 [**] Response TX a39c [**] Recursion Desired [**] 8.8.8.8:53 -> 10.0.0.7:43212
01/30/2017-14:04:34.525369 [**] Response TX 8cdb [**] www.google.com [**] A [**] TTL 87 [**] 172.217.1.196 [**] 8.8.8.8:53 -> 10.0.0.7:53500
01/30/2017-14:05:11.607615 [**] Response TX a39c [**] www.google.com [**] A [**] TTL 202 [**] 172.217.1.196 [**] 8.8.8.8:53 -> 10.0.0.7:43212
Note that the queries to IP 8.8.8.7 do not appear in dns.log but do appear in dns.json. Ideally dns.log would also include those queries.
Updated by Victor Julien almost 8 years ago
- Description updated (diff)
- Status changed from New to Assigned
- Assignee set to Jason Ish
- Target version set to 70
Updated by Jason Ish almost 8 years ago
Michael Stone: Can I include this pcap in my public test suite on Github?
Updated by Jason Ish almost 8 years ago
Just a note on the fix here (https://github.com/inliniac/suricata/pull/2532):
You will not see all 3 requests to 8.8.8.7 as they are identical and the DNS parser has a duplicate checker, which is why they are not seen in the JSON log. Anyways, the new output is:
01/30/2017-19:04:17.295571 [**] Query TX 02fe [**] www.google.com [**] A [**] 10.0.0.7:54399 -> 8.8.8.7:53
01/30/2017-19:04:34.511740 [**] Query TX 8cdb [**] www.google.com [**] A [**] 10.0.0.7:53500 -> 8.8.8.8:53
01/30/2017-19:04:34.525369 [**] Response TX 8cdb [**] Recursion Desired [**] 8.8.8.8:53 -> 10.0.0.7:53500
01/30/2017-19:04:34.525369 [**] Response TX 8cdb [**] www.google.com [**] A [**] TTL 87 [**] 172.217.1.196 [**] 8.8.8.8:53 -> 10.0.0.7:53500
01/30/2017-19:04:36.042150 [**] Query TX 5062 [**] www.google.com [**] A [**] 10.0.0.7:41743 -> 8.8.8.7:53
01/30/2017-19:05:11.592025 [**] Query TX a39c [**] www.google.com [**] A [**] 10.0.0.7:43212 -> 8.8.8.8:53
01/30/2017-19:05:11.607615 [**] Response TX a39c [**] Recursion Desired [**] 8.8.8.8:53 -> 10.0.0.7:43212
01/30/2017-19:05:11.607615 [**] Response TX a39c [**] www.google.com [**] A [**] TTL 202 [**] 172.217.1.196 [**] 8.8.8.8:53 -> 10.0.0.7:43212
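As an added example (not part of this ticket or of Suricata's own code), a small Python parser over constructed dns.log lines in the format shown above: it correlates Query and Response lines by client socket and TX id and reports the queries that never received a response, which is exactly what the fixed dns.log now makes visible for the 8.8.8.7 resolver. The sample lines and the helper names are the example's own.

```python
import re

# Constructed sample in the dns.log format shown in this ticket (a subset of the
# post-fix output): one query to 8.8.8.7 that never gets a response, and one
# query to 8.8.8.8 followed by its two Response lines.
SAMPLE_DNS_LOG = """\
01/30/2017-19:04:17.295571 [**] Query TX 02fe [**] www.google.com [**] A [**] 10.0.0.7:54399 -> 8.8.8.7:53
01/30/2017-19:04:34.511740 [**] Query TX 8cdb [**] www.google.com [**] A [**] 10.0.0.7:53500 -> 8.8.8.8:53
01/30/2017-19:04:34.525369 [**] Response TX 8cdb [**] Recursion Desired [**] 8.8.8.8:53 -> 10.0.0.7:53500
01/30/2017-19:04:34.525369 [**] Response TX 8cdb [**] www.google.com [**] A [**] TTL 87 [**] 172.217.1.196 [**] 8.8.8.8:53 -> 10.0.0.7:53500
"""

SEP = " [**] "
TX_RE = re.compile(r"^(Query|Response) TX ([0-9a-f]{4})$")
ENDPOINTS_RE = re.compile(r"^(\S+) -> (\S+)$")


def parse_line(line):
    """Split one dns.log line into (timestamp, kind, txid, middle fields, src, dst)."""
    parts = line.rstrip("\n").split(SEP)
    ts = parts[0]
    m = TX_RE.match(parts[1])
    if not m:
        raise ValueError("unexpected dns.log line: %r" % line)
    kind, txid = m.group(1), m.group(2)
    src, dst = ENDPOINTS_RE.match(parts[-1]).groups()
    return ts, kind, txid, parts[2:-1], src, dst


def unanswered_queries(text):
    """Return {(client, server, txid): (timestamp, rrname, rrtype)} for queries
    with no matching Response. The key includes the client socket because the
    16-bit TX id alone repeats across flows."""
    queries = {}
    answered = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, txid, fields, src, dst = parse_line(line)
        if kind == "Query":
            queries[(src, dst, txid)] = (ts, fields[0], fields[1])
        else:
            # A Response flows server -> client, so swap to match the query key.
            answered.add((dst, src, txid))
    return {k: v for k, v in queries.items() if k not in answered}
```

Run against the pre-fix dns.log from the description, the same function finds nothing unanswered, because the query to 8.8.8.7 was never written at all.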
Updated by Victor Julien almost 8 years ago
- Status changed from Assigned to Closed
- Target version changed from 70 to 3.2.1