Project

General

Profile

Actions
Copy link

Bug #2012

closed

dns.log does not log unanswered queries

Added by Michael Stone about 7 years ago. Updated about 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Jason Ish
Target version:
3.2.1
Affected Versions:
Effort:
Difficulty:
Label:

Description

With a minimal suricata.yaml file:

%YAML 1.1
---
default-log-dir: .
outputs:
  - eve-log:
      enabled: yes
      type: file
      filename: dns.json
      types:
        - dns
  - dns-log:
      enabled: yes
      filename: dns.log

the attached pcap will generate dns.json containing

{"timestamp":"2017-01-30T14:05:11.592025-0500","flow_id":1141428602734745,"pcap_cnt":9,"event_type":"dns","src_ip":"10.0.0.7","src_port":43212,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":41884,"rrname":"www.google.com","rrtype":"A","tx_id":0}}
{"timestamp":"2017-01-30T14:04:17.295571-0500","flow_id":878117039211155,"pcap_cnt":1,"event_type":"dns","src_ip":"10.0.0.7","src_port":54399,"dest_ip":"8.8.8.7","dest_port":53,"proto":"UDP","dns":{"type":"query","id":766,"rrname":"www.google.com","rrtype":"A","tx_id":0}}
{"timestamp":"2017-01-30T14:04:34.511740-0500","flow_id":667466074345212,"pcap_cnt":4,"event_type":"dns","src_ip":"10.0.0.7","src_port":53500,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":36059,"rrname":"www.google.com","rrtype":"A","tx_id":0}}
{"timestamp":"2017-01-30T14:05:11.607615-0500","flow_id":1141428602734745,"pcap_cnt":10,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.0.0.7","dest_port":43212,"proto":"UDP","dns":{"type":"answer","id":41884,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":202,"rdata":"172.217.1.196"}}
{"timestamp":"2017-01-30T14:04:34.525369-0500","flow_id":667466074345212,"pcap_cnt":5,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.0.0.7","dest_port":53500,"proto":"UDP","dns":{"type":"answer","id":36059,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":87,"rdata":"172.217.1.196"}}
{"timestamp":"2017-01-30T14:04:36.042150-0500","flow_id":2008599677412518,"pcap_cnt":6,"event_type":"dns","src_ip":"10.0.0.7","src_port":41743,"dest_ip":"8.8.8.7","dest_port":53,"proto":"UDP","dns":{"type":"query","id":20578,"rrname":"www.google.com","rrtype":"A","tx_id":0}}

and dns.log containing:

01/30/2017-14:05:11.607615 [**] Query TX a39c [**] www.google.com [**] A [**] 10.0.0.7:43212 -> 8.8.8.8:53
01/30/2017-14:04:34.525369 [**] Query TX 8cdb [**] www.google.com [**] A [**] 10.0.0.7:53500 -> 8.8.8.8:53
01/30/2017-14:04:34.525369 [**] Response TX 8cdb [**] Recursion Desired [**] 8.8.8.8:53 -> 10.0.0.7:53500
01/30/2017-14:05:11.607615 [**] Response TX a39c [**] Recursion Desired [**] 8.8.8.8:53 -> 10.0.0.7:43212
01/30/2017-14:04:34.525369 [**] Response TX 8cdb [**] www.google.com [**] A [**] TTL 87 [**] 172.217.1.196 [**] 8.8.8.8:53 -> 10.0.0.7:53500
01/30/2017-14:05:11.607615 [**] Response TX a39c [**] www.google.com [**] A [**] TTL 202 [**] 172.217.1.196 [**] 8.8.8.8:53 -> 10.0.0.7:43212

Note that the queries to IP 8.8.8.7 do not appear in dns.log but do appear in dns.json. Ideally dns.log would also include those queries.

Files

dnslookups2.pcap (1.04 KB) dnslookups2.pcap Michael Stone, 01/30/2017 01:53 PM
Actions
Copy link
 #1

Updated by Victor Julien about 7 years ago

  • Description updated (diff)
  • Status changed from New to Assigned
  • Assignee set to Jason Ish
  • Target version set to 70
Actions
Copy link
 #2

Updated by Jason Ish about 7 years ago

Michael Stone: Can I include this pcap in my public test suite on Github?

Actions
Copy link
 #3

Updated by Jason Ish about 7 years ago

Just a note on the fix here (https://github.com/inliniac/suricata/pull/2532):

You will not see all 3 requests to 8.8.8.7 as they are identical and the DNS parser has a duplicate checker, which is why they are not seen in the JSON log. Anyways, the new output is:

01/30/2017-19:04:17.295571 [**] Query TX 02fe [**] www.google.com [**] A [**] 10.0.0.7:54399 -> 8.8.8.7:53
01/30/2017-19:04:34.511740 [**] Query TX 8cdb [**] www.google.com [**] A [**] 10.0.0.7:53500 -> 8.8.8.8:53
01/30/2017-19:04:34.525369 [**] Response TX 8cdb [**] Recursion Desired [**] 8.8.8.8:53 -> 10.0.0.7:53500
01/30/2017-19:04:34.525369 [**] Response TX 8cdb [**] www.google.com [**] A [**] TTL 87 [**] 172.217.1.196 [**] 8.8.8.8:53 -> 10.0.0.7:53500
01/30/2017-19:04:36.042150 [**] Query TX 5062 [**] www.google.com [**] A [**] 10.0.0.7:41743 -> 8.8.8.7:53
01/30/2017-19:05:11.592025 [**] Query TX a39c [**] www.google.com [**] A [**] 10.0.0.7:43212 -> 8.8.8.8:53
01/30/2017-19:05:11.607615 [**] Response TX a39c [**] Recursion Desired [**] 8.8.8.8:53 -> 10.0.0.7:43212
01/30/2017-19:05:11.607615 [**] Response TX a39c [**] www.google.com [**] A [**] TTL 202 [**] 172.217.1.196 [**] 8.8.8.8:53 -> 10.0.0.7:43212
Actions
Copy link
 #4

Updated by Victor Julien about 7 years ago

  • Status changed from Assigned to Closed
  • Target version changed from 70 to 3.2.1
Actions
Copy link

Also available in: Atom PDF