Bug #2012

closed

dns.log does not log unanswered queries

Added by Michael Stone almost 5 years ago. Updated almost 5 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

With a minimal suricata.yaml file:

%YAML 1.1
---
default-log-dir: .
outputs:
  - eve-log:
      enabled: yes
      type: file
      filename: dns.json
      types:
        - dns
  - dns-log:
      enabled: yes
      filename: dns.log

the attached pcap will generate dns.json containing

{"timestamp":"2017-01-30T14:05:11.592025-0500","flow_id":1141428602734745,"pcap_cnt":9,"event_type":"dns","src_ip":"10.0.0.7","src_port":43212,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":41884,"rrname":"www.google.com","rrtype":"A","tx_id":0}}
{"timestamp":"2017-01-30T14:04:17.295571-0500","flow_id":878117039211155,"pcap_cnt":1,"event_type":"dns","src_ip":"10.0.0.7","src_port":54399,"dest_ip":"8.8.8.7","dest_port":53,"proto":"UDP","dns":{"type":"query","id":766,"rrname":"www.google.com","rrtype":"A","tx_id":0}}
{"timestamp":"2017-01-30T14:04:34.511740-0500","flow_id":667466074345212,"pcap_cnt":4,"event_type":"dns","src_ip":"10.0.0.7","src_port":53500,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":36059,"rrname":"www.google.com","rrtype":"A","tx_id":0}}
{"timestamp":"2017-01-30T14:05:11.607615-0500","flow_id":1141428602734745,"pcap_cnt":10,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.0.0.7","dest_port":43212,"proto":"UDP","dns":{"type":"answer","id":41884,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":202,"rdata":"172.217.1.196"}}
{"timestamp":"2017-01-30T14:04:34.525369-0500","flow_id":667466074345212,"pcap_cnt":5,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.0.0.7","dest_port":53500,"proto":"UDP","dns":{"type":"answer","id":36059,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":87,"rdata":"172.217.1.196"}}
{"timestamp":"2017-01-30T14:04:36.042150-0500","flow_id":2008599677412518,"pcap_cnt":6,"event_type":"dns","src_ip":"10.0.0.7","src_port":41743,"dest_ip":"8.8.8.7","dest_port":53,"proto":"UDP","dns":{"type":"query","id":20578,"rrname":"www.google.com","rrtype":"A","tx_id":0}}

and dns.log containing:

01/30/2017-14:05:11.607615 [**] Query TX a39c [**] www.google.com [**] A [**] 10.0.0.7:43212 -> 8.8.8.8:53
01/30/2017-14:04:34.525369 [**] Query TX 8cdb [**] www.google.com [**] A [**] 10.0.0.7:53500 -> 8.8.8.8:53
01/30/2017-14:04:34.525369 [**] Response TX 8cdb [**] Recursion Desired [**] 8.8.8.8:53 -> 10.0.0.7:53500
01/30/2017-14:05:11.607615 [**] Response TX a39c [**] Recursion Desired [**] 8.8.8.8:53 -> 10.0.0.7:43212
01/30/2017-14:04:34.525369 [**] Response TX 8cdb [**] www.google.com [**] A [**] TTL 87 [**] 172.217.1.196 [**] 8.8.8.8:53 -> 10.0.0.7:53500
01/30/2017-14:05:11.607615 [**] Response TX a39c [**] www.google.com [**] A [**] TTL 202 [**] 172.217.1.196 [**] 8.8.8.8:53 -> 10.0.0.7:43212

Note that the queries to IP 8.8.8.7 do not appear in dns.log but do appear in dns.json. Ideally dns.log would also include those queries.


Files

dnslookups2.pcap (1.04 KB) - Michael Stone, 01/30/2017 01:53 PM

#1

Updated by Victor Julien almost 5 years ago

  • Description updated (diff)
  • Status changed from New to Assigned
  • Assignee set to Jason Ish
  • Target version set to 70
#2

Updated by Jason Ish almost 5 years ago

Michael Stone: Can I include this pcap in my public test suite on Github?

#3

Updated by Jason Ish almost 5 years ago

Just a note on the fix here (https://github.com/inliniac/suricata/pull/2532):

You will not see all 3 requests to 8.8.8.7 as they are identical and the DNS parser has a duplicate checker, which is why they are not seen in the JSON log. Anyways, the new output is:

01/30/2017-19:04:17.295571 [**] Query TX 02fe [**] www.google.com [**] A [**] 10.0.0.7:54399 -> 8.8.8.7:53
01/30/2017-19:04:34.511740 [**] Query TX 8cdb [**] www.google.com [**] A [**] 10.0.0.7:53500 -> 8.8.8.8:53
01/30/2017-19:04:34.525369 [**] Response TX 8cdb [**] Recursion Desired [**] 8.8.8.8:53 -> 10.0.0.7:53500
01/30/2017-19:04:34.525369 [**] Response TX 8cdb [**] www.google.com [**] A [**] TTL 87 [**] 172.217.1.196 [**] 8.8.8.8:53 -> 10.0.0.7:53500
01/30/2017-19:04:36.042150 [**] Query TX 5062 [**] www.google.com [**] A [**] 10.0.0.7:41743 -> 8.8.8.7:53
01/30/2017-19:05:11.592025 [**] Query TX a39c [**] www.google.com [**] A [**] 10.0.0.7:43212 -> 8.8.8.8:53
01/30/2017-19:05:11.607615 [**] Response TX a39c [**] Recursion Desired [**] 8.8.8.8:53 -> 10.0.0.7:43212
01/30/2017-19:05:11.607615 [**] Response TX a39c [**] www.google.com [**] A [**] TTL 202 [**] 172.217.1.196 [**] 8.8.8.8:53 -> 10.0.0.7:43212
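As an added illustration (not code from this issue, from Suricata, or from the linked pull request), the following Python correlates EVE dns records by flow_id and DNS transaction id, reports queries that never received an answer (the 8.8.8.7 queries from the description), and renders each query id in the hexadecimal form that dns.log prints in its "Query TX" field (so 41884 becomes a39c). The sample records are trimmed copies of the JSON lines quoted above.

```python
import json

# Constructed sample: trimmed copies of four EVE dns records from the issue.
# Two queries go to 8.8.8.7 and are never answered; one to 8.8.8.8 is answered.
EVE_LINES = """\
{"timestamp":"2017-01-30T14:04:17.295571-0500","flow_id":878117039211155,"pcap_cnt":1,"event_type":"dns","src_ip":"10.0.0.7","dest_ip":"8.8.8.7","dns":{"type":"query","id":766,"rrname":"www.google.com","rrtype":"A","tx_id":0}}
{"timestamp":"2017-01-30T14:04:36.042150-0500","flow_id":2008599677412518,"pcap_cnt":6,"event_type":"dns","src_ip":"10.0.0.7","dest_ip":"8.8.8.7","dns":{"type":"query","id":20578,"rrname":"www.google.com","rrtype":"A","tx_id":0}}
{"timestamp":"2017-01-30T14:05:11.592025-0500","flow_id":1141428602734745,"pcap_cnt":9,"event_type":"dns","src_ip":"10.0.0.7","dest_ip":"8.8.8.8","dns":{"type":"query","id":41884,"rrname":"www.google.com","rrtype":"A","tx_id":0}}
{"timestamp":"2017-01-30T14:05:11.607615-0500","flow_id":1141428602734745,"pcap_cnt":10,"event_type":"dns","src_ip":"8.8.8.8","dest_ip":"10.0.0.7","dns":{"type":"answer","id":41884,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":202,"rdata":"172.217.1.196"}}
"""


def txid_hex(dns_id):
    """Render a DNS transaction id the way dns.log does (4 lowercase hex digits)."""
    return f"{dns_id:04x}"


def parse_eve_dns(text):
    """Yield parsed dns records from EVE JSON lines, skipping other event types."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "dns":
            yield rec


def unanswered_queries(text):
    """Return (flow_id, tx_hex, rrname, dest_ip) for every query that has no
    answer sharing the same flow_id and DNS transaction id."""
    queries = {}
    answered = set()
    for rec in parse_eve_dns(text):
        dns = rec["dns"]
        key = (rec["flow_id"], dns["id"])  # flow plus DNS header id
        if dns["type"] == "query":
            queries[key] = rec
        elif dns["type"] == "answer":
            answered.add(key)
    return sorted(
        (rec["flow_id"], txid_hex(rec["dns"]["id"]), rec["dns"]["rrname"], rec["dest_ip"])
        for key, rec in queries.items() if key not in answered
    )


if __name__ == "__main__":
    for flow_id, tx, name, resolver in unanswered_queries(EVE_LINES):
        print(f"unanswered: flow {flow_id} TX {tx} {name} -> {resolver}")
```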
#4

Updated by Victor Julien almost 5 years ago

  • Status changed from Assigned to Closed
  • Target version changed from 70 to 3.2.1