Project

General

Profile

Actions
Copy link

Feature #2086

closed

DNS answer for a NS containing multiple name servers should only be one line

Added by Ask Kemp over 7 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Giuseppe Longo
Target version:
4.1beta1
Effort:
Difficulty:
Label:

Description

Below is a sample of pcap showing 192.168.170.8 requesting the name server for isc.org. The server responds with 4 name servers.

$ tcpdump -vv -r ~/dns.cap  | grep isc
...
    192.168.170.8.32797 > 192.168.170.20.domain: [udp sum ok] 8330+ NS? isc.org. (25)
    192.168.170.20.domain > 192.168.170.8.32797: [udp sum ok] 8330 q: NS? isc.org. 4/0/0 isc.org. NS ns-ext.nrt1.isc.org., isc.org. NS ns-ext.sth1.isc.org., isc.org. NS ns-ext.isc.org., isc.org. NS ns-ext.lga1.isc.org. (124)
...

For the same packets, Suricata 3.2.1 shows the query as one line and then each of the name servers provided is each a separate log line. See below... Why is the answer just not one log line?

03/30/2005-00:52:17.740166 [**] Query TX 208a [**] isc.org [**] NS [**] 192.168.170.8:32797 -> 192.168.170.20:53

03/30/2005-00:52:17.758453 [**] Response TX 208a [**] Recursion Desired [**] 192.168.170.20:53 -> 192.168.170.8:32797
03/30/2005-00:52:17.758453 [**] Response TX 208a [**] isc.org [**] NS [**] TTL 3600 [**] ns-ext.nrt1.isc.org [**] 192.168.170.20:53 -> 192.168.170.8:32797
03/30/2005-00:52:17.758453 [**] Response TX 208a [**] isc.org [**] NS [**] TTL 3600 [**] ns-ext.sth1.isc.org [**] 192.168.170.20:53 -> 192.168.170.8:32797
03/30/2005-00:52:17.758453 [**] Response TX 208a [**] isc.org [**] NS [**] TTL 3600 [**] ns-ext.isc.org [**] 192.168.170.20:53 -> 192.168.170.8:32797
03/30/2005-00:52:17.758453 [**] Response TX 208a [**] isc.org [**] NS [**] TTL 3600 [**] ns-ext.lga1.isc.org [**] 192.168.170.20:53 -> 192.168.170.8:32797

In comparison, I looked at Bro to see how it handles this. The NS answers are located within one log line.

#fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       proto   trans_id        rtt     query   qclass  qclass_name     qtype   qtype_name      rcode   rcode_name      AA      TC      RD      RA      Z       answers TTLs    rejected
#types  time    string  addr    port    addr    port    enum    count   interval        string  count   string  count   string  count   string  bool    bool    bool    bool    count   vector[string]  vector[interval]        bool

1112172737.740166       C2qvyN39DpMjGWUx62      192.168.170.8   32797   192.168.170.20  53      udp     8330    0.018287        isc.org 1       C_INTERNET      2       NS      0       NOERROR F       F       T       T       0       ns-ext.nrt1.isc.org,ns-ext.sth1.isc.org,ns-ext.isc.org,ns-ext.lga1.isc.org      3600.000000,3600.000000,3600.000000,3600.000000 F

End Goal
My end goal is to use the Suricata DNS logs in JSON format. Below are the same lines represented by Suricata as JSON.

{"timestamp":"2005-03-30T00:52:17.740166-0800","flow_id":907251321752390,"pcap_cnt":27,"event_type":"dns","src_ip":"192.168.170.8","src_port":32797,"dest_ip":"192.168.170.20","dest_port":53,"proto":"UDP","dns":{"type":"query","id":8330,"rrname":"isc.org","rrtype":"NS","tx_id":0}}

{"timestamp":"2005-03-30T00:52:17.758453-0800","flow_id":907251321752390,"pcap_cnt":29,"event_type":"dns","src_ip":"192.168.170.20","src_port":53,"dest_ip":"192.168.170.8","dest_port":32797,"proto":"UDP","dns":{"type":"answer","id":8330,"rcode":"NOERROR","rrname":"isc.org","rrtype":"NS","ttl":3600,"rdata":"ns-ext.nrt1.isc.org"}}
{"timestamp":"2005-03-30T00:52:17.758453-0800","flow_id":907251321752390,"pcap_cnt":29,"event_type":"dns","src_ip":"192.168.170.20","src_port":53,"dest_ip":"192.168.170.8","dest_port":32797,"proto":"UDP","dns":{"type":"answer","id":8330,"rcode":"NOERROR","rrname":"isc.org","rrtype":"NS","ttl":3600,"rdata":"ns-ext.sth1.isc.org"}}
{"timestamp":"2005-03-30T00:52:17.758453-0800","flow_id":907251321752390,"pcap_cnt":29,"event_type":"dns","src_ip":"192.168.170.20","src_port":53,"dest_ip":"192.168.170.8","dest_port":32797,"proto":"UDP","dns":{"type":"answer","id":8330,"rcode":"NOERROR","rrname":"isc.org","rrtype":"NS","ttl":3600,"rdata":"ns-ext.isc.org"}}
{"timestamp":"2005-03-30T00:52:17.758453-0800","flow_id":907251321752390,"pcap_cnt":29,"event_type":"dns","src_ip":"192.168.170.20","src_port":53,"dest_ip":"192.168.170.8","dest_port":32797,"proto":"UDP","dns":{"type":"answer","id":8330,"rcode":"NOERROR","rrname":"isc.org","rrtype":"NS","ttl":3600,"rdata":"ns-ext.lga1.isc.org"}}

As JSON, I would expect a single log line to contain all the answers like the below:

{
  "timestamp": "2005-03-30T00:52:17.758453-0800",
  "flow_id": 907251321752390,
  "pcap_cnt": 29,
  "event_type": "dns",
  "src_ip": "192.168.170.20",
  "src_port": 53,
  "dest_ip": "192.168.170.8",
  "dest_port": 32797,
  "proto": "UDP",
  "dns": {
    "type": "answer",
    "id": 8330,
    "rcode": "NOERROR",
    "rrname": "isc.org",
    "rrtype": "NS",
    "ttl": 3600,
    "rdata": [
      "ns-ext.nrt1.isc.org",
      "ns-ext.sth1.isc.org",
      "ns-ext.isc.org",
      "ns-ext.lga1.isc.org" 
    ]
  }
}

My Setup
My DNS sample set is "_dns.cap (libpcap) Various DNS lookups_." from https://wiki.wireshark.org/SampleCaptures

My setup is an out of the box config from source (suricata-3.2.1) and I ensured DNS logging is enabled (see below).

        - dns:
            # control logging of queries and answers
            # default yes, no to disable
            query: yes     # enable logging of DNS queries
            answer: yes    # enable logging of DNS answers
            # control which RR types are logged
            # all enabled if custom not specified
            #custom: [a, aaaa, cname, mx, ns, ptr, txt]

Related issues 2 (0 open2 closed)

Related to Suricata - Feature #2199: DNS answer events compactedClosedGiuseppe Longo08/03/2017Actions
Related to Suricata - Feature #1198: more compact dns loggingClosedGiuseppe LongoActions
Actions
Copy link

Also available in: Atom PDF