Bug #2146 (closed)
DNS answer not logged with eve-log
Description
Tested on Suricata version: 4.0.0-beta1 RELEASE
The following DNS answer is not logged to the eve-log file although the dns event type is enabled for queries and answers:
Frame Number = 71
IPSrc = 192.168.61.2
PortSrc = 53
IPDst = 192.168.1.14
PortDst = 61884
Protocol = UDP
DNS Info = Standard query response 0x57c0 A a6281279.yolox.net A 91.223.216.67 NS ns11.ayola.net NS ns10.ayola.net
Related suricata.yaml sections follow:

HOME_NET: "[192.168.1.0/24]"
DNS_SERVERS: "$HOME_NET"

  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      types:
        - alert:
            http: yes
            tls: yes
            ssh: no
            smtp: no
            dnp3: no
            vars: no
            tagged-packets: yes
            xff:
              enabled: no
        - dns:
            query: yes
            answer: yes
        - tls:
        - files:
            force-magic: yes
            force-hash: [sha1]
        - flow
The following eve.json line is the only reference to UDP port 61884 and, as you can see, it is of type "flow":
{"timestamp":"2016-05-09T15:15:58.067889+0200","flow_id":1602128252140595,"event_type":"flow","src_ip":"192.168.61.2","src_port":53,"dest_ip":"192.168.1.14","dest_port":61884,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":138,"bytes_toclient":0,"start":"2016-05-09T15:15:06.818227+0200","end":"2016-05-09T15:15:06.818227+0200","age":0,"state":"new","reason":"timeout","alerted":false}}
Find attached the original pcap
Updated by Fanny Dwargee over 7 years ago
Forgot to add that the platform is:
~$ uname -a
Linux mad-dev 3.2.0-4-amd64 #1 SMP Debian 3.2.86-1 x86_64 GNU/Linux
Updated by Jason Ish over 7 years ago
Fanny Dwargee wrote:
Forgot to add that the platform is:
[...]
Did you build with Rust support (--enable-rust)?
Updated by Fanny Dwargee over 7 years ago
Do you want me to rebuild with that option?
Updated by Jason Ish over 7 years ago
Fanny Dwargee wrote:
Do you want me to rebuild with that option?
No. Just need to know which code to verify this with. But will check and fix against both.
Updated by Jason Ish over 7 years ago
- Assignee set to Jason Ish
- Target version set to 70
Updated by Fanny Dwargee over 7 years ago
Just FYI...
Tested against Suricata v4.0.0-rc1 and the issue still persists.
Updated by Jason Ish over 7 years ago
So, unfortunately, DNS does require the request to be seen first, and as this is a response with no request, it won't get logged.
This is something we'll be looking into, but not in the 4.0 time frame as it does require some non-trivial changes.
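A quick way to find flows affected by the behaviour described above, as an added example that is not part of this ticket or of Suricata itself: the script scans eve.json (one JSON event per line) for UDP flow records that begin from port 53, carry traffic in one direction only and finished with app_proto "failed", then reports the ones that have no dns event for the same flow_id. The first sample line is the flow record quoted in the report; the remaining lines are constructed here to show a normally logged query/answer pair for comparison, and their dns field names are only sketched (the check relies on event_type and flow_id alone).

```python
import json

# Constructed sample of eve.json lines (NDJSON). Line 1 is the flow record from
# the report; the others are constructed for this example and are not real logs.
SAMPLE_EVE = """\
{"timestamp":"2016-05-09T15:15:58.067889+0200","flow_id":1602128252140595,"event_type":"flow","src_ip":"192.168.61.2","src_port":53,"dest_ip":"192.168.1.14","dest_port":61884,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":138,"bytes_toclient":0,"start":"2016-05-09T15:15:06.818227+0200","end":"2016-05-09T15:15:06.818227+0200","age":0,"state":"new","reason":"timeout","alerted":false}}
{"timestamp":"2016-05-09T15:15:07.000000+0200","flow_id":1111,"event_type":"dns","src_ip":"192.168.1.14","src_port":50000,"dest_ip":"192.168.61.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":1234,"rrname":"example.net","rrtype":"A"}}
{"timestamp":"2016-05-09T15:15:07.010000+0200","flow_id":1111,"event_type":"dns","src_ip":"192.168.61.2","src_port":53,"dest_ip":"192.168.1.14","dest_port":50000,"proto":"UDP","dns":{"type":"answer","id":1234,"rrname":"example.net","rrtype":"A","rdata":"192.0.2.10"}}
{"timestamp":"2016-05-09T15:15:58.000000+0200","flow_id":1111,"event_type":"flow","src_ip":"192.168.1.14","src_port":50000,"dest_ip":"192.168.61.2","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":70,"bytes_toclient":138,"start":"2016-05-09T15:15:07.000000+0200","end":"2016-05-09T15:15:07.010000+0200","age":0,"state":"new","reason":"timeout","alerted":false}}
this line is deliberately not JSON, to show that a corrupt line is skipped
"""


def iter_events(text):
    """Yield one dict per well-formed NDJSON line; skip blank or corrupt lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            # A truncated or corrupt line must not abort the whole scan.
            continue


def is_response_only_dns_flow(ev, dns_ports=(53,)):
    """True for a flow record that looks like a DNS response Suricata never parsed.

    Suricata takes flow direction from the first packet it sees, so a flow that
    starts with the server's reply has the DNS server as "src" and the single
    reply counted as a "toserver" packet. app_proto "failed" means protocol
    detection never settled on dns for that flow.
    """
    if ev.get("event_type") != "flow" or ev.get("proto") != "UDP":
        return False
    if ev.get("src_port") not in dns_ports:
        return False
    if ev.get("app_proto") != "failed":
        return False
    counters = ev.get("flow", {})
    return counters.get("pkts_toserver", 0) >= 1 and counters.get("pkts_toclient", 0) == 0


def find_unlogged_dns_responses(text):
    """Return the flows whose DNS response left only a 'flow' record behind."""
    events = list(iter_events(text))
    flows_with_dns_events = {ev.get("flow_id") for ev in events if ev.get("event_type") == "dns"}
    hits = []
    for ev in events:
        if is_response_only_dns_flow(ev) and ev.get("flow_id") not in flows_with_dns_events:
            hits.append({
                "flow_id": ev["flow_id"],
                "server": f'{ev["src_ip"]}:{ev["src_port"]}',
                "client": f'{ev["dest_ip"]}:{ev["dest_port"]}',
                "bytes": ev["flow"].get("bytes_toserver", 0),
            })
    return hits


if __name__ == "__main__":
    for hit in find_unlogged_dns_responses(SAMPLE_EVE):
        print(f"flow {hit['flow_id']}: DNS response {hit['server']} -> {hit['client']} "
              f"({hit['bytes']} bytes) has no dns event")
```

Run it against a real eve.json by replacing SAMPLE_EVE with the file contents; a hit is a flow where the response was seen but the query was not (the pcap in this ticket, traffic captured mid-flow, or asymmetric routing), which on 4.0 produces exactly the flow-only record shown in the report.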
Updated by Fanny Dwargee over 7 years ago
Ok, thank you so much for your time. :)
Updated by Victor Julien over 6 years ago
- Status changed from New to Assigned
- Target version changed from 70 to 5.0beta1
Working on protocol detection changes that will allow for proper flow reversal and toclient only streams, so when that is ready this can get addressed.
Updated by Victor Julien about 6 years ago
- Related to Optimization #2272: Analyze DNS response if query is not present added
Updated by Victor Julien over 5 years ago
- Target version changed from 5.0beta1 to 5.0rc1
Updated by Jason Ish about 5 years ago
- Status changed from Assigned to Closed
Fixed and merged to master with commit: 5f1d21f2479ecb29e50b4181e8b186e8c44db441