Feature #2199
closedDNS answer events compacted
Description
If a dns response packet has many answer, each of it provides a line logged.
It would be good to provide a way to compact them, and having all the answers logged in one line
and let the user to choice if enable or disable this setting.
Eric and I have proposed and discussed with Jason Ish the following format:
{
"dns": {
"type": "answer",
"id": 10451,
"rcode": "NOERROR",
"rrname": "time.windows.com",
"ttl": 2755,
"rrtype": [
"A",
"CNAME"
],
"rdata": {
"A": [
"207.46.197.32"
],
"CNAME": [
"time.microsoft.akadns.net"
]
}
}
}
But we found that is not correct, because information like ttl is lost,
and decided to follow the format below:
{
"timestamp": "2017-04-20T21:15:58.732859+0000",
"flow_id": 1507173365328989,
"pcap_cnt": 2,
"event_type": "dns",
"src_ip": "10.16.1.1",
"src_port": 53,
"dest_ip": "10.16.1.11",
"dest_port": 41805,
"proto": "UDP",
"dns": {
"type": "answer",
"id": 36146,
"rcode": "NOERROR",
"answers": [
{
"rrname": "www.suricata-ids.org",
"rrtype": "CNAME",
"ttl": 3544,
"rdata": "suricata-ids.org"
},
{
"rrname": "suricata-ids.org",
"rrtype": "A",
"ttl": 244,
"rdata": "192.0.78.24"
},
{
"rrname": "suricata-ids.org",
"rrtype": "A",
"ttl": 244,
"rdata": "192.0.78.25"
}
],
"metadata": {
"A": [
"192.168.0.78.24",
"192.168.0.78.25"
],
"CNAME": [
"suricata-ids.org"
],
}
}
}
This option can be enabled or disabled in suricata.yaml,
under eve-log.types.dns section:
- dns:
# control logging of queries and answers
# default yes, no to disable
query: yes # enable logging of DNS queries
answer: yes # enable logging of DNS answers
answer-compact: no # enable logging of DNS answers in one line
Updated by Eric Leblond over 6 years ago
Regarding the format, i'm sure some people will be interested only by the "metadata" part. Other will want the detailed version only. So we should be able to just output one of them or both of them.
Updated by Jason Ish over 6 years ago
Related issue: https://redmine.openinfosecfoundation.org/issues/2167 which is a more broad issue of covering changes to the eve format, and how to deal with it.
Updated by Ask Kemp over 6 years ago
I believe this request is similar to the one I made in https://redmine.openinfosecfoundation.org/issues/2086 "DNS answer for a NS containing multiple name servers should only be one line". My request also mentions compactingfor MX answers.
Updated by Giuseppe Longo over 6 years ago
Ask Kemp wrote:
I believe this request is similar to the one I made in https://redmine.openinfosecfoundation.org/issues/2086 "DNS answer for a NS containing multiple name servers should only be one line". My request also mentions compactingfor MX answers.
I've sent a PR for this ticket, If you want to try it: https://github.com/inliniac/suricata/pull/2884
Feedback is welcome.
Updated by Victor Julien about 6 years ago
- Status changed from New to Closed
- Target version changed from 70 to 4.1beta1
Updated by Jason Ish almost 6 years ago
- Related to Feature #2086: DNS answer for a NS containing multiple name servers should only be one line added