Feature #2199: DNS answer events compacted
Status: closed
Description
If a DNS response packet has many answers, each of them produces a logged line.
It would be good to provide a way to compact them, having all the answers logged in one line,
and let the user choose whether to enable or disable this setting.
Eric and I have proposed and discussed with Jason Ish the following format:
{
    "dns": {
        "type": "answer",
        "id": 10451,
        "rcode": "NOERROR",
        "rrname": "time.windows.com",
        "ttl": 2755,
        "rrtype": [
            "A",
            "CNAME"
        ],
        "rdata": {
            "A": [
                "207.46.197.32"
            ],
            "CNAME": [
                "time.microsoft.akadns.net"
            ]
        }
    }
}
But we found that this is not correct, because information like the TTL is lost,
and decided to follow the format below:
{
    "timestamp": "2017-04-20T21:15:58.732859+0000",
    "flow_id": 1507173365328989,
    "pcap_cnt": 2,
    "event_type": "dns",
    "src_ip": "10.16.1.1",
    "src_port": 53,
    "dest_ip": "10.16.1.11",
    "dest_port": 41805,
    "proto": "UDP",
    "dns": {
        "type": "answer",
        "id": 36146,
        "rcode": "NOERROR",
        "answers": [
            {
                "rrname": "www.suricata-ids.org",
                "rrtype": "CNAME",
                "ttl": 3544,
                "rdata": "suricata-ids.org"
            },
            {
                "rrname": "suricata-ids.org",
                "rrtype": "A",
                "ttl": 244,
                "rdata": "192.0.78.24"
            },
            {
                "rrname": "suricata-ids.org",
                "rrtype": "A",
                "ttl": 244,
                "rdata": "192.0.78.25"
            }
        ],
        "metadata": {
            "A": [
                "192.0.78.24",
                "192.0.78.25"
            ],
            "CNAME": [
                "suricata-ids.org"
            ]
        }
    }
}
This option can be enabled or disabled in suricata.yaml,
under the eve-log.types.dns section:
        - dns:
            # control logging of queries and answers
            # default yes, no to disable
            query: yes          # enable logging of DNS queries
            answer: yes         # enable logging of DNS answers
            answer-compact: no  # enable logging of DNS answers in one line
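As an added illustration (not code from the ticket or from Suricata), the function below takes the per-answer EVE records that the old format emitted for one response and folds them into the compacted event agreed above: one "answers" list that keeps the TTL of every record, plus the rrtype-keyed "metadata" summary. The sample records are constructed from the values in the ticket; the merge key (flow_id plus the DNS transaction id) is an assumption about how answers of one response are correlated.

```python
import json

# Constructed sample (not from the ticket): the three answers of one response
# as the pre-compaction format logged them, one EVE record per answer.
_COMMON = {"timestamp": "2017-04-20T21:15:58.732859+0000", "flow_id": 1507173365328989,
           "event_type": "dns", "src_ip": "10.16.1.1", "src_port": 53,
           "dest_ip": "10.16.1.11", "dest_port": 41805, "proto": "UDP"}
PER_ANSWER_EVENTS = [
    dict(_COMMON, dns={"type": "answer", "id": 36146, "rcode": "NOERROR",
                       "rrname": "www.suricata-ids.org", "rrtype": "CNAME",
                       "ttl": 3544, "rdata": "suricata-ids.org"}),
    dict(_COMMON, dns={"type": "answer", "id": 36146, "rcode": "NOERROR",
                       "rrname": "suricata-ids.org", "rrtype": "A",
                       "ttl": 244, "rdata": "192.0.78.24"}),
    dict(_COMMON, dns={"type": "answer", "id": 36146, "rcode": "NOERROR",
                       "rrname": "suricata-ids.org", "rrtype": "A",
                       "ttl": 244, "rdata": "192.0.78.25"}),
]


def compact_dns_answers(events):
    """Merge per-answer 'dns' events of one response (same flow_id and
    transaction id, an assumed correlation key) into a single event with an
    'answers' list (ttl kept per record) and an rrtype-keyed 'metadata' map."""
    merged = {}
    for ev in events:
        dns = ev.get("dns", {})
        if ev.get("event_type") != "dns" or dns.get("type") != "answer":
            continue  # queries and non-DNS records are not compacted
        key = (ev["flow_id"], dns["id"])
        if key not in merged:
            out = {k: v for k, v in ev.items() if k != "dns"}
            out["dns"] = {"type": "answer", "id": dns["id"],
                          "rcode": dns["rcode"], "answers": [], "metadata": {}}
            merged[key] = out
        rr = {f: dns[f] for f in ("rrname", "rrtype", "ttl", "rdata") if f in dns}
        merged[key]["dns"]["answers"].append(rr)
        if "rdata" in rr:  # e.g. an NXDOMAIN answer carries no rdata to summarise
            merged[key]["dns"]["metadata"].setdefault(rr["rrtype"], []).append(rr["rdata"])
    return list(merged.values())


if __name__ == "__main__":
    for event in compact_dns_answers(PER_ANSWER_EVENTS):
        print(json.dumps(event))
```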