Optimization #2272

open

Analyze DNS response if query is not present

Added by Chris Knott about 5 years ago. Updated about 1 year ago.

Status: Assigned
Priority: Normal

Description

A DNS event should be logged in the eve.json file if the DNS response is available in the packet stream only (meaning that the DNS query to the response is missing). At the moment DNS queries are always generating a DNS event entry. DNS responses are only generating an entry if the appropriate DNS query is present in the packet stream. This behavior is the same in the C and in the Rust implementation of the DNS plugin.
The test PCAPs attached:
dns.pcap: 2 packets, a DNS query and the corresponding response; generating 2 DNS event entries in the eve.json file
dnsquery.pcap: Only the query contained in dns.pcap; generating 1 DNS event entry in the eve.json file
dnsresponse.pcap: Only the response contained in dns.pcap; generating 0 DNS event entries in the eve.json file (should generate 1 entry)
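The reproduction above can be rebuilt without the attached files. The script below is an added example, not part of this issue or of Suricata's own code: it writes a one-packet pcap that carries only a DNS answer (no preceding query) and counts the DNS records in the eve.json Suricata produces from it. All packet fields (addresses, ports, transaction ID, the example.com A record) and the SAMPLE_EVE lines are constructed for illustration; the counter assumes the eve DNS record carries a dns.type of "query" or "answer", as in the v1 DNS log format.

```python
"""Added example (not from issue #2272 or Suricata): build a pcap holding only
a DNS response, then count the DNS events in the eve.json produced for it.
All packet fields and the sample eve.json lines are constructed."""
import json
import struct
import time
from collections import Counter

ETH_LEN, IP_LEN, UDP_LEN = 14, 20, 8


def inet_aton(ip):
    """Dotted-quad string to 4 raw bytes."""
    return bytes(int(o) for o in ip.split("."))


def dns_response(txid, name, ip, ttl=300):
    """Minimal DNS answer: QR=1, RD/RA set, NOERROR, one A record for `name`."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    # The answer name is a compression pointer (0xc00c) back to the question.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + inet_aton(ip)
    return header + question + answer


def ip_checksum(data):
    """RFC 1071 ones-complement checksum over `data`."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_ipv4_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/UDP frame carrying `payload` (UDP checksum left at 0)."""
    udp = struct.pack("!HHHH", sport, dport, UDP_LEN + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_LEN + len(udp), 0x1234,
                         0x4000, 64, 17, 0, inet_aton(src_ip), inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    return eth + ip_hdr + udp


def is_dns_response(frame):
    """True if the DNS header inside the UDP payload has the QR bit set."""
    flags, = struct.unpack_from("!H", frame, ETH_LEN + IP_LEN + UDP_LEN + 2)
    return bool(flags & 0x8000)


def write_pcap(path, frames):
    """Write `frames` as a classic little-endian pcap, linktype 1 (Ethernet)."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        ts = int(time.time())
        for fr in frames:
            f.write(struct.pack("<IIII", ts, 0, len(fr), len(fr)) + fr)


def count_dns_events(eve_lines):
    """Count eve.json records with event_type "dns", keyed by dns.type."""
    counts = Counter()
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") == "dns":
            counts[ev.get("dns", {}).get("type", "unknown")] += 1
    return counts


# Constructed eve.json sample: the output the issue asks for on a
# response-only pcap (one "answer" record, no "query" record).
SAMPLE_EVE = [
    '{"timestamp":"2017-11-16T15:47:00.000000+0000","event_type":"dns","src_ip":"8.8.8.8","dest_ip":"10.0.0.2","proto":"UDP","dns":{"type":"answer","id":4660,"rcode":"NOERROR","rrname":"example.com","rrtype":"A","ttl":300,"rdata":"93.184.216.34"}}',
    '{"timestamp":"2017-11-16T15:47:00.000000+0000","event_type":"flow","src_ip":"8.8.8.8","dest_ip":"10.0.0.2","proto":"UDP"}',
    '{"timestamp":"2017-11-16T15:47:01.000000+0000","event_type":"stats"}',
]


def build_response_only_pcap(path="dnsresponse_only.pcap"):
    """Write a pcap with exactly one packet: the DNS answer, no query."""
    frame = udp_ipv4_frame("8.8.8.8", "10.0.0.2", 53, 51234,
                           dns_response(0x1234, "example.com", "93.184.216.34"))
    write_pcap(path, [frame])
    return frame


if __name__ == "__main__":
    build_response_only_pcap()
    print(count_dns_events(SAMPLE_EVE))
```

Run the script, then `suricata -r dnsresponse_only.pcap -l out/` and pass the lines of `out/eve.json` to `count_dns_events`. With the behaviour described in this issue the counter comes back empty; the expected result is one "answer" record, which is what the constructed SAMPLE_EVE models.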


Files

dns.pcap (208 Bytes) dns.pcap Chris Knott, 11/16/2017 03:47 PM
dnsquery.pcap (108 Bytes) dnsquery.pcap Chris Knott, 11/16/2017 03:47 PM
dnsresponse.pcap (124 Bytes) dnsresponse.pcap Chris Knott, 11/16/2017 03:47 PM

Related issues (6: 4 open, 2 closed)

Related to Task #2309: SuriCon 2017 brainstorm (Assigned, Victor Julien)
Related to Task #2278: tracking: failing better (New, OISF Dev)
Related to Bug #2146: DNS answer not logged with eve-log (Closed, Jason Ish)
Related to Task #3288: Suricon 2019 brainstorm (Assigned, Victor Julien)
Related to Bug #4135: dns: response only udp not detected as dns (Assigned, Jason Ish)
Blocked by Feature #2572: extend protocol detection to specify flow direction (Closed, Victor Julien)