Feature #3298


Create a config flag in the DNS logger to limit events to only the ones in the custom field

Added by Stian Bergseth over 4 years ago. Updated over 4 years ago.

Target version:


I am currently running Suricata with the following YAML for dns logging:

- dns:
    custom: [a, aaaa, cname]

But even with this Suricata logs big zone transfers if any of the records contains A,AAAA or Cname it will log all of it. In big AD environments this will create JSON blobs that are quite big.

Actions #1

Updated by Stian Bergseth over 4 years ago

Output from suricata --dump-config

$ suricata --dump-config | grep dns
outputs.1.eve-log.types.4 = dns
outputs.1.eve-log.types.4.dns = (null)
outputs.1.eve-log.types.4.dns.custom = (null)
outputs.1.eve-log.types.4.dns.custom.0 = a
outputs.1.eve-log.types.4.dns.custom.1 = aaaa
outputs.1.eve-log.types.4.dns.custom.2 = cname
Actions #2

Updated by Stian Bergseth over 4 years ago

eve.json output from the same host

  "proto": "TCP",
  "dns": {
    "version": 2,
    "type": "answer",
    "id": 51890,
    "flags": "8400",
    "qr": true,
    "aa": true,
    "rrname": "",
    "rrtype": "PTR",
    "rcode": "NOERROR",
    "answers": [
        "rrname": "",
        "rrtype": "PTR",
        "ttl": 3600,
        "rdata": "" 

Actions #3

Updated by Victor Julien over 4 years ago

  • Status changed from New to Feedback
  • Assignee set to Jason Ish

If I understand correct it is unclear if this is a missing feature or a bug in the existing implementation?

Actions #4

Updated by Stian Bergseth over 4 years ago

I guess it depends a bit.
I was under the impression that only the specified lookups/responses in the custom field would be logged (A,AAAA,CNAME in this case), but when DNS response/requests are grouped it will also log other types of DNS records if there is at least one A/AAAA/CNAME in there.

So depending on your point of view on this, is it a bug with the custom field? Or if not, it is a new feature?

Actions #5

Updated by Jason Ish over 4 years ago

In eve dns v2, what is logged depends on the request type. You limit it, so you could only log requests/responses where the type is of "A", and so on. Of course the response can contain a whole lot more than A records.

Also, the v2 output does not support custom. Try "types" (see Perhaps custom should be a hidden alias for types as this could be a common mistake for people upgrading from older versions.

Stian: Can you retest after changing "custom" to "types"?


Also available in: Atom PDF