Feature #3298

open

Create a config flag in the DNS logger to limit events to only the ones in the custom field

Added by Stian Bergseth about 5 years ago. Updated about 5 years ago.

Status:
Feedback
Priority:
Normal
Assignee:
Target version:
Effort:
low
Difficulty:
low
Label:

Description

I am currently running Suricata with the following YAML for dns logging:

- dns:
    custom: [a, aaaa, cname]

But even with this, Suricata logs big zone transfers: if any of the records contains A, AAAA or CNAME it will log all of it. In big AD environments this will create JSON blobs that are quite big.

Actions #1

Updated by Stian Bergseth about 5 years ago

Output from suricata --dump-config

$ suricata --dump-config | grep dns
outputs.1.eve-log.types.4 = dns
outputs.1.eve-log.types.4.dns = (null)
outputs.1.eve-log.types.4.dns.custom = (null)
outputs.1.eve-log.types.4.dns.custom.0 = a
outputs.1.eve-log.types.4.dns.custom.1 = aaaa
outputs.1.eve-log.types.4.dns.custom.2 = cname

Actions #2

Updated by Stian Bergseth about 5 years ago

eve.json output from the same host

  "proto": "TCP",
  "dns": {
    "version": 2,
    "type": "answer",
    "id": 51890,
    "flags": "8400",
    "qr": true,
    "aa": true,
    "rrname": "90.254.202.209.in-addr.arpa",
    "rrtype": "PTR",
    "rcode": "NOERROR",
    "answers": [
      {
        "rrname": "90.254.202.209.in-addr.arpa",
        "rrtype": "PTR",
        "ttl": 3600,
        "rdata": "advertising.lycos.at" 
      },

Actions #3

Updated by Victor Julien about 5 years ago

  • Status changed from New to Feedback
  • Assignee set to Jason Ish

If I understand correctly, it is unclear whether this is a missing feature or a bug in the existing implementation?

Actions #4

Updated by Stian Bergseth about 5 years ago

I guess it depends a bit.
I was under the impression that only the specified lookups/responses in the custom field would be logged (A, AAAA, CNAME in this case), but when DNS responses/requests are grouped it will also log other types of DNS records if there is at least one A/AAAA/CNAME in there.

So, depending on your point of view on this, is it a bug with the custom field? Or, if not, is it a new feature?

Actions #5

Updated by Jason Ish about 5 years ago

In eve dns v2, what is logged depends on the request type. You limit it, so you could only log requests/responses where the type is of "A", and so on. Of course the response can contain a whole lot more than A records.

Also, the v2 output does not support custom. Try "types" (see https://suricata.readthedocs.io/en/suricata-5.0.0/output/eve/eve-json-output.html#dns). Perhaps custom should be a hidden alias for types as this could be a common mistake for people upgrading from older versions.

Stian: Can you retest after changing "custom" to "types"?
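To make the distinction in the comment above concrete, here is an added Python example (not Suricata code and not part of the issue) that post-processes eve.json lines downstream: an event-level gate on the query rrtype, which is how the comment describes v2 "types", beside the record-level trimming of answers that the feature request asks for. The eve records it runs on are constructed samples in the v2 shape shown in the issue.

```python
import json

# Constructed eve.json DNS v2 records (not from the issue): an A query, a PTR
# answer, a transfer-style answer mixing record types, and a non-DNS event.
SAMPLE_EVE_LINES = [
    json.dumps({"event_type": "dns", "dns": {"version": 2, "type": "query",
                "id": 1, "rrname": "www.example.test", "rrtype": "A"}}),
    json.dumps({"event_type": "dns", "dns": {"version": 2, "type": "answer",
                "id": 2, "rrname": "1.0.0.10.in-addr.arpa", "rrtype": "PTR",
                "answers": [{"rrtype": "PTR", "rdata": "host1.example.test"}]}}),
    json.dumps({"event_type": "dns", "dns": {"version": 2, "type": "answer",
                "id": 3, "rrname": "example.test", "rrtype": "AXFR",
                "answers": [{"rrtype": "SOA", "rdata": "ns1.example.test"},
                            {"rrtype": "A", "rdata": "10.0.0.1"},
                            {"rrtype": "AAAA", "rdata": "fd00::2"},
                            {"rrtype": "CNAME", "rdata": "host1.example.test"}]}}),
    json.dumps({"event_type": "flow", "proto": "TCP"}),
]

def query_type_allowed(event: dict, allowed: frozenset) -> bool:
    """Event-level gate on the query rrtype, as the comment describes v2 'types'."""
    dns = event.get("dns", {})
    return dns.get("version") == 2 and dns.get("rrtype", "").lower() in allowed

def trim_answers(event: dict, allowed: frozenset) -> dict:
    """Record-level trim (what the request asks for): drop answers of other types."""
    trimmed = json.loads(json.dumps(event))  # cheap deep copy, input left intact
    answers = trimmed.get("dns", {}).get("answers")
    if answers is not None:
        trimmed["dns"]["answers"] = [a for a in answers
                                     if a.get("rrtype", "").lower() in allowed]
    return trimmed

def filter_eve(lines, types, trim: bool = False) -> list:
    """Post-process eve.json lines downstream of Suricata. trim=False mimics
    event-level gating; trim=True also keeps gated-out answers holding at least
    one allowed record, reduced to just those records."""
    allowed = frozenset(t.lower() for t in types)
    kept = []
    for line in lines:
        event = json.loads(line)
        if event.get("event_type") != "dns":
            continue
        if trim:
            event = trim_answers(event, allowed)
            if query_type_allowed(event, allowed) or event["dns"].get("answers"):
                kept.append(event)
        elif query_type_allowed(event, allowed):
            kept.append(event)
    return kept
```

With types a, aaaa and cname, the gate alone keeps only the A query, while trimming also keeps the transfer response reduced to its A, AAAA and CNAME records and drops the PTR response entirely.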
