Project

General

Profile

Actions

Feature #3298

open

Create a config flag in the DNS logger to limit events to only the ones in the custom field

Added by Stian Bergseth almost 5 years ago. Updated almost 5 years ago.

Status:
Feedback
Priority:
Normal
Assignee:
Target version:
Effort:
low
Difficulty:
low
Label:

Description

I am currently running Suricata with the following YAML for dns logging:

- dns:
    custom: [a, aaaa, cname]

But even with this Suricata logs big zone transfers if any of the records contains A,AAAA or Cname it will log all of it. In big AD environments this will create JSON blobs that are quite big.

Actions

Also available in: Atom PDF