Project

General

Profile

Actions
Copy link

Feature #5642

open
JI JI

Task #4772: tracking: parity between fields logged and fields available for detection

DNS: parity between log fields and detection

Feature #5642: DNS: parity between log fields and detection

Added by Jason Ish over 3 years ago. Updated 10 months ago.

Status:
Assigned
Priority:
Normal
Assignee:
Jason Ish
Target version:
9.0.0-beta1
Effort:
Difficulty:
Label:

Subtasks 2 (0 open2 closed)

Feature #6621: dns: add keyword for dns rcode: dns.rcodeClosedHadiqa Alamdar BukhariActions
Feature #6666: dns: add keyword for dns rrtype: dns.rrtypeClosedHadiqa Alamdar BukhariActions

Related issues 5 (4 open1 closed)

Related to Suricata - Task #6443: Suricon 2023 brainstormAssignedVictor JulienActions
Related to Suricata - Feature #4153: app-layer: rust derive style macros to generate common codeAssignedJason IshActions
Related to Suricata - Feature #2448: dns: additional buffers for DNS ResponsesNewJason IshActions
Related to Suricata - Optimization #7529: detect/dns: move wrapper code from C to rustClosedPhilippe AntoineActions
Blocks Suricata - Story #7901: 9.0.0: rules: improve rules keyword/output parityAssignedVictor JulienActions

JI Updated by Jason Ish over 3 years ago Actions
Copy link
 #1

  • Related to Task #4772: tracking: parity between fields logged and fields available for detection added

PA Updated by Philippe Antoine over 2 years ago Actions
Copy link
 #2

  • Related to Task #6443: Suricon 2023 brainstorm added

JF Updated by Juliana Fajardini Reichow over 2 years ago Actions
Copy link
 #3

  • Assignee changed from OISF Dev to Hadiqa Alamdar Bukhari
  • Target version changed from TBD to 8.0.0-beta1

JF Updated by Juliana Fajardini Reichow over 2 years ago Actions
Copy link
 #4

  • Parent task set to #6597

JI Updated by Jason Ish over 2 years ago Actions
Copy link
 #5

  • Subtask #6621 added

HA Updated by Hadiqa Alamdar Bukhari over 2 years ago Actions
Copy link
 #6

After comparing the dns fields in rust/src/dns/log.rs and schema.json files I've found the following fields to be missing in the schema.json file:
  • aa boolean field is missing in the answer array. It is present in dns object properties.
  • tc boolean field is missing in the answer array.
  • z boolean field is missing in the answer array. It is present for query array and dns object properties.
  • I also don't see the sshfp field anywhere in the dns object while I do see the srv field in the answers array and soa field in the authorities array.

HA Updated by Hadiqa Alamdar Bukhari over 2 years ago Actions
Copy link
 #7

The fields which have been implemented include:
- dns.query
- dns.opcode
- dns.rcode : in progress
- dns.answer.name
- dns.query.name
Awaiting further instructions on which fields to implement first.

JI Updated by Jason Ish over 2 years ago Actions
Copy link
 #8

Hadiqa Alamdar Bukhari wrote in #note-7:

The fields which have been implemented include:
- dns.query
- dns.opcode
- dns.rcode : in progress
- dns.answer.name
- dns.query.name
Awaiting further instructions on which fields to implement first.

- rtype would be a good next one, it would be much like opcode or rcode
- then maybe "a" and "aaaa", which are more similar to dns.answer.name as they would be sticky buffers
- or some other protocol?

HA Updated by Hadiqa Alamdar Bukhari over 2 years ago Actions
Copy link
 #9

Jason Ish wrote in #note-8:

Hadiqa Alamdar Bukhari wrote in #note-7:

The fields which have been implemented include:
- dns.query
- dns.opcode
- dns.rcode : in progress
- dns.answer.name
- dns.query.name
Awaiting further instructions on which fields to implement first.

- rtype would be a good next one, it would be much like opcode or rcode
- then maybe "a" and "aaaa", which are more similar to dns.answer.name as they would be sticky buffers
- or some other protocol?

Got it, thanks!

HA Updated by Hadiqa Alamdar Bukhari about 2 years ago Actions
Copy link
 #10

  • Related to Feature #6666: dns: add keyword for dns rrtype: dns.rrtype added

SB Updated by Shivani Bhardwaj about 2 years ago Actions
Copy link
 #11

  • Subtask #6666 added

JF Updated by Juliana Fajardini Reichow almost 2 years ago Actions
Copy link
 #12

  • Assignee changed from Hadiqa Alamdar Bukhari to OISF Dev

Since we have subtickets that are directly assigned, I'll keep this parent ticket as assigned to OISF Dev, so we know that it is available for others to work on.

VJ Updated by Victor Julien almost 2 years ago Actions
Copy link
 #13

  • Assignee changed from OISF Dev to Jason Ish

VJ Updated by Victor Julien almost 2 years ago Actions
Copy link
 #14

  • Related to Feature #4153: app-layer: rust derive style macros to generate common code added

JI Updated by Jason Ish almost 2 years ago Actions
Copy link
 #15

  • Related to Feature #2448: dns: additional buffers for DNS Responses added

VJ Updated by Victor Julien almost 2 years ago Actions
Copy link
 #16

  • Parent task changed from #6597 to #4772

VJ Updated by Victor Julien almost 2 years ago Actions
Copy link
 #17

  • Blocks Story #6597: rules: improve rules keyword/output parity added

VJ Updated by Victor Julien over 1 year ago Actions
Copy link
 #18

  • Status changed from New to Assigned

PA Updated by Philippe Antoine about 1 year ago Actions
Copy link
 #19

VJ Updated by Victor Julien about 1 year ago Actions
Copy link
 #20

  • Target version changed from 8.0.0-beta1 to 8.0.0-rc1

VJ Updated by Victor Julien 10 months ago Actions
Copy link
 #21

  • Target version changed from 8.0.0-rc1 to 9.0.0-beta1

VJ Updated by Victor Julien 7 months ago Actions
Copy link
 #22

  • Blocks deleted (Story #6597: rules: improve rules keyword/output parity)

VJ Updated by Victor Julien 7 months ago Actions
Copy link
 #23

  • Blocks Story #7901: 9.0.0: rules: improve rules keyword/output parity added
Actions
Copy link

Also available in: PDF Atom