Project

General

Profile

Actions
Copy link

Feature #5642

open

Task #6597: rules keyword/output parity: improve

DNS: parity between log fields and detection

Added by Jason Ish over 1 year ago. Updated 14 days ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
8.0.0-beta1
Effort:
Difficulty:
Label:

Subtasks 2 (1 open1 closed)

Feature #6621: dns: add keyword for dns rcode: dns.rcodeResolvedHadiqa Alamdar BukhariActions
Feature #6666: dns: add keyword for dns rrtype: dns.rrtypeClosedHadiqa Alamdar BukhariActions

Related issues 2 (2 open0 closed)

Related to Suricata - Task #4772: tracking: parity between fields logged and fields available for detectionAssignedVictor JulienActions
Related to Suricata - Task #6443: Suricon 2023 brainstormAssignedVictor JulienActions
Actions
Copy link
 #1

Updated by Jason Ish over 1 year ago

  • Related to Task #4772: tracking: parity between fields logged and fields available for detection added
Actions
Copy link
 #2

Updated by Philippe Antoine 6 months ago

  • Related to Task #6443: Suricon 2023 brainstorm added
Actions
Copy link
 #3

Updated by Juliana Fajardini Reichow 5 months ago

  • Assignee changed from OISF Dev to Hadiqa Alamdar Bukhari
  • Target version changed from TBD to 8.0.0-beta1
Actions
Copy link
 #4

Updated by Juliana Fajardini Reichow 5 months ago

  • Parent task set to #6597
Actions
Copy link
 #5

Updated by Jason Ish 5 months ago

  • Subtask #6621 added
Actions
Copy link
 #6

Updated by Hadiqa Alamdar Bukhari 4 months ago

After comparing the dns fields in rust/src/dns/log.rs and schema.json files I've found the following fields to be missing in the schema.json file:
  • aa boolean field is missing in the answer array. It is present in dns object properties.
  • tc boolean field is missing in the answer array.
  • z boolean field is missing in the answer array. It is present for query array and dns object properties.
  • I also don't see the sshfp field anywhere in the dns object while I do see the srv field in the answers array and soa field in the authorities array.
Actions
Copy link
 #7

Updated by Hadiqa Alamdar Bukhari 4 months ago

The fields which have been implemented include:
- dns.query
- dns.opcode
- dns.rcode : in progress
- dns.answer.name
- dns.query.name
Awaiting further instructions on which fields to implement first.

Actions
Copy link
 #8

Updated by Jason Ish 4 months ago

Hadiqa Alamdar Bukhari wrote in #note-7:

The fields which have been implemented include:
- dns.query
- dns.opcode
- dns.rcode : in progress
- dns.answer.name
- dns.query.name
Awaiting further instructions on which fields to implement first.

- rtype would be a good next one, it would be much like opcode or rcode
- then maybe "a" and "aaaa", which are more similar to dns.answer.name as they would be sticky buffers
- or some other protocol?

Actions
Copy link
 #9

Updated by Hadiqa Alamdar Bukhari 4 months ago

Jason Ish wrote in #note-8:

Hadiqa Alamdar Bukhari wrote in #note-7:

The fields which have been implemented include:
- dns.query
- dns.opcode
- dns.rcode : in progress
- dns.answer.name
- dns.query.name
Awaiting further instructions on which fields to implement first.

- rtype would be a good next one, it would be much like opcode or rcode
- then maybe "a" and "aaaa", which are more similar to dns.answer.name as they would be sticky buffers
- or some other protocol?

Got it, thanks!

Actions
Copy link
 #10

Updated by Hadiqa Alamdar Bukhari 4 months ago

  • Related to Feature #6666: dns: add keyword for dns rrtype: dns.rrtype added
Actions
Copy link
 #11

Updated by Shivani Bhardwaj 4 months ago

  • Subtask #6666 added
Actions
Copy link
 #12

Updated by Juliana Fajardini Reichow 14 days ago

  • Assignee changed from Hadiqa Alamdar Bukhari to OISF Dev

Since we have subtickets that are directly assigned, I'll keep this parent ticket as assigned to OISF Dev, so we know that it is available for others to work on.

Actions
Copy link

Also available in: Atom PDF