<p>Open Information Security Foundation</p>
<p><strong>Suricata - Feature #5642: DNS: parity between log fields and detection</strong> (2022-11-06T16:03:49Z)</p>
<p><strong>Update</strong> <a href="https://redmine.openinfosecfoundation.org/issues/5642?journal_id=25336">2022-11-06T16:03:49Z</a> by Jason Ish (jason.ish@oisf.net)</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-5 status-2 priority-4 priority-default parent" href="/issues/4772">Task #4772</a>: tracking: parity between fields logged and fields available for detection</i> added</li></ul>
<p><strong>Update</strong> <a href="https://redmine.openinfosecfoundation.org/issues/5642?journal_id=30623">2023-11-08T16:21:12Z</a> by Philippe Antoine</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-5 status-2 priority-4 priority-default child" href="/issues/6443">Task #6443</a>: Suricon 2023 brainstorm</i> added</li></ul>
<p><strong>Update</strong> <a href="https://redmine.openinfosecfoundation.org/issues/5642?journal_id=31442">2023-12-04T13:34:30Z</a> by Juliana Fajardini Reichow</p>
<ul><li><strong>Assignee</strong> changed from <i>OISF Dev</i> to <i>Hadiqa Alamdar Bukhari</i></li><li><strong>Target version</strong> changed from <i>TBD</i> to <i>8.0.0-beta1</i></li></ul>
<p><strong>Update</strong> <a href="https://redmine.openinfosecfoundation.org/issues/5642?journal_id=31445">2023-12-04T21:07:54Z</a> by Juliana Fajardini Reichow</p>
<ul><li><strong>Parent task</strong> set to <i>#6597</i></li></ul>
<p><strong>Update</strong> <a href="https://redmine.openinfosecfoundation.org/issues/5642?journal_id=31545">2023-12-11T17:34:48Z</a> by Jason Ish (jason.ish@oisf.net)</p>
<ul><li><strong>Subtask</strong> <i>#6621</i> added</li></ul>
<p><strong>Update</strong> <a href="https://redmine.openinfosecfoundation.org/issues/5642?journal_id=31778">2024-01-04T16:46:31Z</a> by Hadiqa Alamdar Bukhari</p>
<p>After comparing the DNS fields in rust/src/dns/log.rs and schema.json, I've found the following fields to be missing from the schema.json file:</p>
<ul>
<li>The aa boolean field is missing from the answer array. It is present in the dns object properties.</li>
<li>The tc boolean field is missing from the answer array.</li>
<li>The z boolean field is missing from the answer array. It is present for the query array and the dns object properties.</li>
<li>I also don't see the sshfp field anywhere in the dns object, while I do see the srv field in the answers array and the soa field in the authorities array.</li>
</ul>
<p><strong>Update</strong> <a href="https://redmine.openinfosecfoundation.org/issues/5642?journal_id=31779">2024-01-04T16:53:59Z</a> by Hadiqa Alamdar Bukhari</p>
<p>The fields which have been implemented include:</p>
<ul>
<li>dns.query</li>
<li>dns.opcode</li>
<li>dns.rcode: in progress</li>
<li>dns.answer.name</li>
<li>dns.query.name</li>
</ul>
<p>Awaiting further instructions on which fields to implement first.</p>
<p><strong>Update</strong> <a href="https://redmine.openinfosecfoundation.org/issues/5642?journal_id=31781">2024-01-04T18:24:51Z</a> by Jason Ish (jason.ish@oisf.net)</p>
<p>Hadiqa Alamdar Bukhari wrote in <a href="#note-7">#note-7</a>:</p>
<blockquote>
<p>The fields which have been implemented include:</p>
<ul>
<li>dns.query</li>
<li>dns.opcode</li>
<li>dns.rcode: in progress</li>
<li>dns.answer.name</li>
<li>dns.query.name</li>
</ul>
<p>Awaiting further instructions on which fields to implement first.</p>
</blockquote>
<ul>
<li>rtype would be a good next one; it would be much like opcode or rcode</li>
<li>then maybe "a" and "aaaa", which are more similar to dns.answer.name as they would be sticky buffers</li>
<li>or some other protocol?</li>
</ul>
<p><strong>Update</strong> <a href="https://redmine.openinfosecfoundation.org/issues/5642?journal_id=31782">2024-01-04T18:48:50Z</a> by Hadiqa Alamdar Bukhari</p>
<p>Jason Ish wrote in <a href="#note-8">#note-8</a>:</p>
<blockquote>
<p>Hadiqa Alamdar Bukhari wrote in <a href="#note-7">#note-7</a>:</p>
<blockquote>
<p>The fields which have been implemented include:</p>
<ul>
<li>dns.query</li>
<li>dns.opcode</li>
<li>dns.rcode: in progress</li>
<li>dns.answer.name</li>
<li>dns.query.name</li>
</ul>
<p>Awaiting further instructions on which fields to implement first.</p>
</blockquote>
<ul>
<li>rtype would be a good next one; it would be much like opcode or rcode</li>
<li>then maybe "a" and "aaaa", which are more similar to dns.answer.name as they would be sticky buffers</li>
<li>or some other protocol?</li>
</ul>
</blockquote>
<p>Got it, thanks!</p>
<p><strong>Update</strong> <a href="https://redmine.openinfosecfoundation.org/issues/5642?journal_id=31845">2024-01-09T11:29:18Z</a> by Hadiqa Alamdar Bukhari</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-8 priority-4 priority-default child" href="/issues/6666">Feature #6666</a>: dns: add keyword for dns rrtype: dns.rrtype</i> added</li></ul>
<p><strong>Update</strong> <a href="https://redmine.openinfosecfoundation.org/issues/5642?journal_id=31848">2024-01-09T11:48:21Z</a> by Shivani Bhardwaj</p>
<ul><li><strong>Subtask</strong> <i>#6666</i> added</li></ul>