Feature #5642
openTask #6597: rules keyword/output parity: improve
DNS: parity between log fields and detection
Added by Jason Ish over 1 year ago. Updated 18 days ago.
Updated by Jason Ish over 1 year ago
- Related to Task #4772: tracking: parity between fields logged and fields available for detection added
Updated by Philippe Antoine 6 months ago
- Related to Task #6443: Suricon 2023 brainstorm added
Updated by Juliana Fajardini Reichow 5 months ago
- Assignee changed from OISF Dev to Hadiqa Alamdar Bukhari
- Target version changed from TBD to 8.0.0-beta1
Updated by Hadiqa Alamdar Bukhari 4 months ago
- aa boolean field is missing in the answer array. It is present in dns object properties.
- tc boolean field is missing in the answer array.
- z boolean field is missing in the answer array. It is present for query array and dns object properties.
- I also don't see the sshfp field anywhere in the dns object while I do see the srv field in the answers array and soa field in the authorities array.
Updated by Hadiqa Alamdar Bukhari 4 months ago
The fields which have been implemented include:
- dns.query
- dns.opcode
- dns.rcode : in progress
- dns.answer.name
- dns.query.name
Awaiting further instructions on which fields to implement first.
Updated by Jason Ish 4 months ago
Hadiqa Alamdar Bukhari wrote in #note-7:
The fields which have been implemented include:
- dns.query
- dns.opcode
- dns.rcode : in progress
- dns.answer.name
- dns.query.name
Awaiting further instructions on which fields to implement first.
- rtype would be a good next one, it would be much like opcode or rcode
- then maybe "a" and "aaaa", which are more similar to dns.answer.name as they would be sticky buffers
- or some other protocol?
Updated by Hadiqa Alamdar Bukhari 4 months ago
Jason Ish wrote in #note-8:
Hadiqa Alamdar Bukhari wrote in #note-7:
The fields which have been implemented include:
- dns.query
- dns.opcode
- dns.rcode : in progress
- dns.answer.name
- dns.query.name
Awaiting further instructions on which fields to implement first.- rtype would be a good next one, it would be much like opcode or rcode
- then maybe "a" and "aaaa", which are more similar to dns.answer.name as they would be sticky buffers
- or some other protocol?
Got it, thanks!
Updated by Hadiqa Alamdar Bukhari 4 months ago
- Related to Feature #6666: dns: add keyword for dns rrtype: dns.rrtype added
Updated by Juliana Fajardini Reichow 18 days ago
- Assignee changed from Hadiqa Alamdar Bukhari to OISF Dev
Since we have subtickets that are directly assigned, I'll keep this parent ticket as assigned to OISF Dev, so we know that it is available for others to work on.