Feature #6621
closedTask #4772: tracking: parity between fields logged and fields available for detection
Feature #5642: DNS: parity between log fields and detection
dns: add keyword for dns rcode: dns.rcode
Description
DNS records log the rcode, but it is not available for detection. For example:
{
"@timestamp": "2023-12-11T17:31:16.621Z",
"community_id": "1:wQg9tR3nlxBAH4VrGg6YGsAa6AA=",
"dest_ip": "10.16.1.1",
"dest_port": 53,
"dns": {
"answers": [
{
"rdata": "l-0007.l-msedge.net",
"rrname": "config-edge-skype.l-0007.l-msedge.net",
"rrtype": "CNAME",
"ttl": 152
}
],
"flags": "8180",
"id": 49242,
"opcode": 0,
"qr": true,
"ra": true,
"rcode": "NOERROR",
"rd": true,
"rrname": "config.edge.skype.com",
"rrtype": "HTTPS",
"type": "answer",
"version": 2
},
"event_type": "dns",
}
The dns.opcode keyword should be a good starter for the rcode as both are present in the header as integers. Even though we long to string representation of the rcode, the keyword should probably first start by accepting the integer value, then maybe we could add string representations after.
Updated by Hadiqa Alamdar Bukhari almost 2 years ago
- Target version changed from TBD to 8.0.0-beta1
Updated by Hadiqa Alamdar Bukhari almost 2 years ago
Can this keyword be negated?
Updated by Juliana Fajardini Reichow almost 2 years ago
Hadiqa Alamdar Bukhari wrote in #note-2:
Can this keyword be negated?
Answered here: https://github.com/OISF/suricata/pull/10087#discussion_r1435191583
Updated by Juliana Fajardini Reichow almost 2 years ago
First PR version: https://github.com/OISF/suricata/pull/10087
Updated by Hadiqa Alamdar Bukhari almost 2 years ago
- Status changed from New to In Progress
Updated by Jason Taylor almost 2 years ago
Thanks for working on this Hadiqa! We (ET team) were wondering if it would be possible to add comparison functionality (e.g. <, >, <>) similar to urilen?
One thing that came up also was if it would be possible to allow an array of values [0, 11, 23], for example?
Updated by Philippe Antoine almost 2 years ago
- Blocked by Bug #6281: dns: structure of query differs between "alert" and "dns" event types added
Updated by Philippe Antoine almost 2 years ago
@Jason Taylor array of values are not supported for integers yet... :-/
Updated by Jason Taylor almost 2 years ago
Philippe Antoine wrote in #note-8:
@Jason Taylor array of values are not supported for integers yet... :-/
Ah okay. Would the comparison options be possible?
Updated by Philippe Antoine almost 2 years ago
- Status changed from In Progress to In Review
Updated by Juliana Fajardini Reichow almost 2 years ago
Jason Taylor wrote in #note-9:
Philippe Antoine wrote in #note-8:
@Jason Taylor array of values are not supported for integers yet... :-/
Ah okay. Would the comparison options be possible?
The comparison options, yes :)
Updated by Juliana Fajardini Reichow over 1 year ago
- Status changed from In Review to Resolved
Updated by Philippe Antoine 11 months ago
- Status changed from Resolved to Closed