Feature #6621
closedTask #4772: tracking: parity between fields logged and fields available for detection
Feature #5642: DNS: parity between log fields and detection
dns: add keyword for dns rcode: dns.rcode
Description
DNS records log the rcode, but it is not available for detection. For example:
{
"@timestamp": "2023-12-11T17:31:16.621Z",
"community_id": "1:wQg9tR3nlxBAH4VrGg6YGsAa6AA=",
"dest_ip": "10.16.1.1",
"dest_port": 53,
"dns": {
"answers": [
{
"rdata": "l-0007.l-msedge.net",
"rrname": "config-edge-skype.l-0007.l-msedge.net",
"rrtype": "CNAME",
"ttl": 152
}
],
"flags": "8180",
"id": 49242,
"opcode": 0,
"qr": true,
"ra": true,
"rcode": "NOERROR",
"rd": true,
"rrname": "config.edge.skype.com",
"rrtype": "HTTPS",
"type": "answer",
"version": 2
},
"event_type": "dns",
}
The dns.opcode keyword should be a good starter for the rcode as both are present in the header as integers. Even though we long to string representation of the rcode, the keyword should probably first start by accepting the integer value, then maybe we could add string representations after.
HA Updated by Hadiqa Alamdar Bukhari over 2 years ago
- Target version changed from TBD to 8.0.0-beta1
HA Updated by Hadiqa Alamdar Bukhari over 2 years ago
Can this keyword be negated?
JF Updated by Juliana Fajardini Reichow over 2 years ago
Hadiqa Alamdar Bukhari wrote in #note-2:
Can this keyword be negated?
Answered here: https://github.com/OISF/suricata/pull/10087#discussion_r1435191583
JF Updated by Juliana Fajardini Reichow over 2 years ago
First PR version: https://github.com/OISF/suricata/pull/10087
HA Updated by Hadiqa Alamdar Bukhari over 2 years ago
- Status changed from New to In Progress
JT Updated by Jason Taylor over 2 years ago
Thanks for working on this Hadiqa! We (ET team) were wondering if it would be possible to add comparison functionality (e.g. <, >, <>) similar to urilen?
One thing that came up also was if it would be possible to allow an array of values [0, 11, 23], for example?
PA Updated by Philippe Antoine about 2 years ago
- Blocked by Bug #6281: dns: structure of query differs between "alert" and "dns" event types added
PA Updated by Philippe Antoine about 2 years ago
@Jason Taylor array of values are not supported for integers yet... :-/
JT Updated by Jason Taylor about 2 years ago
Philippe Antoine wrote in #note-8:
@Jason Taylor array of values are not supported for integers yet... :-/
Ah okay. Would the comparison options be possible?
PA Updated by Philippe Antoine about 2 years ago
- Status changed from In Progress to In Review
JF Updated by Juliana Fajardini Reichow about 2 years ago
Jason Taylor wrote in #note-9:
Philippe Antoine wrote in #note-8:
@Jason Taylor array of values are not supported for integers yet... :-/
Ah okay. Would the comparison options be possible?
The comparison options, yes :)
JF Updated by Juliana Fajardini Reichow about 2 years ago
- Status changed from In Review to Resolved
PA Updated by Philippe Antoine over 1 year ago
- Status changed from Resolved to Closed