Project

General

Custom queries

Profile

Actions
Copy link

Feature #6621

closed

Task #4772: tracking: parity between fields logged and fields available for detection

Feature #5642: DNS: parity between log fields and detection

dns: add keyword for dns rcode: dns.rcode

Added by Jason Ish over 1 year ago. Updated 4 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Hadiqa Alamdar Bukhari
Target version:
8.0.0-beta1
Effort:
Difficulty:
Label:

Description

DNS records log the rcode, but it is not available for detection. For example:

{
    "@timestamp": "2023-12-11T17:31:16.621Z",
    "community_id": "1:wQg9tR3nlxBAH4VrGg6YGsAa6AA=",
    "dest_ip": "10.16.1.1",
    "dest_port": 53,
    "dns": {
        "answers": [
            {
                "rdata": "l-0007.l-msedge.net",
                "rrname": "config-edge-skype.l-0007.l-msedge.net",
                "rrtype": "CNAME",
                "ttl": 152
            }
        ],
        "flags": "8180",
        "id": 49242,
        "opcode": 0,
        "qr": true,
        "ra": true,
        "rcode": "NOERROR",
        "rd": true,
        "rrname": "config.edge.skype.com",
        "rrtype": "HTTPS",
        "type": "answer",
        "version": 2
    },
    "event_type": "dns",
}

The dns.opcode keyword should be a good starter for the rcode as both are present in the header as integers. Even though we long to string representation of the rcode, the keyword should probably first start by accepting the integer value, then maybe we could add string representations after.

Related issues 1 (0 open1 closed)

Blocked by Suricata - Bug #6281: dns: structure of query differs between "alert" and "dns" event typesClosedJason IshActions
Actions
Copy link
 #2

Updated by Hadiqa Alamdar Bukhari over 1 year ago

Can this keyword be negated?

Actions
Copy link
 #3

Updated by Juliana Fajardini Reichow over 1 year ago

Hadiqa Alamdar Bukhari wrote in #note-2:

Can this keyword be negated?

Answered here: https://github.com/OISF/suricata/pull/10087#discussion_r1435191583

Actions
Copy link
 #6

Updated by Jason Taylor about 1 year ago

Thanks for working on this Hadiqa! We (ET team) were wondering if it would be possible to add comparison functionality (e.g. <, >, <>) similar to urilen?

One thing that came up also was if it would be possible to allow an array of values [0, 11, 23], for example?

Actions
Copy link
 #8

Updated by Philippe Antoine about 1 year ago

@Jason Taylor array of values are not supported for integers yet... :-/

Actions
Copy link
 #9

Updated by Jason Taylor about 1 year ago

Philippe Antoine wrote in #note-8:

@Jason Taylor array of values are not supported for integers yet... :-/

Ah okay. Would the comparison options be possible?

Actions
Copy link
 #11

Updated by Juliana Fajardini Reichow about 1 year ago

Jason Taylor wrote in #note-9:

Philippe Antoine wrote in #note-8:

@Jason Taylor array of values are not supported for integers yet... :-/

Ah okay. Would the comparison options be possible?

The comparison options, yes :)

Actions
Copy link
 #12

Updated by Juliana Fajardini Reichow about 1 year ago

  • Status changed from In Review to Resolved
Actions
Copy link

Also available in: Atom PDF