Project

General

Profile

Actions
Copy link

Feature #6621

closed

Task #4772: tracking: parity between fields logged and fields available for detection

Feature #5642: DNS: parity between log fields and detection

dns: add keyword for dns rcode: dns.rcode

Added by Jason Ish almost 2 years ago. Updated 11 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Hadiqa Alamdar Bukhari
Target version:
8.0.0-beta1
Effort:
Difficulty:
Label:

Description

DNS records log the rcode, but it is not available for detection. For example:

{
    "@timestamp": "2023-12-11T17:31:16.621Z",
    "community_id": "1:wQg9tR3nlxBAH4VrGg6YGsAa6AA=",
    "dest_ip": "10.16.1.1",
    "dest_port": 53,
    "dns": {
        "answers": [
            {
                "rdata": "l-0007.l-msedge.net",
                "rrname": "config-edge-skype.l-0007.l-msedge.net",
                "rrtype": "CNAME",
                "ttl": 152
            }
        ],
        "flags": "8180",
        "id": 49242,
        "opcode": 0,
        "qr": true,
        "ra": true,
        "rcode": "NOERROR",
        "rd": true,
        "rrname": "config.edge.skype.com",
        "rrtype": "HTTPS",
        "type": "answer",
        "version": 2
    },
    "event_type": "dns",
}

The dns.opcode keyword should be a good starter for the rcode as both are present in the header as integers. Even though we long to string representation of the rcode, the keyword should probably first start by accepting the integer value, then maybe we could add string representations after.

Related issues 1 (0 open1 closed)

Blocked by Suricata - Bug #6281: dns: structure of query differs between "alert" and "dns" event typesClosedJason IshActions
Actions
Copy link

Also available in: Atom PDF