Feature #6621

open

Task #6597: rules keyword/output parity: improve

Feature #5642: DNS: parity between log fields and detection

dns: add keyword for dns rcode: dns.rcode

Added by Jason Ish 5 months ago. Updated about 2 months ago.

Status:
Resolved
Priority:
Normal

Description

DNS records log the rcode, but it is not available for detection. For example:

{
    "@timestamp": "2023-12-11T17:31:16.621Z",
    "community_id": "1:wQg9tR3nlxBAH4VrGg6YGsAa6AA=",
    "dest_ip": "10.16.1.1",
    "dest_port": 53,
    "dns": {
        "answers": [
            {
                "rdata": "l-0007.l-msedge.net",
                "rrname": "config-edge-skype.l-0007.l-msedge.net",
                "rrtype": "CNAME",
                "ttl": 152
            }
        ],
        "flags": "8180",
        "id": 49242,
        "opcode": 0,
        "qr": true,
        "ra": true,
        "rcode": "NOERROR",
        "rd": true,
        "rrname": "config.edge.skype.com",
        "rrtype": "HTTPS",
        "type": "answer",
        "version": 2
    },
    "event_type": "dns"
}

The dns.opcode keyword should be a good starting point for the rcode, as both are present in the header as integers. Even though we would like a string representation of the rcode, the keyword should probably start by accepting the integer value; string representations could be added later.
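The header fields in question, worked through as an added example (this is not Suricata's code and is not the implementation proposed in the ticket). It parses the 12-byte DNS header, derives the same fields the EVE "dns" record above logs (flags, opcode, qr, rd, ra, rcode), and evaluates a hypothetical dns.rcode keyword that accepts either the integer value or the RFC 1035 name, which is one step beyond the integer-only first version suggested above. The two header byte strings are constructed for the example (the first reproduces id 49242 and flags 8180 from the log), and the keyword parser, the name table and the function names are assumptions, not Suricata APIs.

```rust
// Added example, not Suricata code: DNS header parsing plus a hypothetical
// `dns.rcode` keyword that matches on the 4-bit RCODE field.

#[derive(Debug, PartialEq)]
pub struct DnsHeader {
    pub id: u16,
    pub flags: u16,
    pub qr: bool,
    pub opcode: u8,
    pub rd: bool,
    pub ra: bool,
    pub rcode: u8,
}

/// Constructed 12-byte response header: id 0xc05a (49242), flags 0x8180
/// (QR, RD, RA set; opcode 0; rcode 0 = NOERROR), qdcount 1, ancount 1.
pub const SAMPLE_NOERROR: [u8; 12] =
    [0xc0, 0x5a, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00];

/// Constructed response header with flags 0x8183 (rcode 3 = NXDOMAIN).
pub const SAMPLE_NXDOMAIN: [u8; 12] =
    [0xbe, 0xef, 0x81, 0x83, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00];

/// Parse the fixed DNS header (RFC 1035 section 4.1.1).
/// Returns None when fewer than 12 bytes are available.
pub fn parse_header(buf: &[u8]) -> Option<DnsHeader> {
    if buf.len() < 12 {
        return None;
    }
    let id = u16::from_be_bytes([buf[0], buf[1]]);
    let flags = u16::from_be_bytes([buf[2], buf[3]]);
    Some(DnsHeader {
        id,
        flags,
        qr: flags & 0x8000 != 0,             // bit 15
        opcode: ((flags >> 11) & 0x0f) as u8, // bits 11-14
        rd: flags & 0x0100 != 0,             // bit 8
        ra: flags & 0x0080 != 0,             // bit 7
        rcode: (flags & 0x000f) as u8,       // bits 0-3
    })
}

/// Flags rendered the way the EVE record shows them ("8180").
pub fn flags_hex(hdr: &DnsHeader) -> String {
    format!("{:04x}", hdr.flags)
}

/// RFC 1035 / IANA names for the header RCODE values (assumed table; EDNS
/// extended rcodes live in the OPT record and are not modelled here).
pub fn rcode_name(rcode: u8) -> Option<&'static str> {
    match rcode {
        0 => Some("NOERROR"),
        1 => Some("FORMERR"),
        2 => Some("SERVFAIL"),
        3 => Some("NXDOMAIN"),
        4 => Some("NOTIMP"),
        5 => Some("REFUSED"),
        6 => Some("YXDOMAIN"),
        7 => Some("YXRRSET"),
        8 => Some("NXRRSET"),
        9 => Some("NOTAUTH"),
        10 => Some("NOTZONE"),
        _ => None,
    }
}

/// Hypothetical `dns.rcode` keyword argument parser: accepts "3" or
/// "nxdomain" (case-insensitive) and returns the numeric rcode, or None
/// when the value is neither a 4-bit integer nor a known name.
pub fn parse_rcode_keyword(value: &str) -> Option<u8> {
    let v = value.trim();
    if let Ok(n) = v.parse::<u8>() {
        return if n <= 15 { Some(n) } else { None };
    }
    let upper = v.to_ascii_uppercase();
    (0u8..=15).find(|&c| rcode_name(c).map_or(false, |n| n == upper.as_str()))
}

/// The match itself: compare the header's rcode against the keyword value.
pub fn rcode_matches(hdr: &DnsHeader, wanted: u8) -> bool {
    hdr.rcode == wanted
}

fn main() {
    for sample in [&SAMPLE_NOERROR, &SAMPLE_NXDOMAIN] {
        let hdr = parse_header(sample).expect("12-byte header");
        println!(
            "id={} flags={} opcode={} qr={} rd={} ra={} rcode={} ({})",
            hdr.id, flags_hex(&hdr), hdr.opcode, hdr.qr, hdr.rd, hdr.ra,
            hdr.rcode, rcode_name(hdr.rcode).unwrap_or("UNKNOWN")
        );
    }
    let wanted = parse_rcode_keyword("NXDOMAIN").unwrap();
    let hdr = parse_header(&SAMPLE_NXDOMAIN).unwrap();
    println!("dns.rcode:NXDOMAIN matches -> {}", rcode_matches(&hdr, wanted));
}
```

Because the keyword resolves names to the integer before matching, a rule written as dns.rcode:3 and one written as dns.rcode:NXDOMAIN compare the same header field, which is the log/detection parity the parent feature asks for.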


Related issues (1 open, 0 closed)

Blocked by Suricata - Bug #6281: dns: structure of query differs between "alert" and "dns" event types (In Progress, Jason Ish)
