Bug #2012

Updated by Victor Julien about 7 years ago

With a minimal suricata.yaml file: 

 <pre>
 %YAML 1.1 
 --- 
 default-log-dir: . 
 outputs: 
   - eve-log: 
       enabled: yes 
       type: file 
       filename: dns.json 
       types: 
         - dns 
   - dns-log: 
       enabled: yes 
       filename: dns.log 
 </pre>

 the attached pcap will generate dns.json containing:
 <pre>
 {"timestamp":"2017-01-30T14:05:11.592025-0500","flow_id":1141428602734745,"pcap_cnt":9,"event_type":"dns","src_ip":"10.0.0.7","src_port":43212,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":41884,"rrname":"www.google.com","rrtype":"A","tx_id":0}} 
 {"timestamp":"2017-01-30T14:04:17.295571-0500","flow_id":878117039211155,"pcap_cnt":1,"event_type":"dns","src_ip":"10.0.0.7","src_port":54399,"dest_ip":"8.8.8.7","dest_port":53,"proto":"UDP","dns":{"type":"query","id":766,"rrname":"www.google.com","rrtype":"A","tx_id":0}} 
 {"timestamp":"2017-01-30T14:04:34.511740-0500","flow_id":667466074345212,"pcap_cnt":4,"event_type":"dns","src_ip":"10.0.0.7","src_port":53500,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":36059,"rrname":"www.google.com","rrtype":"A","tx_id":0}} 
 {"timestamp":"2017-01-30T14:05:11.607615-0500","flow_id":1141428602734745,"pcap_cnt":10,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.0.0.7","dest_port":43212,"proto":"UDP","dns":{"type":"answer","id":41884,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":202,"rdata":"172.217.1.196"}} 
 {"timestamp":"2017-01-30T14:04:34.525369-0500","flow_id":667466074345212,"pcap_cnt":5,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.0.0.7","dest_port":53500,"proto":"UDP","dns":{"type":"answer","id":36059,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":87,"rdata":"172.217.1.196"}} 
 {"timestamp":"2017-01-30T14:04:36.042150-0500","flow_id":2008599677412518,"pcap_cnt":6,"event_type":"dns","src_ip":"10.0.0.7","src_port":41743,"dest_ip":"8.8.8.7","dest_port":53,"proto":"UDP","dns":{"type":"query","id":20578,"rrname":"www.google.com","rrtype":"A","tx_id":0}} 
 </pre> 

 and dns.log containing: 

 <pre>
 01/30/2017-14:05:11.607615 [**] Query TX a39c [**] www.google.com [**] A [**] 10.0.0.7:43212 -> 8.8.8.8:53 
 01/30/2017-14:04:34.525369 [**] Query TX 8cdb [**] www.google.com [**] A [**] 10.0.0.7:53500 -> 8.8.8.8:53 
 01/30/2017-14:04:34.525369 [**] Response TX 8cdb [**] Recursion Desired [**] 8.8.8.8:53 -> 10.0.0.7:53500 
 01/30/2017-14:05:11.607615 [**] Response TX a39c [**] Recursion Desired [**] 8.8.8.8:53 -> 10.0.0.7:43212 
 01/30/2017-14:04:34.525369 [**] Response TX 8cdb [**] www.google.com [**] A [**] TTL 87 [**] 172.217.1.196 [**] 8.8.8.8:53 -> 10.0.0.7:53500 
 01/30/2017-14:05:11.607615 [**] Response TX a39c [**] www.google.com [**] A [**] TTL 202 [**] 172.217.1.196 [**] 8.8.8.8:53 -> 10.0.0.7:43212 
 </pre>

 Note that the queries to IP 8.8.8.7 do not appear in dns.log but do appear in dns.json. Ideally dns.log would also include those queries.
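
A cross-check for the discrepancy described above, as an added example (not part of the original report and not Suricata code): it lists the EVE DNS queries that have no matching Query line in dns.log. The sample data is trimmed from the records shown above, and the function names are hypothetical.

```python
import json
import re

# Trimmed copies of the dns.json / dns.log records shown above (unused fields dropped).
EVE_SAMPLE = """\
{"event_type":"dns","src_ip":"10.0.0.7","src_port":43212,"dest_ip":"8.8.8.8","dest_port":53,"dns":{"type":"query","id":41884,"rrname":"www.google.com"}}
{"event_type":"dns","src_ip":"10.0.0.7","src_port":54399,"dest_ip":"8.8.8.7","dest_port":53,"dns":{"type":"query","id":766,"rrname":"www.google.com"}}
{"event_type":"dns","src_ip":"10.0.0.7","src_port":53500,"dest_ip":"8.8.8.8","dest_port":53,"dns":{"type":"query","id":36059,"rrname":"www.google.com"}}
{"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"10.0.0.7","dest_port":43212,"dns":{"type":"answer","id":41884,"rrname":"www.google.com"}}
{"event_type":"dns","src_ip":"10.0.0.7","src_port":41743,"dest_ip":"8.8.8.7","dest_port":53,"dns":{"type":"query","id":20578,"rrname":"www.google.com"}}
"""
DNSLOG_SAMPLE = """\
01/30/2017-14:05:11.607615 [**] Query TX a39c [**] www.google.com [**] A [**] 10.0.0.7:43212 -> 8.8.8.8:53
01/30/2017-14:04:34.525369 [**] Query TX 8cdb [**] www.google.com [**] A [**] 10.0.0.7:53500 -> 8.8.8.8:53
"""

# In the records above, the dns.log TX value is the DNS id in hex (a39c == 41884).
QUERY_RE = re.compile(r"\[\*\*\] Query TX ([0-9a-f]+) \[\*\*\].* (\S+):(\d+) -> (\S+):(\d+)\s*$")

def dnslog_queries(text):
    """Return {(dns_id, src_ip, src_port, dest_ip, dest_port)} for each Query line in dns.log."""
    keys = set()
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            tx, src, sport, dst, dport = m.groups()
            keys.add((int(tx, 16), src, int(sport), dst, int(dport)))
    return keys

def eve_queries_missing_from_dnslog(eve_text, dnslog_text):
    """List EVE DNS query events that have no matching Query line in dns.log."""
    logged = dnslog_queries(dnslog_text)
    missing = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        dns = ev.get("dns", {})
        if ev.get("event_type") != "dns" or dns.get("type") != "query":
            continue  # answers and non-DNS events are not compared
        key = (dns["id"], ev["src_ip"], ev["src_port"], ev["dest_ip"], ev["dest_port"])
        if key not in logged:
            missing.append(ev)
    return missing

if __name__ == "__main__":
    for ev in eve_queries_missing_from_dnslog(EVE_SAMPLE, DNSLOG_SAMPLE):
        print(ev["dest_ip"], ev["dns"]["id"], ev["dns"]["rrname"])
```

On the sample data this reports only the two queries sent to 8.8.8.7, the ones that never received an answer.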
