eve/dns: add truncation flags for fields that are truncated

If rrname, rdata or mname are truncated, set a flag field like
'rrname_truncated: true' to indicate that the name is truncated.

Ticket: #7280

(cherry picked from commit 37f4c52b22)
pull/12283/head
Jason Ish 12 months ago committed by Victor Julien
parent 58c41a7fa9
commit 5edb84fe23

@ -996,6 +996,9 @@
"rrname": {
"type": "string"
},
"rrname_truncated": {
"type": "boolean"
},
"rrtype": {
"type": "string"
},
@ -1129,6 +1132,10 @@
"opcode": {
"description": "DNS opcode as an integer",
"type": "integer"
},
"rrname_truncated": {
"description": "Set to true if the rrname was too long and truncated by Suricata",
"type": "boolean"
}
},
"additionalProperties": false
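Review bot: The `rrname_truncated` property added at schema line 996 (`"rrname_truncated": { "type": "boolean" }`) has no `description`, while the copy added at line 1132 carries `"Set to true if the rrname was too long and truncated by Suricata"`; the first entry should get the same description so both document the field identically. The logger changes in this commit also emit `mname_truncated`, `rname_truncated` and `rdata_truncated`, and the object closed at line 1132 declares `"additionalProperties": false`; if the objects receiving those keys are equally strict and the keys are not added in schema hunks outside this view, events carrying them will fail schema validation. Both schema objects start outside the visible hunks.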

@ -399,7 +399,13 @@ fn dns_log_soa(soa: &DNSRDataSOA) -> Result<JsonBuilder, JsonError> {
let mut js = JsonBuilder::try_new_object()?;
js.set_string_from_bytes("mname", &soa.mname.value)?;
if soa.mname.flags.contains(DNSNameFlags::TRUNCATED) {
js.set_bool("mname_truncated", true)?;
}
js.set_string_from_bytes("rname", &soa.rname.value)?;
if soa.rname.flags.contains(DNSNameFlags::TRUNCATED) {
js.set_bool("rname_truncated", true)?;
}
js.set_uint("serial", soa.serial as u64)?;
js.set_uint("refresh", soa.refresh as u64)?;
js.set_uint("retry", soa.retry as u64)?;
@ -444,6 +450,9 @@ fn dns_log_json_answer_detail(answer: &DNSAnswerEntry) -> Result<JsonBuilder, Js
let mut jsa = JsonBuilder::try_new_object()?;
jsa.set_string_from_bytes("rrname", &answer.name.value)?;
if answer.name.flags.contains(DNSNameFlags::TRUNCATED) {
jsa.set_bool("rrname_truncated", true)?;
}
jsa.set_string("rrtype", &dns_rrtype_string(answer.rrtype))?;
jsa.set_uint("ttl", answer.ttl as u64)?;
@ -453,6 +462,9 @@ fn dns_log_json_answer_detail(answer: &DNSAnswerEntry) -> Result<JsonBuilder, Js
}
DNSRData::CNAME(name) | DNSRData::MX(name) | DNSRData::NS(name) | DNSRData::PTR(name) => {
jsa.set_string_from_bytes("rdata", &name.value)?;
if name.flags.contains(DNSNameFlags::TRUNCATED) {
jsa.set_bool("rdata_truncated", true)?;
}
}
DNSRData::TXT(bytes) | DNSRData::NULL(bytes) => {
jsa.set_string_from_bytes("rdata", bytes)?;
@ -506,6 +518,9 @@ fn dns_log_json_answer(
if let Some(query) = response.queries.first() {
js.set_string_from_bytes("rrname", &query.name.value)?;
if query.name.flags.contains(DNSNameFlags::TRUNCATED) {
js.set_bool("rrname_truncated", true)?;
}
js.set_string("rrtype", &dns_rrtype_string(query.rrtype))?;
}
js.set_string("rcode", &dns_rcode_string(header.flags))?;
@ -532,6 +547,7 @@ fn dns_log_json_answer(
| DNSRData::MX(name)
| DNSRData::NS(name)
| DNSRData::PTR(name) => {
// Flags like truncated not logged here as it would break the schema.
if !answer_types.contains_key(&type_string) {
answer_types
.insert(type_string.to_string(), JsonBuilder::try_new_array()?);
@ -620,6 +636,9 @@ fn dns_log_query(
jb.set_string("type", "query")?;
jb.set_uint("id", request.header.tx_id as u64)?;
jb.set_string_from_bytes("rrname", &query.name.value)?;
if query.name.flags.contains(DNSNameFlags::TRUNCATED) {
jb.set_bool("rrname_truncated", true)?;
}
jb.set_string("rrtype", &dns_rrtype_string(query.rrtype))?;
jb.set_uint("tx_id", tx.id - 1)?;
if request.header.flags & 0x0040 != 0 {
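Review bot: The comment added in the grouped-answer hunk of `dns_log_json_answer` (`// Flags like truncated not logged here as it would break the schema.`) states the constraint but not its consequence: in the grouped output a truncated CNAME/MX/NS/PTR value is written as a plain string indistinguishable from a complete name, so a consumer of that format cannot tell the name is incomplete. I'd extend it to `// Truncation is not flagged here because the grouped format holds plain strings, so a truncated name is logged as-is; consumers that need the flag must use the detailed answer format (rdata_truncated).`. Separately, the `if ….flags.contains(DNSNameFlags::TRUNCATED) { ….set_bool("…_truncated", true)?; }` pair is repeated after every `set_string_from_bytes` across these hunks (six sites); a small helper that takes the builder, the key and the name, writes the string and then the `_truncated` flag would keep the key suffix consistent and make a missed site harder to introduce. The enclosing functions start and end outside the hunks.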
