DNS EVE Logging Changes for 8.0
Suricata 8.0 modifies the DNS logging in dns
and alert
records
to a version 3
logging format. These changes address a lack of
fidelity in alerts for DNS responses, as well as unify the format of
the dns
object accross dns
and alert
objects.
Ticket: https://redmine.openinfosecfoundation.org/issues/6281
The changes are summarized below:
DNS requests now have a type of
request
instead ofquery
.DNS responses now have a type of
response
instead ofanswer
.DNS requests will now log the queries in an array instead of logging multiple request events in the case where the request contained multiple queries. This was already done for DNS requests logged as part of an
alert
.7.0
8.0
{ "event_type": "dns", "dns": { "type": "query", "id": 0, "rrname": "www.suricata.io", "rrtype": "A", "tx_id": 0, "opcode": 0 } }
{ "event_type": "dns", "dns": { "version": 3, "type": "request", "tx_id": 0, "id": 0, "flags": "100", "rd": true, "opcode": 0, "rcode": "NOERROR", "queries": [ { "rrname": "www.suricata.io", "rrtype": "A" } ] } }
DNS responses now log the queries in a
queries
array instead of logging the firstrrname
andrrtype
directly in thedns
object.7.0
8.0
{ "event_type": "dns", "dns": { "version": 2, "type": "answer", "id": 0, "flags": "8180", "qr": true, "rd": true, "ra": true, "opcode": 0, "rrname": "www.suricata.io", "rrtype": "A", "rcode": "NOERROR", "answers": [ { "rrname": "www.suricata.io", "rrtype": "CNAME", "ttl": 3597, "rdata": "suricata.io" }, { "rrname": "suricata.io", "rrtype": "A", "ttl": 597, "rdata": "35.212.0.44" } ] } }
{ "event_type": "dns", "dns": { "version": 3, "type": "response", "tx_id": 1, "id": 0, "flags": "8180", "qr": true, "rd": true, "ra": true, "opcode": 0, "rcode": "NOERROR", "queries": [ { "rrname": "www.suricata.io", "rrtype": "A" } ], "answers": [ { "rrname": "www.suricata.io", "rrtype": "CNAME", "ttl": 3597, "rdata": "suricata.io" }, { "rrname": "suricata.io", "rrtype": "A", "ttl": 597, "rdata": "35.212.0.44" } ], } }
DNS requests logged in an alert object will now log the
answers
as an array. See above 8.0 example for the format. Thedns
object is now consistent across DNS requests and responses, as well as inalerts
.Example of alert on DNS request
7.0
8.0
{ "event_type": "alert", "dns": { "query": [ { "type": "query", "id": 0, "rrname": "www.suricata.io", "rrtype": "A", "tx_id": 0, "opcode": 0 } ] } }
{ "event_type": "alert", "dns": { "version": 3, "type": "request", "tx_id": 0, "id": 0, "flags": "100", "rd": true, "opcode": 0, "rcode": "NOERROR", "queries": [ { "rrname": "www.suricata.io", "rrtype": "A" } ] }, }
Example of alert on DNS response
7.0
8.0
{ "event_type": "alert", "dns": { "answer": { "version": 2, "type": "answer", "id": 0, "flags": "8180", "qr": true, "rd": true, "ra": true, "opcode": 0, "rrname": "www.suricata.io", "rrtype": "A", "rcode": "NOERROR" } } }
{ "event_type": "alert", "dns": { "version": 3, "type": "response", "tx_id": 1, "id": 0, "flags": "8180", "qr": true, "rd": true, "ra": true, "opcode": 0, "rcode": "NOERROR", "queries": [ { "rrname": "www.suricata.io", "rrtype": "A" ], "answers": [ { "rrname": "www.suricata.io", "rrtype": "CNAME", "ttl": 3597, "rdata": "suricata.io" }, { "rrname": "suricata.io", "rrtype": "A", "ttl": 597, "rdata": "35.212.0.44" } ] }, }