DNS EVE Logging Changes for 8.0
Suricata 8.0 changes the DNS logging in dns and alert records to a
version 3 logging format. These changes address a lack of fidelity in
alerts for DNS responses, and unify the format of the dns object
across dns and alert records.
Ticket: https://redmine.openinfosecfoundation.org/issues/6281
Additionally, version 3 DNS response records now use the IP address
of the responder as the src_ip rather than the address of the client,
so anything that treated src_ip in a response record as the client
(rules, dashboards, enrichment pipelines) should be reviewed. Ticket:
https://redmine.openinfosecfoundation.org/issues/6400
The changes are summarized below:
- DNS requests now have a type of "request" instead of "query".
- DNS responses now have a type of "response" instead of "answer".
- DNS requests now log the queries in a "queries" array instead of logging multiple request events when the request contained multiple queries. This was already done for DNS requests logged as part of an alert.

7.0:
{ "event_type": "dns", "dns": { "type": "query", "id": 0, "rrname": "www.suricata.io", "rrtype": "A", "tx_id": 0, "opcode": 0 } }

8.0:
{ "event_type": "dns", "dns": { "version": 3, "type": "request", "tx_id": 0, "id": 0, "flags": "100", "rd": true, "opcode": 0, "rcode": "NOERROR", "queries": [ { "rrname": "www.suricata.io", "rrtype": "A" } ] } }
- DNS responses now log the queries in a "queries" array instead of logging the first rrname and rrtype directly in the dns object.

7.0:
{ "event_type": "dns", "dns": { "version": 2, "type": "answer", "id": 0, "flags": "8180", "qr": true, "rd": true, "ra": true, "opcode": 0, "rrname": "www.suricata.io", "rrtype": "A", "rcode": "NOERROR", "answers": [ { "rrname": "www.suricata.io", "rrtype": "CNAME", "ttl": 3597, "rdata": "suricata.io" }, { "rrname": "suricata.io", "rrtype": "A", "ttl": 597, "rdata": "35.212.0.44" } ] } }

8.0:
{ "event_type": "dns", "dns": { "version": 3, "type": "response", "tx_id": 1, "id": 0, "flags": "8180", "qr": true, "rd": true, "ra": true, "opcode": 0, "rcode": "NOERROR", "queries": [ { "rrname": "www.suricata.io", "rrtype": "A" } ], "answers": [ { "rrname": "www.suricata.io", "rrtype": "CNAME", "ttl": 3597, "rdata": "suricata.io" }, { "rrname": "suricata.io", "rrtype": "A", "ttl": 597, "rdata": "35.212.0.44" } ] } }
- DNS responses logged in an alert object now include the full "answers" array; in 7.0 an alert on a response carried only the first rrname and rrtype. See the 8.0 response example above for the format.
- The dns object is now consistent across DNS requests and responses, as well as in alerts.

Example of alert on DNS request

7.0:
{ "event_type": "alert", "dns": { "query": [ { "type": "query", "id": 0, "rrname": "www.suricata.io", "rrtype": "A", "tx_id": 0, "opcode": 0 } ] } }

8.0:
{ "event_type": "alert", "dns": { "version": 3, "type": "request", "tx_id": 0, "id": 0, "flags": "100", "rd": true, "opcode": 0, "rcode": "NOERROR", "queries": [ { "rrname": "www.suricata.io", "rrtype": "A" } ] } }
Example of alert on DNS response

7.0:
{ "event_type": "alert", "dns": { "answer": { "version": 2, "type": "answer", "id": 0, "flags": "8180", "qr": true, "rd": true, "ra": true, "opcode": 0, "rrname": "www.suricata.io", "rrtype": "A", "rcode": "NOERROR" } } }

8.0:
{ "event_type": "alert", "dns": { "version": 3, "type": "response", "tx_id": 1, "id": 0, "flags": "8180", "qr": true, "rd": true, "ra": true, "opcode": 0, "rcode": "NOERROR", "queries": [ { "rrname": "www.suricata.io", "rrtype": "A" } ], "answers": [ { "rrname": "www.suricata.io", "rrtype": "CNAME", "ttl": 3597, "rdata": "suricata.io" }, { "rrname": "suricata.io", "rrtype": "A", "ttl": 597, "rdata": "35.212.0.44" } ] } }
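For teams that ingest EVE into a SIEM, the practical consequence of the changes above is that detections and dashboards keyed on dns.type being "answer", on dns.rrname, or on src_ip being the client break at upgrade time. The Python below is an added example, not part of the Suricata documentation or code base: it flattens 7.0 (version 2) and 8.0 (version 3) dns records, including the 7.0 alert wrappers dns.query[] and dns.answer{}, into one shape, flips the client/server direction only for version 3 responses, and runs a simple watch-list check over every name in the queries and answers arrays. The sample records are the JSON from this section with constructed src_ip/dest_ip values; the two-question request is also constructed.

```python
"""Version-independent view of Suricata EVE DNS records.

Added example, not Suricata's own code. Field names follow the 7.0
(version 2) and 8.0 (version 3) EVE samples in this section; the
src_ip/dest_ip values and the two-question request are constructed.
"""


def _v2_records(dns):
    """Yield (kind, record) pairs from a 7.0 dns object.

    7.0 alerts wrap requests as dns.query[] and responses as dns.answer{};
    a plain 7.0 dns event carries the fields directly in the dns object.
    """
    if isinstance(dns.get("query"), list):
        for rec in dns["query"]:
            yield "request", rec
    elif isinstance(dns.get("answer"), dict):
        yield "response", dns["answer"]
    else:
        yield ("response" if dns.get("type") == "answer" else "request"), dns


def normalize_dns(event):
    """Flatten one EVE dns or alert event into a version-independent dict."""
    dns = event.get("dns", {})
    v3 = dns.get("version") == 3
    if v3:
        kind = "response" if dns.get("type") == "response" else "request"
        queries = [(q["rrname"], q["rrtype"]) for q in dns.get("queries", [])]
        answers = [(a["rrname"], a["rrtype"], a.get("rdata")) for a in dns.get("answers", [])]
        tx_id, dns_id, rcode = dns.get("tx_id"), dns.get("id"), dns.get("rcode")
    else:
        kind, queries, answers, tx_id, dns_id, rcode = None, [], [], None, None, None
        for kind, rec in _v2_records(dns):
            # version 2 logs only the first question, as rrname/rrtype on the record
            if "rrname" in rec:
                queries.append((rec["rrname"], rec["rrtype"]))
            answers.extend((a["rrname"], a["rrtype"], a.get("rdata")) for a in rec.get("answers", []))
            tx_id = rec.get("tx_id", tx_id)
            dns_id = rec.get("id", dns_id)
            rcode = rec.get("rcode", rcode)
    # Only version 3 responses put the responder in src_ip (ticket 6400);
    # every other record keeps the client in src_ip.
    if v3 and kind == "response":
        client_ip, server_ip = event.get("dest_ip"), event.get("src_ip")
    else:
        client_ip, server_ip = event.get("src_ip"), event.get("dest_ip")
    return {"kind": kind, "tx_id": tx_id, "dns_id": dns_id, "rcode": rcode,
            "queries": queries, "answers": answers,
            "client_ip": client_ip, "server_ip": server_ip}


def names_seen(event):
    """Every name queried or answered in the record, lower-cased."""
    n = normalize_dns(event)
    return {q[0].lower() for q in n["queries"]} | {a[0].lower() for a in n["answers"]}


def matches_watchlist(event, suffixes):
    """True if any name in the record is a watch-listed domain or under one."""
    names = names_seen(event)
    return any(n == s or n.endswith("." + s) for s in suffixes for n in names)


# Constructed sample records: JSON from this section with src_ip/dest_ip added.
SAMPLE_70_ANSWER = {
    "event_type": "dns", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.53",
    "dns": {"version": 2, "type": "answer", "id": 0, "flags": "8180", "qr": True,
            "rd": True, "ra": True, "opcode": 0, "rrname": "www.suricata.io",
            "rrtype": "A", "rcode": "NOERROR",
            "answers": [{"rrname": "www.suricata.io", "rrtype": "CNAME", "ttl": 3597, "rdata": "suricata.io"},
                        {"rrname": "suricata.io", "rrtype": "A", "ttl": 597, "rdata": "35.212.0.44"}]}}
SAMPLE_80_RESPONSE = {
    "event_type": "dns", "src_ip": "10.0.0.53", "dest_ip": "10.0.0.5",  # responder is now src_ip
    "dns": {"version": 3, "type": "response", "tx_id": 1, "id": 0, "flags": "8180", "qr": True,
            "rd": True, "ra": True, "opcode": 0, "rcode": "NOERROR",
            "queries": [{"rrname": "www.suricata.io", "rrtype": "A"}],
            "answers": SAMPLE_70_ANSWER["dns"]["answers"]}}
SAMPLE_80_MULTI_REQUEST = {  # two questions in one request, logged as one event in 8.0
    "event_type": "dns", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.53",
    "dns": {"version": 3, "type": "request", "tx_id": 0, "id": 0, "flags": "100", "rd": True,
            "opcode": 0, "rcode": "NOERROR",
            "queries": [{"rrname": "www.suricata.io", "rrtype": "A"},
                        {"rrname": "www.suricata.io", "rrtype": "AAAA"}]}}
SAMPLE_70_ALERT_RESPONSE = {  # 7.0 alert on a response: no answers array at all
    "event_type": "alert", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.53",
    "dns": {"answer": {"version": 2, "type": "answer", "id": 0, "flags": "8180", "qr": True,
                       "rd": True, "ra": True, "opcode": 0, "rrname": "www.suricata.io",
                       "rrtype": "A", "rcode": "NOERROR"}}}
```

Running normalize_dns over the 7.0 alert-on-response sample returns an empty answers list, which is exactly the fidelity gap the version 3 format closes; the same call over the 8.0 response sample returns both CNAME and A records and reports 10.0.0.5 as the client even though src_ip now holds the resolver. Keep the direction flip tied to version 3 rather than to the Suricata version, since a mixed fleet during a rolling upgrade will emit both formats into the same index.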