git.ipfire.org Git - thirdparty/suricata.git/commit

author	Giuseppe Longo <glongo@stamus-networks.com>
	Wed, 2 Aug 2017 13:55:01 +0000 (15:55 +0200)
committer	Victor Julien <victor@inliniac.net>
	Wed, 14 Mar 2018 21:29:39 +0000 (22:29 +0100)
commit	756bed06a8f9d879fdd2b138a168223f3096698d
tree	db50f944a290440404b7a11244b9ca7c74e02e66	tree
parent	869b7c0e0cb3b62bb3a88f89ef90979e1d17e0bd	commit \| diff

output-json-dns: add new output formats for v2

This adds two new output formats that permits to reduce
the number of line logged for a dns answer because
actually an event is logged for each answer.
With this patch, only an event that contains all the answers
is logged.

The formats are named 'detailed' and 'grouped'.

The first format provides a list of answers with
the following fields:
- rrname
- rrdata
- ttl
- rdata

The second format provides a list of record data grouped
by their type.

The output below is an example of the formats:

{
  "timestamp": "2017-11-29T10:27:18.148282+0100",
  "flow_id": 268864910185905,
  "in_iface": "wlp2s0",
  "event_type": "dns",
  "src_ip": "192.168.1.254",
  "src_port": 53,
  "dest_ip": "192.168.1.176",
  "dest_port": 52609,
  "proto": "UDP",
  "dns": {
    "type": "answer",
    "id": 3654,
    "rcode": "NOERROR",
    "answers": [
      {
        "rrname": "wordpress.org",
        "rrtype": "A",
        "ttl": 544,
        "rdata": "66.155.40.249"
      },
      {
        "rrname": "wordpress.org",
        "rrtype": "A",
        "ttl": 544,
        "rdata": "66.155.40.250"
      }
    ],
    "grouped": {
      "A": [
        "66.155.40.249",
        "66.155.40.250"
      ]
    }
  }
}