"opcode": {
"description": "DNS opcode as an integer",
"type": "integer"
+ },
+ "rrname_truncated": {
+ "description": "Set to true if the rrname was too long and truncated by Suricata",
+ "type": "boolean"
}
},
"additionalProperties": false
},
"serial": {
"type": "integer"
+ },
+ "mname_truncated": {
+ "description": "Set to true if the mname was too long and truncated by Suricata",
+ "type": "boolean"
}
},
"additionalProperties": false
},
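Review bot: The `dns.soa` properties gain only `mname_truncated` in this hunk, while the SOA logger later in this diff also emits `rname_truncated` when the rname carries the TRUNCATED flag. Because the object is closed with `"additionalProperties": false`, an event with a truncated rname would fail schema validation unless that key is declared in a part of `dns.soa` outside this hunk. If it is not, add the sibling entry next to this one: `"rname_truncated": { "description": "Set to true if the rname was too long and truncated by Suricata", "type": "boolean" }`. A validation test with an SOA record whose rname exceeds the length limit would catch this kind of drift between the logger and the schema.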
"soa": {
"$ref": "#/$defs/dns.soa"
+ },
+ "rdata_truncated": {
+ "description": "Set to true if the rdata was too long and truncated by Suricata",
+ "type": "boolean"
+ },
+ "rrname_truncated": {
+ "description": "Set to true if the rrname was too long and truncated by Suricata",
+ "type": "boolean"
}
},
"additionalProperties": false
let mut js = JsonBuilder::try_new_object()?;
js.set_string_from_bytes("mname", &soa.mname.value)?;
+ if soa.mname.flags.contains(DNSNameFlags::TRUNCATED) {
+ js.set_bool("mname_truncated", true)?;
+ }
js.set_string_from_bytes("rname", &soa.rname.value)?;
+ if soa.rname.flags.contains(DNSNameFlags::TRUNCATED) {
+ js.set_bool("rname_truncated", true)?;
+ }
js.set_uint("serial", soa.serial as u64)?;
js.set_uint("refresh", soa.refresh as u64)?;
js.set_uint("retry", soa.retry as u64)?;
let mut jsa = JsonBuilder::try_new_object()?;
jsa.set_string_from_bytes("rrname", &answer.name.value)?;
+ if answer.name.flags.contains(DNSNameFlags::TRUNCATED) {
+ jsa.set_bool("rrname_truncated", true)?;
+ }
jsa.set_string("rrtype", &dns_rrtype_string(answer.rrtype))?;
jsa.set_uint("ttl", answer.ttl as u64)?;
}
DNSRData::CNAME(name) | DNSRData::MX(name) | DNSRData::NS(name) | DNSRData::PTR(name) => {
jsa.set_string_from_bytes("rdata", &name.value)?;
+ if name.flags.contains(DNSNameFlags::TRUNCATED) {
+ jsa.set_bool("rdata_truncated", true)?;
+ }
}
DNSRData::TXT(bytes) | DNSRData::NULL(bytes) => {
jsa.set_string_from_bytes("rdata", bytes)?;
if let Some(query) = response.queries.first() {
js.set_string_from_bytes("rrname", &query.name.value)?;
+ if query.name.flags.contains(DNSNameFlags::TRUNCATED) {
+ js.set_bool("rrname_truncated", true)?;
+ }
js.set_string("rrtype", &dns_rrtype_string(query.rrtype))?;
}
js.set_string("rcode", &dns_rcode_string(header.flags))?;
| DNSRData::MX(name)
| DNSRData::NS(name)
| DNSRData::PTR(name) => {
+ // Flags like truncated not logged here as it would break the schema.
if !answer_types.contains_key(&type_string) {
answer_types
.insert(type_string.to_string(), JsonBuilder::try_new_array()?);
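Review bot: The comment added in the CNAME/MX/NS/PTR arm records that truncation is not logged on this path, but not what that means for consumers of the output. A name shortened by the parser appears here as an ordinary value, so a rule or IoC lookup matching on it compares against a prefix without knowing it. I would spell that out in the comment, for example `// Truncation flags are not logged in this grouped output because the schema has no field for them; a truncated name appears as a normal value. The per-answer logging carries rdata_truncated.` It also seems worth repeating the caveat in the user-facing output documentation, which is not visible in this diff. The enclosing match arm and function start and end outside the hunk.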
jb.set_string("type", "query")?;
jb.set_uint("id", request.header.tx_id as u64)?;
jb.set_string_from_bytes("rrname", &query.name.value)?;
+ if query.name.flags.contains(DNSNameFlags::TRUNCATED) {
+ jb.set_bool("rrname_truncated", true)?;
+ }
jb.set_string("rrtype", &dns_rrtype_string(query.rrtype))?;
jb.set_uint("tx_id", tx.id - 1)?;
if request.header.flags & 0x0040 != 0 {
jb.start_object()?
.set_string_from_bytes("rrname", &query.name.value)?
.set_string("rrtype", &dns_rrtype_string(query.rrtype))?;
+ if query.name.flags.contains(DNSNameFlags::TRUNCATED) {
+ jb.set_bool("rrname_truncated", true)?;
+ }
jb.close()?;
}
}