eve/dns: add truncation flags for fields that are truncated
authorJason Ish <jason.ish@oisf.net>
Thu, 31 Oct 2024 21:46:35 +0000 (15:46 -0600)
committerVictor Julien <vjulien@oisf.net>
Wed, 11 Dec 2024 05:49:35 +0000 (06:49 +0100)
If rrname, rdata or mname are truncated, set a flag field like
'rrname_truncated: true' to indicate that the name is truncated.

Ticket: #7280

etc/schema.json
rust/src/dns/log.rs

index b335dc5c210428471c03118b5f5fe6d1ea9b590d..18710cda4592380d006b729ee0c93e02dcefe559 100644 (file)
                             "opcode": {
                                 "description": "DNS opcode as an integer",
                                 "type": "integer"
+                            },
+                            "rrname_truncated": {
+                                "description": "Set to true if the rrname was too long and truncated by Suricata",
+                                "type": "boolean"
                             }
                         },
                         "additionalProperties": false
                 },
                 "serial": {
                     "type": "integer"
+                },
+                "mname_truncated": {
+                    "description": "Set to true if the mname was too long and truncated by Suricata",
+                    "type": "boolean"
                 }
             },
             "additionalProperties": false
                     },
                     "soa": {
                         "$ref": "#/$defs/dns.soa"
+                    },
+                    "rdata_truncated": {
+                        "description": "Set to true if the rdata was too long and truncated by Suricata",
+                        "type": "boolean"
+                    },
+                    "rrname_truncated": {
+                        "description": "Set to true if the rrname was too long and truncated by Suricata",
+                        "type": "boolean"
                     }
                 },
                 "additionalProperties": false
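Review bot: The descriptions added for `rrname_truncated`, `rdata_truncated` and `mname_truncated` do not say what a consumer should infer when the key is absent; the logger only emits the key when the name's TRUNCATED flag is set, so absence means "not truncated" and the value is never written as `false`. Spell that out so validators and downstream rules do not test for `== false`: `"description": "Set to true if the rrname was too long and was truncated by Suricata; the field is omitted when no truncation occurred"`. The same wording fits the other additions in this file.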
index c22c1082c5650902e7b84ec5ee707a615b6ca263..6e131e3d5e715515c4b63145d0ff898524698699 100644 (file)
@@ -415,7 +415,13 @@ fn dns_log_soa(soa: &DNSRDataSOA) -> Result<JsonBuilder, JsonError> {
     let mut js = JsonBuilder::try_new_object()?;
 
     js.set_string_from_bytes("mname", &soa.mname.value)?;
+    if soa.mname.flags.contains(DNSNameFlags::TRUNCATED) {
+        js.set_bool("mname_truncated", true)?;
+    }
     js.set_string_from_bytes("rname", &soa.rname.value)?;
+    if soa.rname.flags.contains(DNSNameFlags::TRUNCATED) {
+        js.set_bool("rname_truncated", true)?;
+    }
     js.set_uint("serial", soa.serial as u64)?;
     js.set_uint("refresh", soa.refresh as u64)?;
     js.set_uint("retry", soa.retry as u64)?;
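Review bot: `dns_log_soa` now also emits `rname_truncated` (the check after `rname`), but neither the commit description nor the visible schema hunk for the soa object mentions it — that hunk adds only `mname_truncated` beneath `serial`, and the object is `additionalProperties: false`, so an SOA whose rname was truncated would produce a record that fails schema validation unless `rname_truncated` is added elsewhere. Add the matching entry next to `mname_truncated`, `"rname_truncated": {"description": "Set to true if the rname was too long and truncated by Suricata", "type": "boolean"}`, and list rname in the commit message alongside rrname, rdata and mname. The rest of `dns_log_soa` lies outside the hunk.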
@@ -460,6 +466,9 @@ fn dns_log_json_answer_detail(answer: &DNSAnswerEntry) -> Result<JsonBuilder, Js
     let mut jsa = JsonBuilder::try_new_object()?;
 
     jsa.set_string_from_bytes("rrname", &answer.name.value)?;
+    if answer.name.flags.contains(DNSNameFlags::TRUNCATED) {
+        jsa.set_bool("rrname_truncated", true)?;
+    }
     jsa.set_string("rrtype", &dns_rrtype_string(answer.rrtype))?;
     jsa.set_uint("ttl", answer.ttl as u64)?;
 
@@ -469,6 +478,9 @@ fn dns_log_json_answer_detail(answer: &DNSAnswerEntry) -> Result<JsonBuilder, Js
         }
         DNSRData::CNAME(name) | DNSRData::MX(name) | DNSRData::NS(name) | DNSRData::PTR(name) => {
             jsa.set_string_from_bytes("rdata", &name.value)?;
+            if name.flags.contains(DNSNameFlags::TRUNCATED) {
+                jsa.set_bool("rdata_truncated", true)?;
+            }
         }
         DNSRData::TXT(bytes) | DNSRData::NULL(bytes) => {
             jsa.set_string_from_bytes("rdata", bytes)?;
@@ -528,6 +540,9 @@ fn dns_log_json_answer(
 
     if let Some(query) = response.queries.first() {
         js.set_string_from_bytes("rrname", &query.name.value)?;
+        if query.name.flags.contains(DNSNameFlags::TRUNCATED) {
+            js.set_bool("rrname_truncated", true)?;
+        }
         js.set_string("rrtype", &dns_rrtype_string(query.rrtype))?;
     }
     js.set_string("rcode", &dns_rcode_string(header.flags))?;
@@ -555,6 +570,7 @@ fn dns_log_json_answer(
                     | DNSRData::MX(name)
                     | DNSRData::NS(name)
                     | DNSRData::PTR(name) => {
+                        // Flags like truncated not logged here as it would break the schema.
                         if !answer_types.contains_key(&type_string) {
                             answer_types
                                 .insert(type_string.to_string(), JsonBuilder::try_new_array()?);
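Review bot: The comment `// Flags like truncated not logged here as it would break the schema.` states a constraint without telling the reader where truncation can still be detected, and a name long enough to be truncated is exactly the kind of DNS payload an analyst wants flagged. Suggest expanding it to `// Truncation flags are not emitted in this grouped form: the per-type arrays appear to hold bare strings, so a flag would break the schema. The query-level rrname_truncated above and the detailed answer format (dns_log_json_answer_detail) do carry them.` The enclosing `dns_log_json_answer` starts and ends outside the hunk.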
@@ -765,6 +781,9 @@ fn dns_log_query(
                 jb.set_string("type", "query")?;
                 jb.set_uint("id", request.header.tx_id as u64)?;
                 jb.set_string_from_bytes("rrname", &query.name.value)?;
+                if query.name.flags.contains(DNSNameFlags::TRUNCATED) {
+                    jb.set_bool("rrname_truncated", true)?;
+                }
                 jb.set_string("rrtype", &dns_rrtype_string(query.rrtype))?;
                 jb.set_uint("tx_id", tx.id - 1)?;
                 if request.header.flags & 0x0040 != 0 {
@@ -854,6 +873,9 @@ fn log_json(tx: &mut DNSTransaction, flags: u64, jb: &mut JsonBuilder) -> Result
                 jb.start_object()?
                     .set_string_from_bytes("rrname", &query.name.value)?
                     .set_string("rrtype", &dns_rrtype_string(query.rrtype))?;
+                if query.name.flags.contains(DNSNameFlags::TRUNCATED) {
+                    jb.set_bool("rrname_truncated", true)?;
+                }
                 jb.close()?;
             }
         }