eve/dns: add truncation flags for fields that are truncated
authorJason Ish <jason.ish@oisf.net>
Thu, 31 Oct 2024 21:46:35 +0000 (15:46 -0600)
committerVictor Julien <vjulien@oisf.net>
Thu, 12 Dec 2024 08:57:48 +0000 (09:57 +0100)
If rrname, rdata, mname or rname is truncated, set a boolean flag field next to it, such as
'rrname_truncated: true', to indicate that the logged name was cut short.

Ticket: #7280

(cherry picked from commit 37f4c52b22fcdde4adf9b479cb5700f89d00768d)

etc/schema.json
rust/src/dns/log.rs

index 488cf3d511e7ab171341773c47e6fb5286170a6d..ae529a649e821ee651bc051dd2dc9d52aa677740 100644 (file)
                 "rrname": {
                     "type": "string"
                 },
+               "rrname_truncated": {
+                   "type": "boolean"
+               },
                 "rrtype": {
                     "type": "string"
                 },
                             "opcode": {
                                 "description": "DNS opcode as an integer",
                                 "type": "integer"
+                            },
+                            "rrname_truncated": {
+                                "description": "Set to true if the rrname was too long and truncated by Suricata",
+                                "type": "boolean"
                             }
                         },
                         "additionalProperties": false
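Review bot: The first `rrname_truncated` property (the one added right after `"rrname"` at the top of this section) carries no `description`, while the second addition documents the field as `Set to true if the rrname was too long and truncated by Suricata`; I'd add the same `"description"` line to the first so both schema entries explain the field. The log.rs side of this commit also emits `mname_truncated`, `rname_truncated` and `rdata_truncated`, none of which appear in the schema hunks shown here. Since the object at the end of this section is declared with `"additionalProperties": false`, any event object that can carry those keys needs them declared too, so it is worth confirming they are covered in a part of schema.json not visible on this page.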
index f220158ed46138048ccbd6a817806cc80535476d..c92c07346c6b620b4b1ff191dc690e80ef1bdf1a 100644 (file)
@@ -399,7 +399,13 @@ fn dns_log_soa(soa: &DNSRDataSOA) -> Result<JsonBuilder, JsonError> {
     let mut js = JsonBuilder::try_new_object()?;
 
     js.set_string_from_bytes("mname", &soa.mname.value)?;
+    if soa.mname.flags.contains(DNSNameFlags::TRUNCATED) {
+        js.set_bool("mname_truncated", true)?;
+    }
     js.set_string_from_bytes("rname", &soa.rname.value)?;
+    if soa.rname.flags.contains(DNSNameFlags::TRUNCATED) {
+        js.set_bool("rname_truncated", true)?;
+    }
     js.set_uint("serial", soa.serial as u64)?;
     js.set_uint("refresh", soa.refresh as u64)?;
     js.set_uint("retry", soa.retry as u64)?;
@@ -444,6 +450,9 @@ fn dns_log_json_answer_detail(answer: &DNSAnswerEntry) -> Result<JsonBuilder, Js
     let mut jsa = JsonBuilder::try_new_object()?;
 
     jsa.set_string_from_bytes("rrname", &answer.name.value)?;
+    if answer.name.flags.contains(DNSNameFlags::TRUNCATED) {
+        jsa.set_bool("rrname_truncated", true)?;
+    }
     jsa.set_string("rrtype", &dns_rrtype_string(answer.rrtype))?;
     jsa.set_uint("ttl", answer.ttl as u64)?;
 
@@ -453,6 +462,9 @@ fn dns_log_json_answer_detail(answer: &DNSAnswerEntry) -> Result<JsonBuilder, Js
         }
         DNSRData::CNAME(name) | DNSRData::MX(name) | DNSRData::NS(name) | DNSRData::PTR(name) => {
             jsa.set_string_from_bytes("rdata", &name.value)?;
+            if name.flags.contains(DNSNameFlags::TRUNCATED) {
+                jsa.set_bool("rdata_truncated", true)?;
+            }
         }
         DNSRData::TXT(bytes) | DNSRData::NULL(bytes) => {
             jsa.set_string_from_bytes("rdata", bytes)?;
@@ -506,6 +518,9 @@ fn dns_log_json_answer(
 
     if let Some(query) = response.queries.first() {
         js.set_string_from_bytes("rrname", &query.name.value)?;
+        if query.name.flags.contains(DNSNameFlags::TRUNCATED) {
+            js.set_bool("rrname_truncated", true)?;
+        }
         js.set_string("rrtype", &dns_rrtype_string(query.rrtype))?;
     }
     js.set_string("rcode", &dns_rcode_string(header.flags))?;
@@ -532,6 +547,7 @@ fn dns_log_json_answer(
                     | DNSRData::MX(name)
                     | DNSRData::NS(name)
                     | DNSRData::PTR(name) => {
+                        // Flags like truncated not logged here as it would break the schema.
                         if !answer_types.contains_key(&type_string) {
                             answer_types
                                 .insert(type_string.to_string(), JsonBuilder::try_new_array()?);
@@ -620,6 +636,9 @@ fn dns_log_query(
                 jb.set_string("type", "query")?;
                 jb.set_uint("id", request.header.tx_id as u64)?;
                 jb.set_string_from_bytes("rrname", &query.name.value)?;
+                if query.name.flags.contains(DNSNameFlags::TRUNCATED) {
+                    jb.set_bool("rrname_truncated", true)?;
+                }
                 jb.set_string("rrtype", &dns_rrtype_string(query.rrtype))?;
                 jb.set_uint("tx_id", tx.id - 1)?;
                 if request.header.flags & 0x0040 != 0 {
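Review bot: The grouped-answers arm (hunk at `@@ -532,6 +547,7 @@`, the `CNAME`/`MX`/`NS`/`PTR` branch) is now the one path where a truncated name is logged with no indicator, and the added comment only says that a flag would break the schema; for someone hunting DNS tunnelling or exfiltration, a silently shortened rdata is exactly the case they need to be able to spot. I'd have the comment state the consequence and the alternative, e.g. `// Grouped answers are arrays of plain values, so no per-name truncated flag fits the schema here; consumers that need it should use the detailed answer format (dns_log_json_answer_detail), which logs rdata_truncated.` The other five hunks repeat the same three-line `if name.flags.contains(DNSNameFlags::TRUNCATED) { js.set_bool("..._truncated", true)?; }` block immediately after each `set_string_from_bytes`; a small helper taking the builder, the key and the name struct, and writing both the value and the `<key>_truncated` flag, would keep the two from drifting apart at the next call site (the grouped arm shows how easily one of the pair is dropped). dns_log_soa, dns_log_json_answer_detail, dns_log_json_answer and dns_log_query all begin before and end after their hunks.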