]> git.ipfire.org Git - thirdparty/suricata.git/commitdiff
projects / thirdparty / suricata.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 25e32f4)
dns: log addresses in order of packet
authorJason Ish <jason.ish@oisf.net>
Thu, 5 Jun 2025 15:20:08 +0000 (09:20 -0600)
committerVictor Julien <victor@inliniac.net>
Tue, 10 Jun 2025 06:36:30 +0000 (08:36 +0200)
DNS logs have always been logged in flow direction, this can be
confusing as DNS responses have a src_ip of the client, but it makes
more sense to have the src_ip for the server, as that is the src_ip of
the response packet.

As this is a breaking change, limit it DNS v3 logging which was
introduced, and is the default for Suricata 8.0.

Ticket: #6400

src/output-json-dns.c patch | blob | blame | history

diff --git a/src/output-json-dns.c b/src/output-json-dns.c
index 2fe5b8eee699e81a4fe8af2d54ce43bf92f46e4d..1da90a51c72871cdbea0cfda69ff522bf25be961 100644 (file)
--- a/src/output-json-dns.c
+++ b/src/output-json-dns.c
@@ -33,6 +33,7 @@
 #include "util-mem.h"
 #include "app-layer-parser.h"
 #include "output.h"
+#include "decode.h"
 
 #include "output-json.h"
 #include "output-json-dns.h"
@@ -286,6 +287,8 @@ static int JsonDoh2Logger(ThreadVars *tv, void *thread_data, const Packet *p, Fl
     LogDnsLogThread *td = (LogDnsLogThread *)thread_data;
     LogDnsFileCtx *dnslog_ctx = td->dnslog_ctx;
 
+    /* DOH2 is always logged in flow direction, as its driven by the scope of an
+     * HTTP transation */
     SCJsonBuilder *jb = CreateEveHeader(p, LOG_DIR_FLOW, "dns", NULL, dnslog_ctx->eve_ctx);
 
     if (unlikely(jb == NULL)) {
@@ -426,7 +429,20 @@ static int JsonDnsLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flo
             return TM_ECODE_OK;
         }
 
-        SCJsonBuilder *jb = CreateEveHeader(p, LOG_DIR_FLOW, "dns", NULL, dnslog_ctx->eve_ctx);
+        /* If UDP we can rely on the packet direction. */
+        enum SCOutputJsonLogDirection dir = LOG_DIR_PACKET;
+
+        /* If not UDP we have to query the transaction for direction, which
+         * could be wrong - this is a bit of a hack. */
+        if (PacketIsTCP(p)) {
+            if (SCDnsTxIsRequest(txptr)) {
+                dir = LOG_DIR_FLOW_TOSERVER;
+            } else {
+                dir = LOG_DIR_FLOW_TOCLIENT;
+            }
+        }
+
+        SCJsonBuilder *jb = CreateEveHeader(p, dir, "dns", NULL, dnslog_ctx->eve_ctx);
         if (unlikely(jb == NULL)) {
             return TM_ECODE_OK;
         }
Mirror of https://github.com/OISF/suricata.git