From: Jason Ish Date: Thu, 31 Oct 2024 21:46:35 +0000 (-0600) Subject: eve/dns: add truncation flags for fields that are truncated X-Git-Tag: suricata-8.0.0-beta1~646 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=37f4c52b22fcdde4adf9b479cb5700f89d00768d;p=thirdparty%2Fsuricata.git eve/dns: add truncation flags for fields that are truncated If rrname, rdata or mname are truncated, set a flag field like 'rrname_truncated: true' to indicate that the name is truncated. Ticket: #7280
---
diff --git a/etc/schema.json b/etc/schema.json
index b335dc5c21..18710cda45 100644
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -1189,6 +1189,10 @@
 "opcode": {
 "description": "DNS opcode as an integer",
 "type": "integer"
+ },
+ "rrname_truncated": {
+ "description": "Set to true if the rrname was too long and truncated by Suricata",
+ "type": "boolean"
 }
 },
 "additionalProperties": false
@@ -6861,6 +6865,10 @@
 },
 "serial": {
 "type": "integer"
+ },
+ "mname_truncated": {
+ "description": "Set to true if the mname was too long and truncated by Suricata",
+ "type": "boolean"
 }
 },
 "additionalProperties": false
@@ -6885,6 +6893,14 @@
 },
 "soa": {
 "$ref": "#/$defs/dns.soa"
+ },
+ "rdata_truncated": {
+ "description": "Set to true if the rdata was too long and truncated by Suricata",
+ "type": "boolean"
+ },
+ "rrname_truncated": {
+ "description": "Set to true if the rrname was too long and truncated by Suricata",
+ "type": "boolean"
 }
 },
 "additionalProperties": false
diff --git a/rust/src/dns/log.rs b/rust/src/dns/log.rs
index c22c1082c5..6e131e3d5e 100644
--- a/rust/src/dns/log.rs
+++ b/rust/src/dns/log.rs
@@ -415,7 +415,13 @@ fn dns_log_soa(soa: &DNSRDataSOA) -> Result {
 let mut js = JsonBuilder::try_new_object()?;
 js.set_string_from_bytes("mname", &soa.mname.value)?;
+ if soa.mname.flags.contains(DNSNameFlags::TRUNCATED) {
+ js.set_bool("mname_truncated", true)?;
+ }
 js.set_string_from_bytes("rname", &soa.rname.value)?;
+ if soa.rname.flags.contains(DNSNameFlags::TRUNCATED) {
+ js.set_bool("rname_truncated", true)?;
+ }
 js.set_uint("serial", soa.serial as u64)?;
 js.set_uint("refresh", soa.refresh as u64)?;
 js.set_uint("retry", soa.retry as u64)?;
@@ -460,6 +466,9 @@ fn dns_log_json_answer_detail(answer: &DNSAnswerEntry) -> Result Result { jsa.set_string_from_bytes("rdata", &name.value)?;
+ if name.flags.contains(DNSNameFlags::TRUNCATED) {
+ jsa.set_bool("rdata_truncated", true)?;
+ }
 }
 DNSRData::TXT(bytes) | DNSRData::NULL(bytes) => {
 jsa.set_string_from_bytes("rdata", bytes)?;
@@ -528,6 +540,9 @@ fn dns_log_json_answer(
 if let Some(query) = response.queries.first() {
 js.set_string_from_bytes("rrname", &query.name.value)?;
+ if query.name.flags.contains(DNSNameFlags::TRUNCATED) {
+ js.set_bool("rrname_truncated", true)?;
+ }
 js.set_string("rrtype", &dns_rrtype_string(query.rrtype))?;
 }
 js.set_string("rcode", &dns_rcode_string(header.flags))?;
@@ -555,6 +570,7 @@ fn dns_log_json_answer(
 | DNSRData::MX(name)
 | DNSRData::NS(name)
 | DNSRData::PTR(name) => {
+ // Flags like truncated not logged here as it would break the schema.
 if !answer_types.contains_key(&type_string) {
 answer_types
 .insert(type_string.to_string(), JsonBuilder::try_new_array()?);
@@ -765,6 +781,9 @@ fn dns_log_query(
 jb.set_string("type", "query")?;
 jb.set_uint("id", request.header.tx_id as u64)?;
 jb.set_string_from_bytes("rrname", &query.name.value)?;
+ if query.name.flags.contains(DNSNameFlags::TRUNCATED) {
+ jb.set_bool("rrname_truncated", true)?;
+ }
 jb.set_string("rrtype", &dns_rrtype_string(query.rrtype))?;
 jb.set_uint("tx_id", tx.id - 1)?;
 if request.header.flags & 0x0040 != 0 {
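Review bot: The second added block in the `dns_log_soa` hunk emits `rname_truncated`, but the `dns.soa` hunk in etc/schema.json only adds `mname_truncated`, and that object is declared with `"additionalProperties": false`, so an SOA record whose rname is truncated produces an event that fails schema validation. Either add the property to the soa definition — `"rname_truncated": { "description": "Set to true if the rname was too long and truncated by Suricata", "type": "boolean" }` — or drop the rname branch; the commit message only lists rrname, rdata and mname as flagged fields. A schema test covering a long-rname SOA response would have caught the mismatch. dns_log_soa starts and ends outside the hunk.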
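Review bot: The comment added in the `@@ -555` hunk of `dns_log_json_answer` says only that logging the flag "would break the schema", which tells the next reader what not to do but not why; from the surrounding lines the grouped form appears to append each name to a per-type array created with `JsonBuilder::try_new_array()`, so there is no per-answer object to carry a boolean. Suggested wording: `// No rdata_truncated here: grouped answers are appended to a per-type array of names, so there is no per-answer object to hold the flag; the detailed answer form carries it.` It is also worth noting in the eve DNS documentation that consumers of the grouped form get no truncation signal for these names. dns_log_json_answer starts and ends outside the hunk.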
@@ -854,6 +873,9 @@ fn log_json(tx: &mut DNSTransaction, flags: u64, jb: &mut JsonBuilder) -> Result
 jb.start_object()?
 .set_string_from_bytes("rrname", &query.name.value)?
 .set_string("rrtype", &dns_rrtype_string(query.rrtype))?;
+ if query.name.flags.contains(DNSNameFlags::TRUNCATED) {
+ jb.set_bool("rrname_truncated", true)?;
+ }
 jb.close()?;
 }
 }
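Review bot: The new `if` in `log_json` is wedged between a builder chain and `jb.close()`, so `rrname` and `rrtype` are set in chained `?` style while `rrname_truncated` is a separate statement; writing the three as plain statements on `jb` (`jb.start_object()?; jb.set_string_from_bytes("rrname", &query.name.value)?; jb.set_string("rrtype", &dns_rrtype_string(query.rrtype))?;` followed by the flag check) reads uniformly. The same three-line `flags.contains(DNSNameFlags::TRUNCATED)` / `set_bool("..._truncated", true)` block now appears six times in this file (dns_log_soa, dns_log_json_answer_detail, dns_log_json_answer, dns_log_query and here); a small private helper taking the builder, the key and the name flags would keep the key spelling and the condition in one place. The schema hunks in this commit touch only the object containing `opcode`, `dns.soa` and the detailed answer object, and I cannot tell from the diff whether the per-query objects written here share one of those definitions; if they have their own definition with `"additionalProperties": false`, it needs `rrname_truncated` as well. log_json starts outside the hunk.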