From: Philippe Antoine
Date: Wed, 9 Jul 2025 13:34:44 +0000 (+0200)
Subject: doh: do not log dns events when there is no DNS
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7be505e887795037bb1268dba584509c57d186e7;p=thirdparty%2Fsuricata.git
doh: do not log dns events when there is no DNS
Ticket: 7740
When we have a pure HTTP2 transaction (such as settings), we want to log a http event
---
diff --git a/src/output-json-dns.c b/src/output-json-dns.c
index 161268823d..ec403ff853 100644
--- a/src/output-json-dns.c
+++ b/src/output-json-dns.c
@@ -287,9 +287,15 @@ static int JsonDoh2Logger(ThreadVars *tv, void *thread_data, const Packet *p, Fl
 LogDnsLogThread *td = (LogDnsLogThread *)thread_data;
 LogDnsFileCtx *dnslog_ctx = td->dnslog_ctx;
 
+ void *tx_dns = DetectGetInnerTx(txptr, ALPROTO_DOH2, ALPROTO_DNS, STREAM_TOCLIENT);
+ if (tx_dns == NULL) {
+ tx_dns = DetectGetInnerTx(txptr, ALPROTO_DOH2, ALPROTO_DNS, STREAM_TOSERVER);
+ }
+
 /* DOH2 is always logged in flow direction, as its driven by the scope of an
 * HTTP transation */
- SCJsonBuilder *jb = CreateEveHeader(p, LOG_DIR_FLOW, "dns", NULL, dnslog_ctx->eve_ctx);
+ SCJsonBuilder *jb =
+ CreateEveHeader(p, LOG_DIR_FLOW, tx_dns ? "dns" : "http", NULL, dnslog_ctx->eve_ctx);
 
 if (unlikely(jb == NULL)) {
 return TM_ECODE_OK;
@@ -304,10 +310,6 @@ static int JsonDoh2Logger(ThreadVars *tv, void *thread_data, const Packet *p, Fl
 SCJbRestoreMark(jb, &mark);
 }
 
- void *tx_dns = DetectGetInnerTx(txptr, ALPROTO_DOH2, ALPROTO_DNS, STREAM_TOCLIENT);
- if (tx_dns == NULL) {
- tx_dns = DetectGetInnerTx(txptr, ALPROTO_DOH2, ALPROTO_DNS, STREAM_TOSERVER);
- }
 bool r2 = false;
 if (tx_dns) {
 // mix of JsonDnsLogger
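Review bot: The `tx_dns ? "dns" : "http"` argument added to the CreateEveHeader call in the first hunk changes the event type this DoH2 logger emits, but nothing in the code says so; the comment directly above it still only explains the logging direction. A line such as `/* no inner DNS tx (e.g. HTTP2 settings): emit an "http" event instead of an empty "dns" one */` above the moved lookup would make the intent visible to whoever maintains EVE consumers. The header is still built from `dnslog_ctx->eve_ctx`, so these `http` events presumably follow the dns logger's output settings rather than the http logger's; if that is intended it is worth stating in the same comment, since detection rules and SIEM filters commonly key on `event_type`. JsonDoh2Logger starts before and continues after both hunks, so whether the rest of the record is populated consistently for the `http` case cannot be confirmed from here.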