From: Jason Ish
Date: Fri, 27 Oct 2023 16:19:31 +0000 (-0600)
Subject: dns/eve: use default formats if formats is empty
X-Git-Tag: suricata-7.0.3~92
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a240a93b6931c94485d336cdc340e16929437a01;p=thirdparty%2Fsuricata.git
dns/eve: use default formats if formats is empty
If the configuration field "formats" is empty, DNS response records do not have any relevant information other than that there was a response, but not much about the response. I'm pretty sure the intention here was to log the response details if no formats were provided, which is what happens when the field is commented out. So if no formats are specified, use the default of all.
Bug: #6420
---
diff --git a/src/output-json-dns.c b/src/output-json-dns.c
index 0b6589d5c1..cd3ccac29d 100644
--- a/src/output-json-dns.c
+++ b/src/output-json-dns.c
@@ -512,15 +512,23 @@ static void JsonDnsLogInitFilters(LogDnsFileCtx *dnslog_ctx, ConfNode *conf)
 if (dnslog_ctx->flags & LOG_ANSWERS) {
 ConfNode *format;
 if ((format = ConfNodeLookupChild(conf, "formats")) != NULL) {
- dnslog_ctx->flags &= ~LOG_FORMAT_ALL;
+ uint64_t flags = 0;
 ConfNode *field;
 TAILQ_FOREACH (field, &format->head, next) {
 if (strcasecmp(field->val, "detailed") == 0) {
- dnslog_ctx->flags |= LOG_FORMAT_DETAILED;
+ flags |= LOG_FORMAT_DETAILED;
 } else if (strcasecmp(field->val, "grouped") == 0) {
- dnslog_ctx->flags |= LOG_FORMAT_GROUPED;
+ flags |= LOG_FORMAT_GROUPED;
+ } else {
+ SCLogWarning("Invalid JSON DNS log format: %s", field->val);
 }
 }
+ if (flags) {
+ dnslog_ctx->flags &= ~LOG_FORMAT_ALL;
+ dnslog_ctx->flags |= flags;
+ } else {
+ SCLogWarning("Empty EVE DNS format array, using defaults");
+ }
 } else {
 dnslog_ctx->flags |= LOG_FORMAT_ALL;
 }
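Review bot: The new `else` branch after `if (flags)` only emits a warning and leaves `dnslog_ctx->flags` untouched, so "using defaults" holds only if LOG_FORMAT_ALL was already set before this function ran, which the hunk does not show; the sibling branch for a missing `formats` node sets it explicitly, and this branch should do the same: `SCLogWarning("Empty EVE DNS format array, using defaults");` followed by `dnslog_ctx->flags |= LOG_FORMAT_ALL;`. The same branch is also reached when the array is non-empty but every entry is rejected by the new invalid-format warning, so the message "Empty EVE DNS format array" is misleading in that case; wording such as "No valid EVE DNS format specified, using defaults" would describe both situations. The `flags` local is declared as `uint64_t` while the type of `dnslog_ctx->flags` is not visible here; worth confirming they match so the `|=` does not silently truncate. JsonDnsLogInitFilters starts before this hunk and continues after it.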