From: Jason Ish Date: Thu, 5 Jun 2025 15:20:08 +0000 (-0600) Subject: dns: log addresses in order of packet X-Git-Tag: suricata-8.0.0-rc1~125 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f7a05f1e8e6d84cf285fd97dcd9c8e168ac5daa8;p=thirdparty%2Fsuricata.git dns: log addresses in order of packet DNS logs have always been logged in flow direction, this can be confusing as DNS responses have a src_ip of the client, but it makes more sense to have the src_ip for the server, as that is the src_ip of the response packet. As this is a breaking change, limit it DNS v3 logging which was introduced, and is the default for Suricata 8.0. Ticket: #6400
---
diff --git a/src/output-json-dns.c b/src/output-json-dns.c
index 2fe5b8eee6..1da90a51c7 100644
--- a/src/output-json-dns.c
+++ b/src/output-json-dns.c
@@ -33,6 +33,7 @@
 #include "util-mem.h"
 #include "app-layer-parser.h"
 #include "output.h"
+#include "decode.h"
 #include "output-json.h"
 #include "output-json-dns.h"
@@ -286,6 +287,8 @@ static int JsonDoh2Logger(ThreadVars *tv, void *thread_data, const Packet *p, Fl
 LogDnsLogThread *td = (LogDnsLogThread *)thread_data;
 LogDnsFileCtx *dnslog_ctx = td->dnslog_ctx;
+ /* DOH2 is always logged in flow direction, as its driven by the scope of an
+ * HTTP transation */
 SCJsonBuilder *jb = CreateEveHeader(p, LOG_DIR_FLOW, "dns", NULL, dnslog_ctx->eve_ctx);
 if (unlikely(jb == NULL)) {
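Review bot: The comment added above the `CreateEveHeader` call in JsonDoh2Logger has two typos, `its` for `it's` and `transation` for `transaction`; suggest `/* DOH2 is always logged in flow direction, as it's driven by the scope of an HTTP transaction. */`. Since this hunk keeps `LOG_DIR_FLOW` while the other hunk in this file moves UDP/TCP DNS to packet/transaction direction, it would help a log consumer if the comment also said what that means for the addresses, e.g. append ` src_ip/dest_ip therefore remain client->server even on responses.`, which follows from the commit description's own statement that flow-direction logging puts the client in src_ip for responses. JsonDoh2Logger's body starts before and continues past this hunk, and some of its context lines appear to have been collapsed in this rendering.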
@@ -426,7 +429,20 @@ static int JsonDnsLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flo
 return TM_ECODE_OK;
 }
- SCJsonBuilder *jb = CreateEveHeader(p, LOG_DIR_FLOW, "dns", NULL, dnslog_ctx->eve_ctx);
+ /* If UDP we can rely on the packet direction. */
+ enum SCOutputJsonLogDirection dir = LOG_DIR_PACKET;
+
+ /* If not UDP we have to query the transaction for direction, which
+ * could be wrong - this is a bit of a hack. */
+ if (PacketIsTCP(p)) {
+ if (SCDnsTxIsRequest(txptr)) {
+ dir = LOG_DIR_FLOW_TOSERVER;
+ } else {
+ dir = LOG_DIR_FLOW_TOCLIENT;
+ }
+ }
+
+ SCJsonBuilder *jb = CreateEveHeader(p, dir, "dns", NULL, dnslog_ctx->eve_ctx);
 if (unlikely(jb == NULL)) {
 return TM_ECODE_OK;
 }
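Review bot: The commit message limits this change to DNS v3 logging, but nothing in the hunk gates on the log version: `dir` is computed and passed to `CreateEveHeader` unconditionally, so unless the `return TM_ECODE_OK; }` at the top of the hunk closes an earlier v2 early-return (that code starts outside the hunk, so it cannot be confirmed here), v2 records would also have `src_ip` flip on responses. Suggest recording that assumption next to the declaration, `/* v2 logging has already returned above; only v3 records get packet/tx direction. */`, so the gate is not silently lost if the early return is later reworked. The comment `If UDP we can rely on the packet direction.` describes the non-TCP fallthrough while the branch actually tests `PacketIsTCP(p)`, and the TCP branch itself concedes the tx-derived direction `could be wrong`; since analysts will now correlate `src_ip` with packet captures, the comment should say what the address reflects in each case, e.g. `/* Non-TCP (UDP): assumes the tx is logged on the packet that carried it, so packet direction is used; for TCP the direction is inferred from the tx request flag and may not match the packet that triggered logging. */`. JsonDnsLogger's body starts before and continues past this hunk.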