From: Jason Ish Date: Fri, 27 Oct 2023 16:19:31 +0000 (-0600) Subject: dns/eve: use default formats if formats is empty X-Git-Tag: suricata-6.0.16~26 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F9719%2Fhead;p=thirdparty%2Fsuricata.git dns/eve: use default formats if formats is empty If the configuration field "formats" is empty, DNS response records do not have any relevant information other than that there was a response, but not much about the response. I'm pretty sure the intention here was to log the response details if no formats were provided, which is what happens when the field is commented out. So if no formats are specified, use the default of all. Bug: #6420 (cherry picked from commit a240a93b6931c94485d336cdc340e16929437a01)
---
diff --git a/src/output-json-dns.c b/src/output-json-dns.c
index 6d376c631f..3cfff270b7 100644
--- a/src/output-json-dns.c
+++ b/src/output-json-dns.c
@@ -595,15 +595,25 @@ static void JsonDnsLogInitFilters(LogDnsFileCtx *dnslog_ctx, ConfNode *conf)
 if (dnslog_ctx->flags & LOG_ANSWERS) {
 ConfNode *format;
 if ((format = ConfNodeLookupChild(conf, "formats")) != NULL) {
- dnslog_ctx->flags &= ~LOG_FORMAT_ALL;
+ uint64_t flags = 0;
 ConfNode *field;
 TAILQ_FOREACH(field, &format->head, next) {
 if (strcasecmp(field->val, "detailed") == 0) {
- dnslog_ctx->flags |= LOG_FORMAT_DETAILED;
+ flags |= LOG_FORMAT_DETAILED;
 } else if (strcasecmp(field->val, "grouped") == 0) {
- dnslog_ctx->flags |= LOG_FORMAT_GROUPED;
+ flags |= LOG_FORMAT_GROUPED;
+ } else {
+ SCLogWarning(SC_ERR_INVALID_ARGUMENT, "Invalid JSON DNS log format: %s",
+ field->val);
 }
 }
+ if (flags) {
+ dnslog_ctx->flags &= ~LOG_FORMAT_ALL;
+ dnslog_ctx->flags |= flags;
+ } else {
+ SCLogWarning(SC_ERR_INVALID_ARGUMENT,
+ "Empty EVE DNS format array, using defaults");
+ }
 } else {
 dnslog_ctx->flags |= LOG_FORMAT_ALL;
 }
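Review bot: The fallback warning in the `} else {` branch after the new `if (flags)` says the format array is empty, but that branch is also reached when every entry was rejected by the new `else` inside the TAILQ_FOREACH loop, so a configuration with only misspelled entries gets an "Invalid JSON DNS log format" warning followed by a contradictory "Empty EVE DNS format array" one. Consider `"No valid EVE DNS format specified, using defaults"` so the second message is accurate in both cases, and a short comment above `if (flags)` such as `/* nothing usable configured: keep the default of all formats */` to record the intent stated in the commit message. Separately, both `strcasecmp(field->val, ...)` and the `%s` in the added warning assume `field->val` is non-NULL; if a list entry can be a nested node rather than a scalar (not verifiable from the hunk), a `if (field->val == NULL) continue;` guard at the top of the loop body would avoid passing NULL to either. The enclosing `if (dnslog_ctx->flags & LOG_ANSWERS)` block and JsonDnsLogInitFilters itself continue outside the hunk.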