From 5edb84fe234f47a0fedfbf9b10b49699152fe8cb Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Thu, 31 Oct 2024 15:46:35 -0600
Subject: [PATCH] eve/dns: add truncation flags for fields that are truncated
If rrname, rdata or mname are truncated, set a flag field like 'rrname_truncated: true' to indicate that the name is truncated.
Ticket: #7280
(cherry picked from commit 37f4c52b22fcdde4adf9b479cb5700f89d00768d)
---
etc/schema.json | 7 +++++++
rust/src/dns/log.rs | 19 +++++++++++++++++++
2 files changed, 26 insertions(+)
diff --git a/etc/schema.json b/etc/schema.json
index 488cf3d511..ae529a649e 100644
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -996,6 +996,9 @@
"rrname": {
"type": "string"
},
+ "rrname_truncated": {
+ "type": "boolean"
+ },
"rrtype": {
"type": "string"
},
@@ -1129,6 +1132,10 @@
"opcode": {
"description": "DNS opcode as an integer",
"type": "integer"
+ },
+ "rrname_truncated": {
+ "description": "Set to true if the rrname was too long and truncated by Suricata",
+ "type": "boolean"
}
},
"additionalProperties": false
diff --git a/rust/src/dns/log.rs b/rust/src/dns/log.rs
index f220158ed4..c92c07346c 100644
--- a/rust/src/dns/log.rs
+++ b/rust/src/dns/log.rs
@@ -399,7 +399,13 @@ fn dns_log_soa(soa: &DNSRDataSOA) -> Result {
let mut js = JsonBuilder::try_new_object()?;
js.set_string_from_bytes("mname", &soa.mname.value)?;
+ if soa.mname.flags.contains(DNSNameFlags::TRUNCATED) {
+ js.set_bool("mname_truncated", true)?;
+ }
js.set_string_from_bytes("rname", &soa.rname.value)?;
+ if soa.rname.flags.contains(DNSNameFlags::TRUNCATED) {
+ js.set_bool("rname_truncated", true)?;
+ }
js.set_uint("serial", soa.serial as u64)?;
js.set_uint("refresh", soa.refresh as u64)?;
js.set_uint("retry", soa.retry as u64)?;
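Review bot: The `rrname_truncated` property added in the first schema hunk (around line 996) carries no `description`, while the one added at line 1132 does. Suggest giving both entries the same text, `"description": "Set to true if the rrname was too long and truncated by Suricata",`, so the field is documented wherever it appears in the schema.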
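Review bot: The new `mname_truncated` and `rname_truncated` keys emitted in dns_log_soa (and `rdata_truncated` emitted in dns_log_json_answer_detail in the following hunk) have no counterpart in etc/schema.json; the diffstat shows the schema gaining only the two `rrname_truncated` entries. The object patched near schema line 1138 is declared with `"additionalProperties": false`, and if the soa and answer-detail objects are declared the same way, EVE records carrying these three flags will fail schema validation. Add `mname_truncated`, `rname_truncated` and `rdata_truncated` as boolean properties to the matching schema objects, each with a description in the style of the one at line 1132. dns_log_soa's body continues past the end of this hunk.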
@@ -444,6 +450,9 @@ fn dns_log_json_answer_detail(answer: &DNSAnswerEntry) -> Result Result { jsa.set_string_from_bytes("rdata", &name.value)?;
+ if name.flags.contains(DNSNameFlags::TRUNCATED) {
+ jsa.set_bool("rdata_truncated", true)?;
+ }
}
DNSRData::TXT(bytes) | DNSRData::NULL(bytes) => {
jsa.set_string_from_bytes("rdata", bytes)?;
@@ -506,6 +518,9 @@ fn dns_log_json_answer(
if let Some(query) = response.queries.first() {
js.set_string_from_bytes("rrname", &query.name.value)?;
+ if query.name.flags.contains(DNSNameFlags::TRUNCATED) {
+ js.set_bool("rrname_truncated", true)?;
+ }
js.set_string("rrtype", &dns_rrtype_string(query.rrtype))?;
}
js.set_string("rcode", &dns_rcode_string(header.flags))?;
@@ -532,6 +547,7 @@ fn dns_log_json_answer(
| DNSRData::MX(name)
| DNSRData::NS(name)
| DNSRData::PTR(name) => {
+ // Flags like truncated not logged here as it would break the schema.
if !answer_types.contains_key(&type_string) {
answer_types
.insert(type_string.to_string(), JsonBuilder::try_new_array()?);
@@ -620,6 +636,9 @@ fn dns_log_query(
jb.set_string("type", "query")?;
jb.set_uint("id", request.header.tx_id as u64)?;
jb.set_string_from_bytes("rrname", &query.name.value)?;
+ if query.name.flags.contains(DNSNameFlags::TRUNCATED) {
+ jb.set_bool("rrname_truncated", true)?;
+ }
jb.set_string("rrtype", &dns_rrtype_string(query.rrtype))?;
jb.set_uint("tx_id", tx.id - 1)?;
if request.header.flags & 0x0040 != 0 {
--
2.47.2
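Review bot: The check-and-set pair `if <name>.flags.contains(DNSNameFlags::TRUNCATED) { <builder>.set_bool("<key>_truncated", true)?; }` is now written out five times across dns_log_soa, dns_log_json_answer_detail, dns_log_json_answer and dns_log_query, differing only in the builder, the flags and the key. A small helper taking the builder, the key and the flags value, and returning the same `Result` type the callers use so `?` still applies, would keep the key naming and the emit-only-when-true rule in one place; the call in this hunk would become `log_truncated_flag(&mut js, "rrname_truncated", query.name.flags)?;`, and the dns_log_query hunk would use `jb` the same way. If `DNSNameFlags` is a bitflags type it is `Copy`, otherwise pass it by reference. dns_log_json_answer starts and ends outside this hunk.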
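Review bot: The comment `// Flags like truncated not logged here as it would break the schema.` in the second dns_log_json_answer hunk says what is skipped but not why this branch differs from the detailed answer path. The visible code collects rdata into a per-rrtype array created with `JsonBuilder::try_new_array()`, which suggests the entries are bare strings with no object to attach a flag to; if that is the case, say so: `// Grouped answers are plain rdata strings per rrtype, so there is no per-name object to carry a truncated flag; dns_log_json_answer_detail emits the flagged form.` Consumers of the grouped form then know they cannot distinguish a truncated name from a complete one there and should read the detailed output when that matters. dns_log_json_answer continues outside this hunk.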