From b0e8b6fb0744b4587c23b27e8faa4aa302a66637 Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Fri, 27 Oct 2023 10:19:31 -0600
Subject: [PATCH] dns/eve: use default formats if formats is empty
If the configuration field "formats" is empty, DNS response records do not have any relevant information other than that there was a response, but not much about the response. I'm pretty sure the intention here was to log the response details if no formats were provided, which is what happens when the field is commented out. So if no formats are specified, use the default of all.
Bug: #6420
(cherry picked from commit a240a93b6931c94485d336cdc340e16929437a01)
---
src/output-json-dns.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/output-json-dns.c b/src/output-json-dns.c
index 6d376c631f..3cfff270b7 100644
--- a/src/output-json-dns.c
+++ b/src/output-json-dns.c
@@ -595,15 +595,25 @@ static void JsonDnsLogInitFilters(LogDnsFileCtx *dnslog_ctx, ConfNode *conf)
 if (dnslog_ctx->flags & LOG_ANSWERS) {
 ConfNode *format;
 if ((format = ConfNodeLookupChild(conf, "formats")) != NULL) {
- dnslog_ctx->flags &= ~LOG_FORMAT_ALL;
+ uint64_t flags = 0;
 ConfNode *field;
 TAILQ_FOREACH(field, &format->head, next) {
 if (strcasecmp(field->val, "detailed") == 0) {
- dnslog_ctx->flags |= LOG_FORMAT_DETAILED;
+ flags |= LOG_FORMAT_DETAILED;
 } else if (strcasecmp(field->val, "grouped") == 0) {
- dnslog_ctx->flags |= LOG_FORMAT_GROUPED;
+ flags |= LOG_FORMAT_GROUPED;
+ } else {
+ SCLogWarning(SC_ERR_INVALID_ARGUMENT, "Invalid JSON DNS log format: %s", field->val); } }
+ if (flags) {
+ dnslog_ctx->flags &= ~LOG_FORMAT_ALL;
+ dnslog_ctx->flags |= flags;
+ } else {
+ SCLogWarning(SC_ERR_INVALID_ARGUMENT, "Empty EVE DNS format array, using defaults"); } } else {
 dnslog_ctx->flags |= LOG_FORMAT_ALL;
 }
-- 
2.47.2
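Review bot: The new `else` branch taken when no valid format name was collected only logs "using defaults" and never sets `LOG_FORMAT_ALL`; it relies on the caller having pre-set that bit, which the removed unconditional `&= ~LOG_FORMAT_ALL` suggests but this hunk does not show. Making the fallback explicit with `dnslog_ctx->flags |= LOG_FORMAT_ALL;` beside the warning mirrors the outer `else` at the end of the hunk and keeps the logged message truthful even if the initialisation elsewhere changes. A list containing only unrecognised names reaches the same branch after the per-entry "Invalid JSON DNS log format" warning, so the "Empty EVE DNS format array" text is misleading in that case; wording such as `"No valid EVE DNS formats configured, using defaults"` covers both. JsonDnsLogInitFilters begins before this hunk, so the initial value of `dnslog_ctx->flags` and the type it is declared with (the new local is `uint64_t`) could not be checked here.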