[Oisf-users] dns parser, pcre and logging options
Justin Cinkelj
justin.cinkelj at xlab.si
Tue May 14 18:33:28 UTC 2013
I'm trying the dns parser from https://github.com/inliniac/suricata.git,
dev-dns-parser-v1.4
alert dnsudp any any -> 8.8.4.4 any (sid:5003008; pcre:"/ttrt.com/"; rev:1;)
triggers on
dig @8.8.4.4 'ttrt.com'
dig @8.8.4.4 'ttrt_com'
So I try to escape the '.', but
alert dnsudp any any -> 8.8.4.4 any (sid:5003008; pcre:"/ttrt\.com/"; rev:1;)
triggers on
dig @8.8.4.4 'ttrt\.com'
and not on
dig @8.8.4.4 'ttrt.com'
I must be missing something obvious?
In fast.log I get 'only':
05/14/2013-19:29:44.421810 [**] [1:5003005:1] (null) [**]
[Classification: (null)] [Priority: 3] {UDP} 192.168.13.3:39602 ->
8.8.4.4:53
Additional details are not shown any more (as in
https://lists.openinfosecfoundation.org/pipermail/oisf-devel/2013-April/002286.html)?
Are there some dns logging configuration options?
Justin
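The behaviour above is consistent with the pcre buffer holding the query name in DNS wire format, where each label is prefixed by its length and no literal '.' byte exists, so an unescaped '.' matches the 0x03 length byte and an escaped '\.' only matches when dig sends a literal dot inside one label. This added example (not code from the post or from Suricata) builds the wire-format question for each of the three dig commands and applies both patterns to it; that the dnsudp buffer is the raw wire name is an assumption inferred from the reported results.

```python
import re
import struct

PCRE_UNESCAPED = rb"ttrt.com"   # pcre:"/ttrt.com/"
PCRE_ESCAPED = rb"ttrt\.com"    # pcre:"/ttrt\.com/"


def encode_qname(name: str) -> bytes:
    """Encode a presentation-format name as length-prefixed wire labels.
    'ttrt.com' -> b'\\x04ttrt\\x03com\\x00'; a dig-style escaped dot
    ('ttrt\\.com') stays inside one label -> b'\\x08ttrt.com\\x00'."""
    labels = re.split(r"(?<!\\)\.", name.rstrip("."))
    out = b""
    for label in labels:
        raw = label.replace("\\.", ".").encode()
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def decode_qname(wire: bytes) -> str:
    """Turn wire labels back into dotted form (what a DNS log should show)."""
    labels, pos = [], 0
    while wire[pos]:
        n = wire[pos]
        labels.append(wire[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels)


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Constructed minimal DNS query: header, question name, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)


def rule_matches(pattern: bytes, packet: bytes) -> bool:
    """pcre-style search over the raw payload ('.' matches the 0x03 length byte)."""
    return re.search(pattern, packet) is not None


def matches_decoded(pattern: bytes, packet: bytes) -> bool:
    """The comparison a parser-aware rule wants: match against the decoded name."""
    return re.search(pattern, decode_qname(packet[12:]).encode()) is not None


if __name__ == "__main__":
    for query in ("ttrt.com", "ttrt_com", "ttrt\\.com"):
        pkt = build_query(query)
        print(query, rule_matches(PCRE_UNESCAPED, pkt), rule_matches(PCRE_ESCAPED, pkt))
```

Only matches_decoded gives the intended result, matching 'ttrt.com' but not 'ttrt_com', which is why a detection on DNS names should be applied to the parser's decoded name rather than to raw bytes.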