[Oisf-users] DNS answers - CNAME missing rrdata field?

[Darren Spruell]

Suricata version 2.1dev (rev fdfa184), Linux/x86_64 3.10.40

That code might be from July 2014. Using dev code at that time to take
advantage of the flow ID / transaction ID support for event
correlation.

Using dns event logging:

  - eve-log:
      enabled: yes
      type: file
      filename: eve-dns.json
      types:
        - dns


Noticing what seems like the answer events missing rrdata (RDATA)
field for CNAME records:

{"timestamp":"2015-01-07T10:37:37.093417","flow_id":61127968,"event_type":"dns","src_ip":"10.8.1.28","src_port":59650,"dest_ip":"184.26.161.67","dest_port":53,"proto":"UDP","dns":{"type":"query","id":16394,"rrname":"video.myphl17.com.edgesuite.net","rrtype":"A","tx_id":0}}
{"timestamp":"2015-01-07T10:37:37.093417","flow_id":61127968,"event_type":"dns","src_ip":"184.26.161.67","src_port":53,"dest_ip":"10.8.1.28","dest_port":59650,"proto":"UDP","dns":{"type":"answer","id":16394,"rrname":"video.myphl17.com.edgesuite.net","rrtype":"CNAME","ttl":21600}}


{"timestamp":"2015-01-07T13:45:01.544749","flow_id":309142848,"event_type":"dns","src_ip":"10.8.1.59","src_port":41215,"dest_ip":"159.45.5.52","dest_port":53,"proto":"UDP","dns":{"type":"query","id":23512,"rrname":"www.hendren-mattern.wfadv.com","rrtype":"A","tx_id":0}}

{"timestamp":"2015-01-07T13:45:01.544749","flow_id":309142848,"event_type":"dns","src_ip":"159.45.5.52","src_port":53,"dest_ip":"10.8.1.59","dest_port":41215,"proto":"UDP","dns":{"type":"answer","id":23512,"rrname":"www.hendren-mattern.wfadv.com","rrtype":"CNAME","ttl":600}}


e.g. for that second example, would expect to see a rrdata field with
data corresponding to what is seen with dig(1) for that record
(rd230.emeraldhost.net):

;; ANSWER SECTION:
www.hendren-mattern.wfadv.com. 600 IN  CNAME  rd230.emeraldhost.net.

rd230.emeraldhost.net.  3600    IN      A      199.59.138.230

rd230.emeraldhost.net.  3600    IN      A      199.59.136.230

-- 
Darren Spruell
phatbuckett at gmail.com