[Oisf-users] Correlated DNS answers
Victor Julien
lists at inliniac.net
Sat Oct 31 21:32:46 UTC 2015
On 31-10-15 21:00, Andreas Moe wrote:
> When performing DNS queries, and having activated DNS Eve logging in
> Suricata, I see that my log holds separate log entries for each answer,
> even though they were part of the same query.
>
> 1) Is this as expected?
It's working as expected, yes.
> 2) Should this be done some other way? (In my mind) A single query
> should be logged as a single log entry, and the answer should be logged
> as a single log entry. Say with a query to google.com, and it resolves
> to 5 distinct IPs, all of these should be in one log entry?
I agree, and we have a ticket open for this
(https://redmine.openinfosecfoundation.org/issues/1198). We've not yet
been able to find a good format, so suggestions are definitely welcome.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
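Added example, not code from the thread or from Suricata: a small post-processor that folds the per-answer EVE records described above into one entry per query, keyed on flow_id plus the DNS transaction id and queried name. The field names assume the EVE DNS layout of that era (event_type "dns", a "dns" object with type/id/rrname/rrtype/ttl/rdata); the sample lines are constructed.

```python
import json

# Constructed sample: one query followed by three per-answer records for the
# same transaction, then an unrelated query/answer pair (assumed EVE DNS layout).
SAMPLE_EVE = """
{"timestamp":"2015-10-31T20:55:01.000000+0000","flow_id":1,"event_type":"dns","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.53","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4660,"rrname":"google.com","rrtype":"A","tx_id":0}}
{"timestamp":"2015-10-31T20:55:01.010000+0000","flow_id":1,"event_type":"dns","src_ip":"10.0.0.53","src_port":53,"dest_ip":"10.0.0.5","dest_port":51234,"proto":"UDP","dns":{"type":"answer","id":4660,"rrname":"google.com","rrtype":"A","ttl":299,"rdata":"172.217.16.14"}}
{"timestamp":"2015-10-31T20:55:01.010000+0000","flow_id":1,"event_type":"dns","src_ip":"10.0.0.53","src_port":53,"dest_ip":"10.0.0.5","dest_port":51234,"proto":"UDP","dns":{"type":"answer","id":4660,"rrname":"google.com","rrtype":"A","ttl":299,"rdata":"172.217.16.46"}}
{"timestamp":"2015-10-31T20:55:01.010000+0000","flow_id":1,"event_type":"dns","src_ip":"10.0.0.53","src_port":53,"dest_ip":"10.0.0.5","dest_port":51234,"proto":"UDP","dns":{"type":"answer","id":4660,"rrname":"google.com","rrtype":"A","ttl":299,"rdata":"172.217.16.78"}}
{"timestamp":"2015-10-31T20:55:02.000000+0000","flow_id":2,"event_type":"dns","src_ip":"10.0.0.5","src_port":51235,"dest_ip":"10.0.0.53","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4661,"rrname":"example.org","rrtype":"A","tx_id":0}}
{"timestamp":"2015-10-31T20:55:02.020000+0000","flow_id":2,"event_type":"dns","src_ip":"10.0.0.53","src_port":53,"dest_ip":"10.0.0.5","dest_port":51235,"proto":"UDP","dns":{"type":"answer","id":4661,"rrname":"example.org","rrtype":"A","ttl":3600,"rdata":"93.184.216.34"}}
"""


def correlate_dns(lines):
    """Merge EVE DNS records into one dict per query.

    Records are grouped on (flow_id, dns.id, dns.rrname): the flow ties the
    query to its response, the transaction id guards against id reuse inside
    a long-lived flow. Client/server addresses are taken from the query record,
    since answer records are logged in the server-to-client direction.
    """
    merged, order = {}, []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev.get("event_type") != "dns":
            continue
        d = ev["dns"]
        key = (ev.get("flow_id"), d.get("id"), d.get("rrname"))
        rec = merged.get(key)
        if rec is None:
            rec = merged[key] = {"timestamp": ev["timestamp"], "flow_id": ev.get("flow_id"),
                                 "rrname": d.get("rrname"), "query_type": None,
                                 "client": None, "server": None, "answers": []}
            order.append(key)
        if d.get("type") == "query":
            rec["query_type"] = d.get("rrtype")
            rec["client"], rec["server"] = ev.get("src_ip"), ev.get("dest_ip")
        elif d.get("type") == "answer":
            rec["answers"].append({"rrtype": d.get("rrtype"), "ttl": d.get("ttl"),
                                   "rdata": d.get("rdata")})
    return [merged[k] for k in order]


if __name__ == "__main__":
    for entry in correlate_dns(SAMPLE_EVE.splitlines()):
        print(json.dumps(entry))
```

Piped over a real eve.json this yields one line per query with all resolved addresses in the answers list, which is the shape the thread asks for.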