Data.event.type= dns issue

I want to get dns query logs with data.event.type= alerts and not dns.
Is this possible?

You would have to write a signature to do that, but you might miss some details in the alert that you only see in the event type dns. What is the reason for that request?

Reason for this is due to client request and better filtering.

You can use the flow_id and correlate the two events with each other in your filter; that’s the correct way to do it.

You could do this in custom post-processing I suppose, but in the scope of Suricata, alert and dns types are quite different events.

The number of logs for a particular event when filtered using event.type= alert and flowid is very small when compared to when filtered using event.type=dns.

Can you describe a bit more how you filter and ideally some examples?

In the syslog collector, when filtering using data.event_type= alert, with flow.id ‘exists’ and data.app_proto=dns, the dns related logs do not have enough fields (for example dns.rrtype, rrname, query.id etc.) when compared to the logs shown when filtered using data.event_type= dns.

You want to filter in a different way:

  1. Check for the alert event type and the alert you want to look into
  2. Use the flow_id value seen there and search for the dns event type that has the same flow_id

With that you have several events that directly relate to each other.

An example is here: 17.1.2. Eve JSON Format — Suricata 8.0.0-dev documentation, where you have an alert and the flow_id is used to get even more context through all the other events.
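The two-step correlation described in the reply above (pick the alert, then pull every dns event with the same flow_id) carried out in Python over EVE JSON lines, as an added example that is not part of the original thread or of Suricata. The EVE lines, flow_id values, signature ids and addresses are constructed for the example; the field names (event_type, flow_id, app_proto, dns.rrname, dns.rrtype, dns.answers) follow the EVE layout the thread refers to. It shows why the alert alone is not enough: the rrname, rrtype and rdata only exist on the dns events that share the alert's flow_id.

```python
import json
from collections import defaultdict

# Constructed sample EVE JSON (not real Suricata output). Flow 1111 carries a dns
# query, an alert tagged app_proto=dns, and the dns answer; flow 2222 is dns with
# no alert; flow 3333 is an http alert with no dns events at all.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","flow_id":1111,"event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","proto":"UDP","dns":{"type":"query","id":4242,"rrname":"example.test","rrtype":"A"}}
{"timestamp":"2024-01-01T10:00:00.001000+0000","flow_id":1111,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","proto":"UDP","app_proto":"dns","alert":{"signature_id":9000001,"signature":"LOCAL DNS query to example.test","severity":2}}
{"timestamp":"2024-01-01T10:00:00.050000+0000","flow_id":1111,"event_type":"dns","src_ip":"10.0.0.53","dest_ip":"10.0.0.5","proto":"UDP","dns":{"type":"answer","id":4242,"rrname":"example.test","rcode":"NOERROR","answers":[{"rrname":"example.test","rrtype":"A","rdata":"192.0.2.10"}]}}
{"timestamp":"2024-01-01T10:00:01.000000+0000","flow_id":2222,"event_type":"dns","src_ip":"10.0.0.6","dest_ip":"10.0.0.53","proto":"UDP","dns":{"type":"query","id":7,"rrname":"other.test","rrtype":"AAAA"}}
{"timestamp":"2024-01-01T10:00:02.000000+0000","flow_id":3333,"event_type":"alert","src_ip":"10.0.0.7","dest_ip":"198.51.100.9","proto":"TCP","app_proto":"http","alert":{"signature_id":9000002,"signature":"LOCAL HTTP test","severity":3}}
"""


def parse_eve(text):
    """Parse newline-delimited EVE JSON; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def correlate_alerts_with_dns(events, signature_id=None):
    """Step 1: select alert events (optionally one signature_id only).
    Step 2: attach every dns event that shares the alert's flow_id.
    Returns {flow_id: {"alerts": [...], "dns": [...]}}, dns events in time order."""
    dns_by_flow = defaultdict(list)
    for ev in events:
        if ev.get("event_type") == "dns" and "flow_id" in ev:
            dns_by_flow[ev["flow_id"]].append(ev)

    result = {}
    for ev in events:
        if ev.get("event_type") != "alert" or "flow_id" not in ev:
            continue
        if signature_id is not None and ev.get("alert", {}).get("signature_id") != signature_id:
            continue
        fid = ev["flow_id"]
        entry = result.setdefault(fid, {"alerts": [], "dns": []})
        entry["alerts"].append(ev)
        entry["dns"] = sorted(dns_by_flow.get(fid, []), key=lambda e: e.get("timestamp", ""))
    return result


def dns_details(correlated):
    """Per alerted flow, the rrnames queried and the rdata answered: the fields
    the alert event itself does not carry."""
    summary = {}
    for fid, entry in correlated.items():
        names, rdata = set(), set()
        for ev in entry["dns"]:
            d = ev.get("dns", {})
            if "rrname" in d:
                names.add(d["rrname"])
            for ans in d.get("answers", []):
                if "rdata" in ans:
                    rdata.add(ans["rdata"])
        summary[fid] = {"rrnames": sorted(names), "rdata": sorted(rdata)}
    return summary


if __name__ == "__main__":
    corr = correlate_alerts_with_dns(parse_eve(SAMPLE_EVE))
    for fid, info in dns_details(corr).items():
        sigs = [a["alert"]["signature"] for a in corr[fid]["alerts"]]
        print(fid, sigs, info)
```

Running it prints flow 1111 with the alert's signature plus the rrname and rdata recovered from its dns events, and flow 3333 with empty dns details, which is the situation the thread describes: an alert with app_proto=dns only tells you a dns flow fired the rule, and the query fields have to come from the dns events joined on flow_id.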

Is it possible to provide custom rules that can trigger DNS logs with event.type=alert?