I want to get DNS query logs with data.event.type=alert and not dns.
Is this possible?
You would have to write a signature to do that, but you might miss some details in the alert that you only see in the event type dns. What is the reason for that request?
The reason for this is a client request and better filtering.
You can use the flow_id and correlate the two events with each other in your filter; that's the correct way to do it.
You could do this in custom post-processing I suppose, but in the scope of Suricata, alert and dns types are quite different events.
The number of logs for a particular event when filtered using event.type=alert and flow_id is very small compared to when filtered using event.type=dns.
Can you describe a bit more how you filter and ideally some examples?
In the syslog collector, when filtering using data.event_type=alert with flow.id 'exists' and data.app_proto=dns, the DNS-related logs do not have enough fields (for example dns.rrtype, rrname, query.id, etc.) compared to the logs shown when filtered using data.event_type=dns.
You want to filter in a different way:
- Check for the alert event type and the alert you want to look into
- Use the flow_id value seen there and search for the dns event type that has the same flow_id
With that you have several events that directly relate to each other
An example is here: 17.1.2. Eve JSON Format — Suricata 8.0.0-dev documentation, where you have an alert and the flow_id is used to get even more context through all the other events.
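The correlation described above, as an added example that is not part of the original thread or of Suricata itself: it reads EVE JSON lines, indexes the dns events by flow_id, and attaches them to each alert on the same flow. The sample lines, the flow_id values and the signature_id 9000001 are constructed for the demonstration.

```python
import json
from collections import defaultdict

# Constructed sample EVE JSON lines (not a real capture): an alert that fired on
# a DNS flow, the dns query/answer events Suricata logs for that same flow_id,
# and an unrelated dns event on a different flow.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","flow_id":1111,"event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","app_proto":"dns","dns":{"type":"query","id":42,"rrname":"example.test","rrtype":"A"}}
{"timestamp":"2024-01-01T10:00:00.001000+0000","flow_id":1111,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","app_proto":"dns","alert":{"signature_id":9000001,"signature":"CONSTRUCTED example DNS alert","severity":2}}
{"timestamp":"2024-01-01T10:00:00.002000+0000","flow_id":1111,"event_type":"dns","src_ip":"10.0.0.53","dest_ip":"10.0.0.5","app_proto":"dns","dns":{"type":"answer","id":42,"rrname":"example.test","rrtype":"A","rcode":"NOERROR"}}
{"timestamp":"2024-01-01T10:00:01.000000+0000","flow_id":2222,"event_type":"dns","src_ip":"10.0.0.6","dest_ip":"10.0.0.53","app_proto":"dns","dns":{"type":"query","id":7,"rrname":"other.test","rrtype":"AAAA"}}
"""


def parse_eve(text):
    """Parse newline-delimited EVE JSON, skipping blank or truncated lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a partially written line at the end of a rotated log
    return events


def correlate_alerts_with_dns(events):
    """For every alert event, collect the dns events sharing its flow_id."""
    dns_by_flow = defaultdict(list)
    for ev in events:
        if ev.get("event_type") == "dns" and "flow_id" in ev:
            dns_by_flow[ev["flow_id"]].append(ev)
    result = []
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        fid = ev.get("flow_id")
        alert = ev.get("alert", {})
        result.append({
            "flow_id": fid,
            "signature_id": alert.get("signature_id"),
            "signature": alert.get("signature"),
            # the dns sub-objects carry rrname, rrtype, id, rcode etc.
            "dns": [d["dns"] for d in dns_by_flow.get(fid, [])],
        })
    return result


if __name__ == "__main__":
    for item in correlate_alerts_with_dns(parse_eve(SAMPLE_EVE)):
        print(json.dumps(item, indent=2))
```

Run it against a real eve.json by replacing SAMPLE_EVE with the file contents; alerts on flows that produced no dns event come back with an empty dns list.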
Is it possible to provide custom rules that can trigger DNS logs with event.type=alert?