DNS App Layer Events

MiniPierre · March 30, 2020, 9:44am

Hello everyone,

I am currently doing a listing of Suricata rules for my company, and I found that the ones in dns-events.rules are using the app-layer-event field. With a bit of researches, it appears that these app-layer-events are described in the app-layer-dns.c file, which does not exists anymore. Do these rules still work, and if yes how ?

Thanks for your help

Jeff_Lucovsky · March 30, 2020, 12:06pm

Hi,
What version of Suricata are you looking at?

For master, you’ll find these events in rust/src/dns/dns.rs. Previous versions of Suricata – 4.1.x and 5.0.x – had the same information in src/app-layer-dns-common.c

MiniPierre · March 30, 2020, 12:10pm

Hello Jeff, thanks for your reply
I use version 4.1.2, but had a look at Github master branch, thus not the good versions. Had a look at the correct branch and found the file !

Thanks again

Topic		Replies	Views
Decode, stream, app-layer event rules Rules rules	5	1216	June 7, 2022
Deleted rules still being added Help	2	811	February 26, 2021
Disable applayer rule Rules rules , suricata	2	457	October 18, 2023
Couple of questions about suricata-update suricata-update	1	160	April 9, 2024
Enrichment for Application layer protocol related events Rules rules	2	868	August 4, 2021

DNS App Layer Events

Related topics