DNS App Layer Events

MiniPierre · March 30, 2020, 9:44am

Hello everyone,

I am currently doing a listing of Suricata rules for my company, and I found that the ones in dns-events.rules are using the app-layer-event field. With a bit of researches, it appears that these app-layer-events are described in the app-layer-dns.c file, which does not exists anymore. Do these rules still work, and if yes how ?

Thanks for your help

Jeff_Lucovsky · March 30, 2020, 12:06pm

Hi,
What version of Suricata are you looking at?

For master, you’ll find these events in rust/src/dns/dns.rs. Previous versions of Suricata – 4.1.x and 5.0.x – had the same information in src/app-layer-dns-common.c

MiniPierre · March 30, 2020, 12:10pm

Hello Jeff, thanks for your reply
I use version 4.1.2, but had a look at Github master branch, thus not the good versions. Had a look at the correct branch and found the file !

Thanks again

Topic		Replies	Views
Decode, stream, app-layer event rules Rules rules	5	1033	June 7, 2022
Suricata DNS IPS rule Rules	7	1702	October 14, 2021
Rule 2210008 - help interpreting results Rules	6	985	September 24, 2020
Custom rule not triggering (newbie warning!) [SOLVED] Rules	3	711	October 20, 2022
Some questions about add new app layer protocol Help	1	1135	January 6, 2022

DNS App Layer Events

Related Topics