suricata 7.0.2
opensuse tumbleweed
linux v5.14.21
Since about 28-Oct-2023 there has been a sudden increase in the number of log entries (examples below) written to the EVE log. Typically it would be about 35 MB per day. Today xz failed to compress the file because it had grown to 12 GB.
I do not understand why there is such a sudden increase in logging.
Any ideas on how to detect and drop these spurious DNS requests?
{"timestamp":"2023-10-30T10:14:40.639614-0700","flow_id":210536768715626,"event_type":"dns","src_ip":"189.127.26.151","src_port":26324,"dest_ip":"192.168.69.246","dest_port":53,"proto":"UDP","pkt_src":"wire/pcap","dns":{"version":2,"type":"answer","id":128,"flags":"83a0","qr":true,"tc":true,"rd":true,"ra":true,"opcode":0,"rrname":"cisco.com","rrtype":"TXT","rcode":"NOERROR"}}
{"timestamp":"2023-10-30T10:14:40.639888-0700","flow_id":215023921138469,"event_type":"dns","src_ip":"189.127.26.168","src_port":24115,"dest_ip":"192.168.69.246","dest_port":53,"proto":"UDP","pkt_src":"wire/pcap","dns":{"type":"query","id":53414,"rrname":"atlassian.com","rrtype":"TXT","tx_id":0,"opcode":0}}
{"timestamp":"2023-10-30T10:14:40.640059-0700","flow_id":215759980630953,"event_type":"dns","src_ip":"189.127.27.227","src_port":42421,"dest_ip":"192.168.69.246","dest_port":53,"proto":"UDP","pkt_src":"wire/pcap","dns":{"type":"query","id":1017,"rrname":"atlassian.com","rrtype":"TXT","tx_id":0,"opcode":0}}
{"timestamp":"2023-10-30T10:14:40.640220-0700","flow_id":216450167157858,"event_type":"dns","src_ip":"189.127.27.112","src_port":21234,"dest_ip":"192.168.69.246","dest_port":53,"proto":"UDP","pkt_src":"wire/pcap","dns":{"type":"query","id":53316,"rrname":"cisco.com","rrtype":"TXT","tx_id":0,"opcode":0}}
{"timestamp":"2023-10-30T10:14:40.640384-0700","flow_id":217153725386661,"event_type":"dns","src_ip":"189.127.27.74","src_port":24390,"dest_ip":"192.168.69.246","dest_port":53,"proto":"UDP","pkt_src":"wire/pcap","dns":{"type":"query","id":18292,"rrname":"apple.com","rrtype":"TXT","tx_id":0,"opcode":0}}