Merge pull request #145 from CybercentreCanada/ontology/duplicate_dns…

…_attributes Only attach a single DNS record to an alert
CybercentreCanada · Aug 1, 2024 · 421340d · 421340d
2 parents a591129 + 5f528e6
commit 421340d
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 5 deletions.
diff --git a/suricata_/helper.py b/suricata_/helper.py
@@ -108,7 +108,6 @@ def attach_network_connection(data: dict):
             "destination_ip": dest_ip,
             "destination_port": dest_port,
             "transport_layer_protocol": proto,
-            "connection_type": app_proto,
             "direction": direction,
         }
 
@@ -160,7 +159,8 @@ def attach_network_connection(data: dict):
             attach_network_connection(network_data)
 
         elif record["event_type"] == "dns":
-            if "rrname" not in record["dns"]:
+            if record["dns"]["type"] == "query":
+                # Ignore event records about DNS queries
                 continue
             domain = record["dns"]["rrname"]
             if regex.match(DOMAIN_ONLY_REGEX, domain) and domain not in domains and domain not in ips:
@@ -259,11 +259,15 @@ def attach_network_connection(data: dict):
                             else url
                         )
                         attribute.update({"uri": url})
-                    elif record.get("dns") and network_part.dns_details:
-                        # Only attach network results that are directly related to the alert
+                    elif record.get("dns"):
+                        if not network_part.dns_details:
+                            # Only attach network results that are directly related to the alert
+                            continue
+
                         if not any(
                             query["rrname"] == network_part.dns_details.domain for query in record["dns"]["query"]
                         ):
+                            # This particular record isn't relevant to the alert
                             continue
                     attributes.append(attribute)
 

diff --git a/tests/files/alert_dns/eve.json b/tests/files/alert_dns/eve.json
@@ -0,0 +1,6 @@
+{"timestamp":"2023-01-27T21:12:40.488194+0000","flow_id":1,"pcap_cnt":21,"event_type":"alert","src_ip":"0.0.0.1","src_port":1,"dest_ip":"0.0.0.0","dest_port":53,"proto":"UDP","pkt_src":"wire/pcap","community_id":"community_id","tx_id":0,"alert":{"action":"allowed","gid":0,"signature_id":2054403,"rev":1,"signature":"TEST","category":"Unknown Classtype","severity":3},"dns":{"query":[{"type":"query","id":53335,"rrname":"bad.com","rrtype":"A","tx_id":0,"opcode":0}]},"app_proto":"dns","direction":"to_server","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":72,"bytes_toclient":0,"start":"2023-01-27T21:12:40.488194+0000","src_ip":"0.0.0.1","dest_ip":"0.0.0.0","src_port":1,"dest_port":53}}
+{"timestamp":"2023-01-27T21:12:40.488194+0000","flow_id":1,"pcap_cnt":21,"event_type":"dns","src_ip":"0.0.0.1","src_port":1,"dest_ip":"0.0.0.0","dest_port":53,"proto":"UDP","pkt_src":"wire/pcap","community_id":"community_id","dns":{"type":"query","id":53335,"rrname":"bad.com","rrtype":"A","tx_id":0,"opcode":0}}
+{"timestamp":"2023-01-27T21:12:40.509232+0000","flow_id":1,"pcap_cnt":24,"event_type":"dns","src_ip":"0.0.0.1","src_port":1,"dest_ip":"0.0.0.0","dest_port":53,"proto":"UDP","pkt_src":"wire/pcap","community_id":"community_id","dns":{"version":2,"type":"answer","id":53335,"flags":"8580","qr":true,"aa":true,"rd":true,"ra":true,"opcode":0,"rrname":"bad.com","rrtype":"A","rcode":"NOERROR","answers":[{"rrname":"bad.com","rrtype":"A","ttl":720,"rdata":"0.0.0.2"}],"grouped":{"A":["0.0.0.2"]},"authorities":[{"rrname":"bad.com","rrtype":"NS","ttl":720,"rdata":"ns.server0.com"},{"rrname":"bad.com","rrtype":"NS","ttl":720,"rdata":"ns.server1.com"},{"rrname":"bad.com","rrtype":"NS","ttl":720,"rdata":"ns.server2.com"}]}}
+{"timestamp":"2023-01-27T21:05:48.109149+0000","flow_id":1,"event_type":"flow","src_ip":"0.0.0.1","src_port":1,"dest_ip":"0.0.0.0","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":72,"bytes_toclient":310,"start":"2023-01-27T21:12:40.488194+0000","end":"2023-01-27T21:12:40.509232+0000","age":0,"state":"established","reason":"shutdown","alerted":true},"community_id":"community_id"}
+{"timestamp":"2023-01-27T21:05:48.109149+0000","flow_id":1,"event_type":"netflow","src_ip":"0.0.0.1","src_port":1,"dest_ip":"0.0.0.0","dest_port":53,"proto":"UDP","app_proto":"dns","netflow":{"pkts":1,"bytes":72,"start":"2023-01-27T21:12:40.488194+0000","end":"2023-01-27T21:12:40.509232+0000","age":0,"min_ttl":128,"max_ttl":128},"community_id":"community_id"}
+{"timestamp":"2023-01-27T21:05:48.109149+0000","flow_id":1,"event_type":"netflow","src_ip":"0.0.0.0","src_port":53,"dest_ip":"0.0.0.1","dest_port":1,"proto":"UDP","app_proto":"dns","netflow":{"pkts":1,"bytes":310,"start":"2023-01-27T21:12:40.488194+0000","end":"2023-01-27T21:12:40.509232+0000","age":0,"min_ttl":64,"max_ttl":64},"community_id":"community_id"}
diff --git a/tests/test_helper.py b/tests/test_helper.py
@@ -4,7 +4,7 @@
 from suricata_.helper import parse_suricata_output
 
 
-@pytest.mark.parametrize("sample_dir", ["files/alert_http", "files/alert_flow"])
+@pytest.mark.parametrize("sample_dir", ["files/alert_http", "files/alert_flow", "files/alert_dns"])
 def test_alert_signature_correlation(sample_dir):
     sample_dir = os.path.join(os.path.dirname(__file__), sample_dir)
     result = parse_suricata_output(sample_dir)