Merge pull request #1163 from stratosphereips/alya/fix_blacklisted_dn…

…s_answer_evidence_description fix error parsing suricata DNS flows
stratosphereips · Jan 28, 2025 · 1af0692 · 1af0692
2 parents e28d113 + b8d5b6a
commit 1af0692
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 16 deletions.
diff --git a/modules/threat_intelligence/threat_intelligence.py b/modules/threat_intelligence/threat_intelligence.py
@@ -1381,7 +1381,8 @@ def is_malicious_ip(
             - is_dns_response (bool, optional): Indicates if the lookup
              is for an IP found in a DNS response.
             - dns_query (str, optional): The DNS query associated with
-            the DNS response containing the IP.
+            the DNS response containing the IP. should be passed if
+            is_dns_response is True
 
         Returns:
             - bool: True if the IP address is found to be malicious,

diff --git a/slips_files/core/database/redis_db/profile_handler.py b/slips_files/core/database/redis_db/profile_handler.py
@@ -225,7 +225,6 @@ def add_out_dns(self, profileid, twid, flow):
                 extra_info = {
                     "is_dns_response": True,
                     "dns_query": flow.query,
-                    "domain": answer,
                 }
                 self.give_threat_intelligence(
                     profileid,

diff --git a/slips_files/core/input_profilers/suricata.py b/slips_files/core/input_profilers/suricata.py
@@ -122,18 +122,18 @@ def get_value_at(field, subfield, default_=False):
         elif event_type == "dns":
             answers: list = self.get_answers(line)
             self.flow: SuricataDNS = SuricataDNS(
-                timestamp,
-                flow_id,
-                saddr,
-                sport,
-                daddr,
-                dport,
-                proto,
-                appproto,
-                get_value_at("dns", "rdata", ""),
-                get_value_at("dns", "ttl", ""),
-                get_value_at("qtype_name", "rrtype", ""),
-                answers,
+                starttime=timestamp,
+                uid=flow_id,
+                saddr=saddr,
+                sport=sport,
+                daddr=daddr,
+                dport=dport,
+                proto=proto,
+                appproto=appproto,
+                query=get_value_at("dns", "rrname", ""),
+                TTLs=get_value_at("dns", "ttl", ""),
+                qtype_name=get_value_at("qtype_name", "rrtype", ""),
+                answers=answers,
             )
 
         elif event_type == "tls":

diff --git a/tests/test_profile_handler.py b/tests/test_profile_handler.py
@@ -1912,7 +1912,6 @@ def test_add_ips(
                     extra_info={
                         "is_dns_response": True,
                         "dns_query": "www.example.com",
-                        "domain": "1.2.3.4",
                     },
                 ),
             ],
@@ -1982,7 +1981,6 @@ def test_add_ips(
                     extra_info={
                         "is_dns_response": True,
                         "dns_query": "www.example.com",
-                        "domain": "1.2.3.4",
                     },
                 ),
             ],