From 24caa3b284eae6a3be9c6dfd77b43833e626a1d4 Mon Sep 17 00:00:00 2001
From: alya
Date: Mon, 13 Jan 2025 19:36:14 +0200
Subject: [PATCH 1/3] fix error parsing suricata DNS flows
---
 .../threat_intelligence.py | 3 ++-
 .../core/database/redis_db/profile_handler.py | 1 -
 slips_files/core/flows/suricata.py | 8 ++++--
 slips_files/core/input_profilers/suricata.py | 26 +++++++++----------
 4 files changed, 21 insertions(+), 17 deletions(-)
diff --git a/modules/threat_intelligence/threat_intelligence.py b/modules/threat_intelligence/threat_intelligence.py
index b0e47562f..e1dc40db2 100644
--- a/modules/threat_intelligence/threat_intelligence.py
+++ b/modules/threat_intelligence/threat_intelligence.py
@@ -1379,7 +1379,8 @@ def is_malicious_ip( - is_dns_response (bool, optional): Indicates if the lookup is for an IP found in a DNS response. - dns_query (str, optional): The DNS query associated with - the DNS response containing the IP. + the DNS response containing the IP. should be passed if + is_dns_response is True Returns: - bool: True if the IP address is found to be malicious,
diff --git a/slips_files/core/database/redis_db/profile_handler.py b/slips_files/core/database/redis_db/profile_handler.py
index 4e734e62e..38d4e2038 100644
--- a/slips_files/core/database/redis_db/profile_handler.py
+++ b/slips_files/core/database/redis_db/profile_handler.py
@@ -223,7 +223,6 @@ def add_out_dns(self, profileid, twid, flow):
 extra_info = {
 "is_dns_response": True,
 "dns_query": flow.query,
- "domain": answer,
 }
 self.give_threat_intelligence(
 profileid,
diff --git a/slips_files/core/flows/suricata.py b/slips_files/core/flows/suricata.py
index 41f2f2739..e24b6abb2 100644
--- a/slips_files/core/flows/suricata.py
+++ b/slips_files/core/flows/suricata.py
@@ -1,5 +1,9 @@
 from dataclasses import dataclass
-from typing import Union
+from typing import (
+ Union,
+ List,
+ Dict,
+)
 from slips_files.common.slips_utils import utils
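Review bot: The new docstring text for dns_query says it "should be passed if is_dns_response is True", but nothing in the hunk enforces that pairing, so a caller that sets is_dns_response without dns_query would proceed with an empty query instead of failing early; a guard such as `if is_dns_response and not dns_query:` followed by `raise ValueError("dns_query is required when is_dns_response is True")` would make the contract real, unless the body already handles it (is_malicious_ip's body is outside the hunk). The added sentence also starts lower-case mid-docstring; `Should be passed when is_dns_response is True.` reads cleaner. The same hunk is repeated in PATCH 2/3 against the same function and needs the same treatment.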
@@ -135,7 +139,7 @@ class SuricataDNS:
 query: str
 TTLs: str
 qtype_name: str
- answers: list
+ answers: List[Dict[str, str]]
 # these alues are not present in eve.json
 qclass_name: str = ""
diff --git a/slips_files/core/input_profilers/suricata.py b/slips_files/core/input_profilers/suricata.py
index b59544b59..9fe9270c4 100644
--- a/slips_files/core/input_profilers/suricata.py
+++ b/slips_files/core/input_profilers/suricata.py
@@ -37,7 +37,7 @@ def process_line(self, line) -> None:
 """Read suricata json input and store it in column_values"""
 # convert to dict if it's not a dict already
- if type(line) == str:
+ if isinstance(line, str):
 line = json.loads(line)
 else:
 # line is a dict with data and type as keys
@@ -120,18 +120,18 @@ def get_value_at(field, subfield, default_=False):
 elif event_type == "dns":
 answers: list = self.get_answers(line)
 self.flow: SuricataDNS = SuricataDNS(
- timestamp,
- flow_id,
- saddr,
- sport,
- daddr,
- dport,
- proto,
- appproto,
- get_value_at("dns", "rdata", ""),
- get_value_at("dns", "ttl", ""),
- get_value_at("qtype_name", "rrtype", ""),
- answers,
+ starttime=timestamp,
+ uid=flow_id,
+ saddr=saddr,
+ sport=sport,
+ daddr=daddr,
+ dport=dport,
+ proto=proto,
+ appproto=appproto,
+ query=get_value_at("dns", "rrname", ""),
+ TTLs=get_value_at("dns", "ttl", ""),
+ qtype_name=get_value_at("qtype_name", "rrtype", ""),
+ answers=answers,
 )
 elif event_type == "tls":
From 4855c89e87b6127a48ef2e23f6dbc5c7fbf48d6e Mon Sep 17 00:00:00 2001
From: alya
Date: Mon, 13 Jan 2025 19:36:14 +0200
Subject: [PATCH 2/3] fix error parsing suricata DNS flows
---
 .../threat_intelligence.py | 3 ++-
 .../core/database/redis_db/profile_handler.py | 1 -
 slips_files/core/input_profilers/suricata.py | 24 +++++++++----------
 3 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/modules/threat_intelligence/threat_intelligence.py b/modules/threat_intelligence/threat_intelligence.py
index a93c0ab2f..09c384726 100644
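Review bot: The new annotation `answers: List[Dict[str, str]]` promises that every value in an answer record is a string, which Suricata eve.json answer entries do not guarantee: `ttl` is emitted there as an integer next to `rrname`, `rrtype` and `rdata`, so unless get_answers() (not in the hunk) stringifies it, the type misleads both readers and a type checker. `List[Dict[str, Union[str, int]]]` — Union is already imported at the top of this file — or a TypedDict describing the record shape would be accurate. The untouched context comment below it also has a typo, `alues` → `values`, worth fixing while this line is being edited.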
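Review bot: `json.loads(line)` in the str branch has no handling for a malformed record, so a truncated or non-JSON line in an eve.json feed raises `json.JSONDecodeError` out of process_line; whether a caller catches it is not visible here, as the function body continues past the hunk. If a bad line should be skipped rather than stop ingestion, `try: line = json.loads(line)` / `except json.JSONDecodeError: return` (after logging the offending line) keeps the isinstance fix and makes the failure mode explicit, and matches the `-> None` return type already on the signature.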
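Review bot: `qtype_name=get_value_at("qtype_name", "rrtype", "")` looks up a top-level `qtype_name` object that Suricata eve.json DNS events do not carry; the record type lives under `dns` next to `rrname` and `ttl`, so this field presumably always falls back to `""` (get_value_at's body is outside the hunk, so this is inferred from its `field, subfield` signature and the sibling calls). The keyword-argument form and the `rdata`→`rrname` fix are right, but this line needs the same correction: `qtype_name=get_value_at("dns", "rrtype", ""),`. SuricataDNS also declares `TTLs: str` while `dns.ttl` in eve.json is numeric, so `TTLs=str(get_value_at("dns", "ttl", "")),` or a widened annotation would keep the dataclass honest. The identical hunk reappears in PATCH 2/3 at `@@ -122,18 +122,18 @@` and needs the same change.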
--- a/modules/threat_intelligence/threat_intelligence.py
+++ b/modules/threat_intelligence/threat_intelligence.py
@@ -1381,7 +1381,8 @@ def is_malicious_ip( - is_dns_response (bool, optional): Indicates if the lookup is for an IP found in a DNS response. - dns_query (str, optional): The DNS query associated with - the DNS response containing the IP. + the DNS response containing the IP. should be passed if + is_dns_response is True Returns: - bool: True if the IP address is found to be malicious,
diff --git a/slips_files/core/database/redis_db/profile_handler.py b/slips_files/core/database/redis_db/profile_handler.py
index 8a94423e3..8cd47c3bd 100644
--- a/slips_files/core/database/redis_db/profile_handler.py
+++ b/slips_files/core/database/redis_db/profile_handler.py
@@ -225,7 +225,6 @@ def add_out_dns(self, profileid, twid, flow):
 extra_info = {
 "is_dns_response": True,
 "dns_query": flow.query,
- "domain": answer,
 }
 self.give_threat_intelligence(
 profileid,
diff --git a/slips_files/core/input_profilers/suricata.py b/slips_files/core/input_profilers/suricata.py
index ebfeed20f..eca742192 100644
--- a/slips_files/core/input_profilers/suricata.py
+++ b/slips_files/core/input_profilers/suricata.py
@@ -122,18 +122,18 @@ def get_value_at(field, subfield, default_=False):
 elif event_type == "dns":
 answers: list = self.get_answers(line)
 self.flow: SuricataDNS = SuricataDNS(
- timestamp,
- flow_id,
- saddr,
- sport,
- daddr,
- dport,
- proto,
- appproto,
- get_value_at("dns", "rdata", ""),
- get_value_at("dns", "ttl", ""),
- get_value_at("qtype_name", "rrtype", ""),
- answers,
+ starttime=timestamp,
+ uid=flow_id,
+ saddr=saddr,
+ sport=sport,
+ daddr=daddr,
+ dport=dport,
+ proto=proto,
+ appproto=appproto,
+ query=get_value_at("dns", "rrname", ""),
+ TTLs=get_value_at("dns", "ttl", ""),
+ qtype_name=get_value_at("qtype_name", "rrtype", ""),
+ answers=answers,
 )
 elif event_type == "tls":
From b8d5b6a6ad4e4ea4a84d975ef3286e5ecfaf74de Mon Sep 17 00:00:00 2001
From: alya
Date: Tue, 28 Jan 2025 20:51:38 +0200
Subject: [PATCH 3/3] test_profile_handler.py: fix test_add_out_dns()
---
 tests/test_profile_handler.py | 2 --
 1 file changed, 2 deletions(-)
diff --git a/tests/test_profile_handler.py b/tests/test_profile_handler.py
index c28d1b015..4de681927 100644
--- a/tests/test_profile_handler.py
+++ b/tests/test_profile_handler.py
@@ -1912,7 +1912,6 @@ def test_add_ips(
 extra_info={
 "is_dns_response": True,
 "dns_query": "www.example.com",
- "domain": "1.2.3.4",
 },
 ),
 ],
@@ -1982,7 +1981,6 @@ def test_add_ips(
 extra_info={
 "is_dns_response": True,
 "dns_query": "www.example.com",
- "domain": "1.2.3.4",
 },
 ),
 ],