
Have Query and Answer string length #90

Open
helmerfud opened this issue Mar 3, 2017 · 5 comments

Comments

@helmerfud

Hello,
Is it possible to add the Query and Answer string length at the end of the log line?
This data will help my security manager to check for possible data exfiltration through DNS requests.
For a test situation I've added these lines to dns.c:
```c
/* line: 660 */
int qname_len = 0;
int answer_len = 0;

/* line: 1103 */
/* Print query length */
if (config.fieldsf & FIELD_QUERY) {
    /* the delimiter belongs under the offset check, the strlen() does not
       (mirrors the answer block below) */
    if (offset != 0)
        offset += snprintf(output+offset, sizeof(buffer) - offset, "%s", d);
    qname_len = strlen(l->qname);
    offset += snprintf(output+offset, sizeof(buffer) - offset, "%d", qname_len);
}

/* Print answer length */
if (config.fieldsf & FIELD_ANSWER) {
    if (offset != 0)
        offset += snprintf(output+offset, sizeof(buffer) - offset, "%s", d);
    if (is_err_record) {
        /* for error records the rcode string stands in for the answer */
        answer_len = strlen(rr_rcode);
        offset += snprintf(output+offset, sizeof(buffer) - offset, "%d", answer_len);
    } else {
        answer_len = strlen(p->answer);
        offset += snprintf(output+offset, sizeof(buffer) - offset, "%d", answer_len);
    }
}
```

But I'm not an experienced programmer in the C language.
Sorry, I don't understand a lot of your code and I won't be able to do the full job.

Bye.

@gamelinux
Owner

Though this is trivial to calculate from the current log format, either by preprocessing logs before you push them to your final log storage solution (via Kafka etc.), or, I would guess, you can calculate such with, say, Splunk when searching logs etc., I do see that it could be nice to have this if you don't have such fancy setups.

If I get time, I will look at it.
A pull request would work too :)

E

@gamelinux
Owner

Check out commit 215e351.
Tell me if this works like you expected.

@maxtors

maxtors commented Mar 16, 2017

I would vote against this change. It adds extra computation, and alters the log format and size. All for something that I think should be calculated further down the pipeline (as previously mentioned by gamelinux). Also, it seems to be outside the scope of what I feel this application is: a slim and to-the-point passive DNS collector.

@gamelinux
Owner

I do agree that it is outside what I would like in the core functionality (as the data is kind of there already, you just need to calculate it), but adding this would just add a very, very little overhead to computation if you don't specify -f with "L" and "l". It's just checking if a flag is set, in a very efficient way, in a few places.

And this will not alter the output format, if you don't manually add "L" and/or "l".

The biggest plus here is that this allows command line tools like jq to parse the JSON output etc. and filter on the length of domains if you want to hunt for, say, DNS tunneling etc.
Also, if you have little clue or are just short of time, you can push the data into ELK or Splunk etc. and use the length field right away, without writing a parser which adds the length before log insertion.

I'm open for feedback though :)
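As an added example (not part of this issue thread or the passivedns code), the "calculate it further down the pipeline" approach both maintainers describe: a small Python script that parses passivedns-style log lines, assuming the default `||`-delimited layout (timestamp, client, server, class, query, type, answer, ttl, count), derives the query and answer lengths plus the longest DNS label, and flags queries whose name or single label is unusually long, the signal one would look at when hunting for DNS tunneling. The log lines are constructed for the example.

```python
"""Derive query/answer lengths from passivedns-style logs and flag long names.

Assumption: the default '||'-delimited passivedns layout
    timestamp||client||server||class||query||type||answer||ttl||count
Sample lines below are constructed, not real captures.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample: an ordinary A lookup, a TXT query whose first label
# is a 48-character blob (typical shape of tunnelled data), and an MX lookup.
LONG_LABEL = "0123456789abcdef" * 3
SAMPLE_LOG = (
    "1488556800.123456||10.0.0.5||10.0.0.1||IN||www.example.com.||A||93.184.216.34||300||1\n"
    f"1488556801.654321||10.0.0.5||10.0.0.1||IN||{LONG_LABEL}.t.example.net.||TXT||v=ok||5||1\n"
    "1488556802.000000||10.0.0.7||10.0.0.1||IN||mail.example.org.||MX||10 mx.example.org.||3600||2\n"
)

@dataclass
class Record:
    query: str
    rtype: str
    answer: str
    qname_len: int      # what the issue asks dns.c to emit as "L"
    answer_len: int     # what the issue asks dns.c to emit as "l"
    longest_label: int  # a single label is capped at 63 bytes by the DNS wire format

def parse_line(line: str) -> Record:
    fields = line.rstrip("\n").split("||")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    query, rtype, answer = fields[4], fields[5], fields[6]
    labels = [lab for lab in query.split(".") if lab]
    return Record(query, rtype, answer, len(query), len(answer),
                  max((len(lab) for lab in labels), default=0))

def suspicious(rec: Record, qname_max: int = 60, label_max: int = 40) -> bool:
    """Thresholds are illustrative; tune them against your own baseline."""
    return rec.qname_len > qname_max or rec.longest_label > label_max

def scan(log_text: str) -> list[Record]:
    """Return only the records worth a closer look."""
    records = (parse_line(ln) for ln in log_text.splitlines() if ln.strip())
    return [r for r in records if suspicious(r)]

if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(f"{r.rtype:<4} qlen={r.qname_len} alen={r.answer_len} "
              f"maxlabel={r.longest_label} {r.query}")
```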

@helmerfud
Author

Hello,
Thank you very much for your great job.
Including my request in your project is, for me, fantastic.
It works very well, as I expected.

Best regards.
