Security-Onion-Solutions / securityonion

Security Onion is a free and open platform for threat hunting, enterprise security monitoring, and log management. It includes our own interfaces for alerting, dashboards, hunting, PCAP, detections, and case management. It also includes other tools such as osquery, CyberChef, Elasticsearch, Logstash, Kibana, Suricata, and Zeek.
https://securityonion.net

FIX: Suricata DNS A and CNAME parsing #10117

Closed dougburks closed 1 year ago

dougburks commented 1 year ago

Discussed in https://github.com/Security-Onion-Solutions/securityonion/discussions/10071

Originally posted by **branchnetconsulting** March 30, 2023

I have a fair number of SO stacks out there, most running 2.3.220 and using Suricata for network metadata collection. For us, it appears that when looking at the "Security Onion - DNS" dashboard, the Answers panel is always blank, even when there are DNS records most clearly holding answers. However, it appears these answers are not getting parsed. For example, I have an SO DNS record whose message field contains:

```json
{"timestamp":"2023-03-08T22:05:16.231213+0000","flow_id":2162284216176514,"in_iface":"bond0","event_type":"dns","src_ip":"172.16.1.99","src_port":56848,"dest_ip":"149.112.112.112","dest_port":53,"proto":"UDP","community_id":"1:OYClLdZhxYwkwGR/8ZG5zzvTGDw=","dns":{"version":2,"type":"answer","id":47410,"flags":"8180","qr":true,"rd":true,"ra":true,"rrname":"sbqmsa.wiki","rrtype":"A","rcode":"NOERROR","grouped":{"A":["188.54.114.192"]}}}
```

but the outer JSON event record contains no dns.answers.* fields at all. Looking at /opt/so/conf/elasticsearch/ingest/suricata.dns, I would expect to see a populated dns.answers.data field.

```
{
  "description" : "suricata.dns",
  "processors" : [
    ...
    { "rename": { "field": "message2.grouped.A", "target_field": "dns.answers.data", "ignore_missing": true } },
    { "rename": { "field": "message2.grouped.CNAME", "target_field": "dns.answers.name", "ignore_missing": true } },
    ....
  ]
}
```

I would sure appreciate advice on how to get this working again. Thanks, Kevin
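As an added example (not Security Onion's own code), the following Python sketch applies the same two rename processors from the pipeline fragment above to the EVE record quoted in the discussion and to a constructed query record that carries no `grouped` object, so the ignore_missing path is exercised too. It assumes that `message2` in the pipeline is the parsed `dns` object of the EVE record.

```python
import json

# Constructed input: the DNS answer record quoted in the issue plus a query record
# without a "grouped" object, to exercise the ignore_missing path.
EVE_LINES = [
    '{"timestamp":"2023-03-08T22:05:16.231213+0000","event_type":"dns","src_ip":"172.16.1.99",'
    '"dest_ip":"149.112.112.112","proto":"UDP","dns":{"version":2,"type":"answer","id":47410,'
    '"rrname":"sbqmsa.wiki","rrtype":"A","rcode":"NOERROR","grouped":{"A":["188.54.114.192"]}}}',
    '{"timestamp":"2023-03-08T22:05:16.100000+0000","event_type":"dns","src_ip":"172.16.1.99","dest_ip":"149.112.112.112",'
    '"proto":"UDP","dns":{"version":2,"type":"query","id":47410,"rrname":"sbqmsa.wiki","rrtype":"A"}}',
]

# Source/target pairs of the rename processors shown in suricata.dns. Assumption:
# "message2" is the parsed "dns" object of the EVE record.
RENAMES = [
    ("message2.grouped.A", "dns.answers.data"),
    ("message2.grouped.CNAME", "dns.answers.name"),
]

def rename_field(doc, src, dst):
    # Mimic the Elasticsearch rename processor for dotted paths (ignore_missing: true).
    *parents, leaf = src.split(".")
    holder = doc
    for p in parents:
        holder = holder.get(p) if isinstance(holder, dict) else None
    if not isinstance(holder, dict) or leaf not in holder:
        return doc  # source absent: skip silently, as ignore_missing does
    value = holder.pop(leaf)
    *dparents, dleaf = dst.split(".")
    target = doc
    for p in dparents:
        target = target.setdefault(p, {})
    target[dleaf] = value
    return doc

def ingest_dns(line):
    # Parse one EVE line and run the DNS rename processors over it.
    event = json.loads(line)
    if event.get("event_type") != "dns":
        return None
    doc = {"message2": event["dns"], "dns": {}}
    for src, dst in RENAMES:
        rename_field(doc, src, dst)
    return doc

def answers(line):
    # The list the dashboard's Answers panel reads from dns.answers.data, or None.
    doc = ingest_dns(line)
    return doc["dns"].get("answers", {}).get("data") if doc else None
```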
dougburks commented 1 year ago

Tested and verified: image