All my 2.3.220 SO hosts fail to parse DNS answers from Suricata DNS records

[branchnetconsulting]

I have a fair number of SO stacks out there, most running 2.3.220 and using Suricata for network metadata collection. For us, it appears that when looking at the "Security Onion - DNS" dashboard, that the Answers panel is always blank, even when there are DNS records most clearly holding answers. However, it appears these answers are not getting parsed.

For example, I have an SO DNS records whose message field contains:

{"timestamp":"2023-03-08T22:05:16.231213+0000","flow_id":2162284216176514,"in_iface":"bond0","event_type":"dns","src_ip":"172.16.1.99","src_port":56848,"dest_ip":"149.112.112.112","dest_port":53,"proto":"UDP","community_id":"1:OYClLdZhxYwkwGR/8ZG5zzvTGDw=","dns":{"version":2,"type":"answer","id":47410,"flags":"8180","qr":true,"rd":true,"ra":true,"rrname":"sbqmsa.wiki","rrtype":"A","rcode":"NOERROR","grouped":{"A":["188.54.114.192"]}}}

but the outer JSON event record contains no dns.answers.* fields at all.

Looking at /opt/so/conf/elasticsearch/ingest/suricata.dns, I would expect to see a populated dns.answers.data field.

{
  "description" : "suricata.dns",
  "processors" : [
    ...
    { "rename":         { "field": "message2.grouped.A",        "target_field": "dns.answers.data",             "ignore_missing": true  } },
    { "rename":         { "field": "message2.grouped.CNAME",    "target_field": "dns.answers.name",             "ignore_missing": true  } },
    ....
  ]
}

I would sure appreciate advice on how to get this working again.

Thanks,
Kevin

[dougburks]

I've created an issue for this:
#10117

[branchnetconsulting]

Thanks, Doug!