Add missing support for latency check in suspicious transformer #304
Conversation
- Move the suspicious transformer down the list since we need latency information processed earlier.
- Discard QUERY packets to avoid double accounting.
- Increase score if latency is higher than threshold.
|
@dmachard Would it make sense to have QUERY/REPLY defined as constants in dnsutils? I see there's already constants for DNSTAP_OPERATION_* but those are not strictly dnstap-related if used for dm.DNS.Type? Edit: Looks like "go lint" is telling me to do it so I'll do this for the purpose of the test but it might be used in other parts of the codebase. |
|
Thanks for this pull request, just take in account my preview comment. You can discard queries with the filtering transform, it's not sufficient in your case ? Otherwise, the tranforms processing order is not really efficient. We need to find a way to properly set the order in future version. |
I agree, there should probably be something better to order modules. This is a quick fix. A better solution would be a lot more complex. |