Hoping someone can help here....
We are currently running DNS services on our Windows Active Directory servers (we do not currently have tools/tech in place to stream or otherwise capture this data...
See more...
Hoping someone can help here....
We are currently running DNS services on our Windows Active Directory servers (we do not currently have tools/tech in place to stream or otherwise capture this data on the wire --- roadmap item).
We are also running on Splunk Cloud with a Splunk HF (installed on a dedicated stand-alone system) & Splunk UF (installed on the Active Directory server(s) with DNS services running). So the data flows as follows:
Splunk UF (AD Server) -> Splunk HF (dedicated box) -> Splunk Cloud
Using this approach, I am able to successfully get the data in to Splunk Cloud. My issue revolves around parsing the necessary fields. I am most concerned about getting the DNS entry itself (as part of the initial query) as well as the IP address returned in the DNS response. Below I have included the raw data, the inputs.conf, props.conf, and transforms.conf. Please let me know what I am missing as I am at a loss at this point.
========
=======
======DNS Query Raw Data======
8/9/2021 7:19:32 AM 1750 PACKET 00000200616CA100 UDP Rcv ::1 1bf5 Q [0001 D NOERROR] A (27)vm3-proxy-pta-NCUS-CHI01P-2(9)connector(3)his(10)msappproxy(3)net(0) UDP question info at 00000200616CA100 Socket = 828 Remote addr ::1, port 62839 Time Query=229843, Queued=0, Expire=0 Buf length = 0x0fa0 (4000) Msg length = 0x004a (74) Message: XID 0x1bf5 Flags 0x0100 QR 0 (QUESTION) OPCODE 0 (QUERY) AA 0 TC 0 RD 1 RA 0 Z 0 CD 0 AD 0 RCODE 0 (NOERROR) QCOUNT 1 ACOUNT 0 NSCOUNT 0 ARCOUNT 0 QUESTION SECTION: Offset = 0x000c, RR count = 0 QTYPE A (1) QCLASS 1 ANSWER SECTION: empty AUTHORITY SECTION: empty ADDITIONAL SECTION: empty
======DNS Response Raw Data======
8/9/2021 7:19:10 AM 1750 PACKET 000002006188FCC0 UDP Snd ::1 196c R Q [8081 DR NOERROR] A (27)vm3-proxy-pta-NCUS-CHI01P-2(9)connector(3)his(10)msappproxy(3)net(0) UDP response info at 000002006188FCC0 Socket = 828 Remote addr ::1, port 58618 Time Query=229821, Queued=229822, Expire=229825 Buf length = 0x0200 (512) Msg length = 0x00bb (187) Message: XID 0x196c Flags 0x8180 QR 1 (RESPONSE) OPCODE 0 (QUERY) AA 0 TC 0 RD 1 RA 1 Z 0 CD 0 AD 0 RCODE 0 (NOERROR) QCOUNT 1 ACOUNT 2 NSCOUNT 0 ARCOUNT 0 QUESTION SECTION: Offset = 0x000c, RR count = 0 QTYPE A (1) QCLASS 1 ANSWER SECTION: Offset = 0x004a, RR count = 0 TYPE CNAME (5) CLASS 1 TTL 241 DLEN 85 DATA Offset = 0x00ab, RR count = 1 TYPE A (1) CLASS 1 TTL 7 DLEN 4 DATA 20.80.38.248 AUTHORITY SECTION: empty ADDITIONAL SECTION: Empty
======UF inputs.conf======
[monitor://c:\windows\system32\dns\dns.log] disabled = 0 index = dns sourcetype = windows:dns
======UF props.conf======
[windows:dns] SHOULD_LINEMERGE = True BREAK_ONLY_BEFORE_DATE = True EXTRACT-Domain = (?i) .*? \.(?P<Domain>[-a-zA-Z0-9@:%_\+.~#?;//=]{2,256}\.[a-z]{2,6}) EXTRACT-src=(?i) [Rcv|Snd] (?P<source_address>\d+\.\d+\.\d+\.\d+) EXTRACT-Threat_ID,Context,Int_packet_ID,proto,mode,Xid,type,Opcode,Flags_Hex,char_code,ResponseCode,question_type = .+?[AM|PM]\s+(?<Threat_ID>\w+)\s+(?<Context>\w+)\s+(?<Int_packet_ID>\w+)\s+(?<proto>\w+)\s+(?<mode>\w+)\s+\d+\.\d+\.\d+\.\d+\s+(?<Xid>\w+)\s(?<type>(?:R)?)\s+(?<Opcode>\w+)\s+\[(?<Flags_Hex>\w+)\s(?<char_codes>.+?)(?<ResponseCode>[A-Z]+)\]\s+(?<question_type>\w+)\s EXTRACT-Authoritative_Answer,TrunCation,Recursion_Desired,Recursion_Available = (?m) .+?Message:\W.+\W.+\W.+\W.+\W.+AA\s+(?<Authoritative_Answer>\d)\W.+TC\s+(?<TrunCation>\d)\W.+RD\s+(?<Recursion_Desired>\d)\W.+RA\s+(?<Recursion_Available>\d) SEDCMD-win_dns = s/\(\d+\)/./g
======HF inputs.conf======
[splunktcp://:5143] connection_host = x.x.x.x (masking IP) index = dns disabled = 0
======HF props.conf======
[windows:dns] EXTRACT-Domain = (?i) .*? \.(?<Domain>[-a-zA-Z0-9@:%_\+.~#?;//=]{2,256}\.[a-z]{2,6}) EXTRACT-windows_dns_000001 = (?<thread_id>[0-9A-Fa-f]{4}) (?<Context>[^\s]+)\s+(?<internal_packet_id>[0-9A-Fa-f]+) (?<protocol>UDP|TCP) (?<direction_flag>Snd|Rcv) (?<client_ip>[0-9\.]+)\s+(?<xid>[0-9A-Fa-f]+) (?<type>[R\s]{1}) (?<opcode>[A-Z\?]{1}) \[(?<flags>[0-9A-Fa-f]+) (?<flagAuthoritativeAnswer>[A\s]{1})(?<flagTrucatedResponse>[T\s]{1})(?<flagRecursionDesire>[D\s]{1})(?<flagRecursionAvailable>[R\s]{1})\s+(?<response_code>[^\]]+)\]\s+(?<query_type>[^\s]+)\s+(?<query_name>[^/]+) EXTRACT-windows_dns_000010 = ([a-zA-Z0-9\-\_]+)\([0-9]+\)(?<tld>[a-zA-Z0-9\-\_]+)\(0\)$ EXTRACT-windows_dns_000020 = \([0-9]+\)(?<domain>[a-zA-Z0-9\-\_]+\([0-9]+\)[a-zA-Z0-9\-\_]+)\(0\)$ EXTRACT-windows_dns_000030 = \s\([0-9]+\)(?<hostname>[a-zA-Z0-9\-\_]+)\(0\)$ EVAL-domain = replace(domain, "([\(0-9\)]+)", ".") EVAL-query_domain = ltrim(replace(query_name, "(\([\d]+\))", "."),".") EVAL-type_msg = case(type="R", "Response", isnull(type), "Query") EVAL-opcode_msg = case(opcode="Q", "Standard Query", opcode="N", "Notify", opcode="U", "Update", opcode="?", "Unknown") EVAL-direction = case(direction_flag="Snd", "Send", direction_flag="Rcv", "Received") EVAL-decID = tonumber(xid, 16) REPORT-win_dns = dns_string_lengths, dns_strings REPORT-extractdoms = extractdoms REPORT-extractips = extractips
======HF transforms.conf======
[dns_string_lengths] REGEX = \((\d+)\) FORMAT = strings_len::$1 MV_ADD = true REPEAT_MATCH = true
[dns_strings] REGEX = \([0-9]+\)([a-zA-Z0-9\-\_]+)\([0-9]+\) FORMAT = strings::$1 MV_ADD = true REPEAT_MATCH = true
[extractdoms] SOURCE_KEY = query_domain REGEX = Name\s+\"(?<NewDomain>[a-zA-Z0-9\[\]\(\)\-\.\_]+\"\n) FORMAT = strings::$1 MV_ADD = true REPEAT_MATCH = true
[extractips] REGEX = DATA\s+(?<Answers>[0-9\.]+\n) FORMAT = strings::$1 MV_ADD = true REPEAT_MATCH = true