DNS logs are an excellent source of data within an organization. It can be automatically correlated with other threat intelligence within the McAfee ESM and provide alerts when suspicious activity is detected.
In this document, we'll take a look at how to configure a Microsoft DNS server to send the DNS logs over to the McAfee ESM for analysis and provide useful security information.
Setting up the DNS Server as a Data Source for the McAfee ESM
The first step is to enable the DNS logs on the Microsoft DNS Server. On your Microsoft DNS Server, perform the following:
- Open the Domain Name System Microsoft Management Console (DNS MMC) snapin.
- Click Start, Programs, Administrative Tools, and then DNS.
- From the DNS Server, right-click the server and select Properties submenu.
- The Properties pop-window will appear on your screen.
- Select the Debug Logging tab and the Log packets debugging check box, respectively.
- Ensure that the Incoming, UDP, Queries/Transfer, and Request check boxes are selected.
- File is located at: systemroot\System32\Dns\Dns.log
Next, configure the McAfee SIEM Collector to send the DNS logs over to the McAfee SIEM.
Download the collector from the McAfee product download site.
After the collector is installed, open the McAfee SIEM Collector Management Utility.
For the Receiver options, enter your ESM Receiver IP address:
Under the Event Collectors, right click on it and create a new group. I named my group Microsoft.
In the group options, enter your credentials for the Windows Server. These credentials are to access the DNS logs.
Right click on your group and click on Add Host. This will be the settings for your host and collector. Enter your Host Name/IP at the top.
Next, create and name a new configuration and enter the details for your DNS log. We're going to tail the end of the log file and send it to the McAfee ESM.
Log Directory: C:\Windows\System32\dns
Log File: dns.log
Tail Mode: End of file
Great, now that the DNS Server and collector are set up, we will want to add this as a device on the McAfee ESM.
Setting up the McAfee ESM Receiver
- Select the Receiver where you will be adding the data source.
- After selecting the Receiver, click the “Add Data Source” icon.
On the Data Source Screen
Data Source Vendor – Microsoft
Data Source Model – Windows DNS (ASP)
Data Format – Default
Data Retrieval – MEF
Enabled: Parsing/Logging/SNMP Trap – <Default>
Name – Name of data source
IP Address/Hostname – The IP address and host name associated with the data source device (IP must match that of the SIEM collector’s)
Host ID – Host ID associated with the SIEM Collector log tail configuration if applicable
Support Generic Syslogs – Do nothing
Time Zone – Time zone of data being sent.
Utilizing the Data
Now that you have the DNS data in your McAfee ESM, you can gather very useful information from the logs.
McAfee ESM includes Content Packs which include prepackaged sets of views, alarms, reports, watchlists, variables, and correlation rules. One of the available content packs is the DNS Content Pack, which can be downloaded in the McAfee ESM by going to the Content Pack section in the System Properties > Click Browse > and then select the DNS Content Pack and click install
After the DNS Content Pack is installed, we will modify one of the Correlation Rules to fit our environment.
First, go to the correlation rules section by clicking on the Correlation icon in the top right.
Next, select the "DNS - Communication with Malicious Host - Event or Flow" rule and use the Edit Menu drop-down and select Copy and then Open it up again and select Paste. This will create a duplicate of the event.
Now, select the newly created correlation rule and go to Edit > Modify.
First, let's change the Name of this correlation rule by putting a Modified at the end. Next, click on the drop-down in the filter of the rule and select Edit.
Uncheck the Flows option and click on the Add button on the right.
We're going to match this correlation rule with the event "Win_DNS A Query Sent", which includes the client's IP address for DNS requests. The Signature ID of this event is 266-1013188. When we add it, it should look like this.
Now, we'll want to remove the Destination Port by selecting it and clicking Delete.
Okay, now we have our correlation rule set up. This rule will trigger any time a client communicates with a malicious host. When you look at the rule, make note of the Signature ID of the rule (your Signature ID for your newly created rule will be different than mine). We will use it to create an alarm which will automatically notify you if this rule is triggered.
There are also other Correlation Rules built into the DNS Content Pack that can provide you with important events. Some of them are:
- DNS - Multiple Recon Events from a Local Host
- DNS - Multiple Recon Events from a Remote Host
- DNS - Possible DNS Amplification Attack
- DNS - Possible DNS connection or Unauthorized DNS server
- DNS - Traffic with a Passive DNS known Malware Domain
Content Packs can also be updated with new rules and other elements in the future.
Creating an Alarm
Using the correlation rules, you can create an alarm to alert you whenever there is suspicious activity. You will want to be careful and not create too many low value alarms because the signal to noise ratio will be too high and you'll just end up ignoring all of them, even if there is critical alert. That being said, alarms are helpful to notify you if an important event is occurring.
To create an alarm, go to your System Information panel and click Alarms, then click Add
Enter a name such as "Client Communicating with Malicious Host"
Now, click on the Condition tab. For the Type, select Internal Event Match
For the Field, select Signature ID
For the Value, enter the Signature ID of your Correlation Rule
For the Devices tab, select your correlation device.
In the Actions tab, check the Send Message: box and configure it to send it to your administrators.
After that, you can also add an escalation if no one acknowledges the alarm within a certain period of time.
After you've configured the alarm, just click finish. Now, anytime the correlation rule is triggered, it will automatically send out an email notifying you of the incident.