
How to Set Up and Use DNS Logs in the McAfee ESM

Introduction


DNS logs are an excellent source of data within an organization. They can be automatically correlated with other threat intelligence within the McAfee ESM and raise alerts when suspicious activity is detected.


There are many sources of threat intelligence that the McAfee ESM can gather, from the built-in Global Threat Intelligence watchlists to imported IOCs and threat feeds.


In this document, we'll look at how to configure a Microsoft DNS server to send its DNS logs to the McAfee ESM for analysis, and how to turn those logs into useful security information.


Setting up the DNS Server as a Data Source for the McAfee ESM


The first step is to enable debug logging on the Microsoft DNS Server. On your Microsoft DNS Server, perform the following:

  1. Open the Domain Name System Microsoft Management Console (DNS MMC) snap-in.
  2. Click Start, Programs, Administrative Tools, and then DNS.
  3. In the DNS console, right-click the server and select Properties.
  4. The Properties window will appear on your screen.
  5. Select the Debug Logging tab and check the Log packets for debugging check box.
  6. Ensure that the Incoming, UDP, Queries/Transfers, and Request check boxes are selected.
  7. The log file is written to: systemroot\System32\Dns\Dns.log

01.png

Next, configure the McAfee SIEM Collector to send the DNS logs over to the McAfee SIEM.

Download the collector from the McAfee product download site.

http://www.mcafee.com/us/downloads/downloads.aspx

After the collector is installed, open the McAfee SIEM Collector Management Utility.

For the Receiver options, enter your ESM Receiver IP address:

02.png

Right-click Event Collectors and create a new group. I named my group Microsoft.

In the group options, enter your credentials for the Windows Server. These credentials are used to read the DNS logs.

03.png

Right-click your group and click Add Host. This holds the settings for your host and collector. Enter your Host Name/IP at the top.

Next, create and name a new configuration and enter the details for your DNS log. We're going to tail the end of the log file and send new lines to the McAfee ESM.

Log Directory: C:\Windows\System32\dns

Log File: dns.log

Tail Mode: End of file

Enabled: Checked

04.png

Now that the DNS Server and collector are set up, we need to add the server as a data source on the McAfee ESM.

Setting up the McAfee ESM Receiver


  1. Select the Receiver where you will be adding the data source.
  2. After selecting the Receiver, click the “Add Data Source” icon.


05.png


On the Data Source Screen


Data Source Vendor – Microsoft

Data Source Model – Windows DNS (ASP)

Data Format – Default

Data Retrieval – MEF

Enabled: Parsing/Logging/SNMP Trap – <Default>

Name – Name of data source

IP Address/Hostname – The IP address and host name of the data source device (the IP must match the one configured in the SIEM Collector)

Host ID – Host ID associated with the SIEM Collector log tail configuration if applicable

Support Generic Syslogs – Do nothing

Time Zone – Time zone of data being sent.


06.png


Utilizing the Data


Now that you have the DNS data in your McAfee ESM, you can gather very useful information from the logs.


McAfee ESM includes Content Packs, which are prepackaged sets of views, alarms, reports, watchlists, variables, and correlation rules. One of the available content packs is the DNS Content Pack. To download it in the McAfee ESM, go to the Content Pack section in System Properties, click Browse, select the DNS Content Pack, and click Install.


08.png

After the DNS Content Pack is installed, we will modify one of the Correlation Rules to fit our environment.

First, go to the correlation rules section by clicking on the Correlation icon in the top right.


09.png


Next, select the "DNS - Communication with Malicious Host - Event or Flow" rule, open the Edit menu drop-down and select Copy, then open it again and select Paste. This creates a duplicate of the rule.


10.png


Now, select the newly created correlation rule and go to Edit > Modify.


First, let's change the Name of this correlation rule by appending "Modified" to the end. Next, click the drop-down in the rule's filter and select Edit.


11.png


Uncheck the Flows option and click on the Add button on the right.


12.png


We're going to match this correlation rule against the event "Win_DNS A Query Sent", which includes the client's IP address for DNS requests. The Signature ID of this event is 266-1013188. When we add it, it should look like this.


13.png


Now, we'll want to remove the Destination Port by selecting it and clicking Delete.


14.png


Okay, now we have our correlation rule set up. This rule will trigger any time a client communicates with a malicious host. When you look at the rule, make note of its Signature ID (the Signature ID of your newly created rule will be different from mine). We will use it to create an alarm that automatically notifies you when this rule is triggered.
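To make the correlation concrete, here is an added example (not code from the page or from McAfee) that emulates what the modified rule does: it reads Windows DNS debug-log lines, keeps only incoming client queries (the "Win_DNS A Query Sent" style events, not the server's responses), decodes the length-prefixed query name, and checks it against a watchlist of malicious domains. The log lines, IPs, domains and the watchlist are constructed for the example and only approximate the Dns.log layout; unlike the page's rule, which keys on the A-query event, this version flags a hit for any record type.

```python
import re

# Constructed sample of Windows DNS debug-log lines (Dns.log), approximating the
# layout produced by the page's Debug Logging settings (Incoming, UDP, Queries, Request).
# Every IP, name and identifier here is made up for this example.
SAMPLE_LOG = """\
11/18/2015 3:28:12 PM 0A3C PACKET  0000000002A3B6C0 UDP Rcv 10.1.20.15      0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
11/18/2015 3:28:12 PM 0A3C PACKET  0000000002A3B6C0 UDP Snd 10.1.20.15      0002 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
11/18/2015 3:28:13 PM 0A3C PACKET  0000000002A3B900 UDP Rcv 10.1.20.42      91f3   Q [0001   D   NOERROR] A      (4)evil(7)example(3)net(0)
11/18/2015 3:28:14 PM 0A3C PACKET  0000000002A3BA40 UDP Rcv 10.1.20.42      91f4   Q [0001   D   NOERROR] TXT    (6)beacon(4)evil(7)example(3)net(0)
11/18/2015 3:28:15 PM 0A3C PACKET  0000000002A3BB80 UDP Rcv 10.1.20.15      0003   Q [0001   D   NOERROR] A      (8)notevil(7)example(3)net(0)
"""

# Constructed stand-in for the ESM malicious-host watchlist (assumption: exact
# domains; subdomains of an entry are treated as hits too).
WATCHLIST = {"evil.example.net"}

# One debug-log packet line: date, time, thread, PACKET, packet id, protocol,
# direction, remote IP, transaction id, optional "R" (response), opcode,
# [flags], query type, length-prefixed query name.
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+\s+[AP]M)\s+"
    r"(?P<thread>[0-9A-Fa-f]+)\s+PACKET\s+(?P<packet>[0-9A-Fa-f]+)\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<direction>Snd|Rcv)\s+(?P<remote_ip>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]+)\s+(?:(?P<response>R)\s+)?(?P<opcode>[A-Z])\s+"
    r"\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)


def decode_qname(encoded):
    """Turn the log's '(3)www(7)example(3)com(0)' form into 'www.example.com'."""
    labels = [label for _, label in re.findall(r"\((\d+)\)([^()]*)", encoded) if label]
    return ".".join(labels).lower()


def parse_line(line):
    """Parse one Dns.log packet line into a dict, or return None for lines we don't understand."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["is_response"] = rec["response"] == "R"
    rec["qname"] = decode_qname(rec["qname"])
    return rec


def watchlist_hit(qname, watchlist):
    """Return the watchlist entry matching qname exactly or as a parent domain, else None."""
    parts = qname.split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in watchlist:
            return candidate
    return None


def correlate(log_text, watchlist):
    """Emulate the page's 'DNS - Communication with Malicious Host' rule: only incoming
    client queries are considered, and each one is checked against the watchlist."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["is_response"] or rec["direction"] != "Rcv":
            continue
        hit = watchlist_hit(rec["qname"], watchlist)
        if hit:
            alerts.append({
                "time": f"{rec['date']} {rec['time']}",
                "client": rec["remote_ip"],
                "qtype": rec["qtype"],
                "qname": rec["qname"],
                "matched": hit,
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG, WATCHLIST):
        print(alert)
```

Running it prints two alerts, both for client 10.1.20.42: the direct lookup of evil.example.net and the TXT lookup of beacon.evil.example.net. The server's own response line and the lookup of notevil.example.net are not flagged, which is the point of filtering on direction and matching on whole labels rather than substrings.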


15.png


There are also other Correlation Rules built into the DNS Content Pack that can surface important events. Some of them are:


  • DNS - Multiple Recon Events from a Local Host
  • DNS - Multiple Recon Events from a Remote Host
  • DNS - Possible DNS Amplification Attack
  • DNS - Possible DNS connection or Unauthorized DNS server
  • DNS - Traffic with a Passive DNS known Malware Domain


Content Packs can also be updated with new rules and other elements in the future.


Creating an Alarm


Using the correlation rules, you can create an alarm to alert you whenever there is suspicious activity. Be careful not to create too many low-value alarms: the noise will drown out the signal and you'll end up ignoring all of them, even when there is a critical alert. That said, alarms are helpful for notifying you when an important event is occurring.


To create an alarm, go to your System Information panel and click Alarms, then click Add.

Enter a name such as "Client Communicating with Malicious Host".


16.png


Now, click on the Condition tab. For the Type, select Internal Event Match.

For the Field, select Signature ID.

For the Value, enter the Signature ID of your Correlation Rule.


17.png


For the Devices tab, select your correlation device.


18.png


In the Actions tab, check the Send Message box and configure it to send to your administrators.


19.png


After that, you can also add an escalation that fires if no one acknowledges the alarm within a set period of time.


20.png


After you've configured the alarm, click Finish. Now, any time the correlation rule is triggered, it will automatically send out an email notifying you of the incident.

Comments

This is great for those using a Windows DNS server.  What about those of us using a Linux BIND solution, such as Men & Mice?  I can see us using the Linux collector, but what logs would we tail?  Just queries?

Dan

BIND logs are supported under the Unix | Linux parser rules. Without knowledge of Men and Mice specifically, I can say that you can toggle BIND query logging by typing "rndc querylog". If you need encryption, you can use the Linux collector; otherwise syslog is fine. If you really want to dig into BIND logging, you can use something like the excerpt below. For the first couple of categories, including queries, I pipe them to syslog and they end up in my messages file and are forwarded. With the files broken out you have an opportunity to see the events grouped and more easily determine if they would be relevant to any of your use cases.

Query logs are good for use cases like finding malware/botnets/C&C/FastFlux and also direct attacks such as the UDP DoS that leaves "ANY TKEY" in the logs as evidence (or crashes it if it's unpatched).

root@krampus:/var/log/named# cat /etc/bind/named.conf.logging

logging {
    channel default_file {
        file "/var/log/named/default.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel general_file {
        syslog daemon;
        // file "/var/log/named/general.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel dnssec_file {
        syslog local1;
        // file "/var/log/named/dnssec.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel security_file {
        syslog local1;
        // file "/var/log/named/security.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel queries_file {
        syslog local2;
        // file "/var/log/named/queries.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel database_file {
        file "/var/log/named/database.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel config_file {
        file "/var/log/named/config.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel resolver_file {
        file "/var/log/named/resolver.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel xfer-in_file {
        file "/var/log/named/xfer-in.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel xfer-out_file {
        file "/var/log/named/xfer-out.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel notify_file {
        file "/var/log/named/notify.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel client_file {
        file "/var/log/named/client.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel unmatched_file {
        file "/var/log/named/unmatched.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel network_file {
        file "/var/log/named/network.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel update_file {
        file "/var/log/named/update.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel dispatch_file {
        file "/var/log/named/dispatch.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel lame-servers_file {
        file "/var/log/named/lame-servers.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };

    category default { default_file; };
    category general { general_file; };
    category database { database_file; };
    category security { security_file; };
    category config { config_file; };
    category resolver { resolver_file; };
    category xfer-in { xfer-in_file; };
    category xfer-out { xfer-out_file; };
    category notify { notify_file; };
    category client { client_file; };
    category unmatched { unmatched_file; };
    category queries { queries_file; };
    category network { network_file; };
    category update { update_file; };
    category dispatch { dispatch_file; };
    category dnssec { dnssec_file; };
    category lame-servers { lame-servers_file; };
};
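As an added example, separate from the comment above and not part of the original thread or of BIND itself: once the queries channel is going to syslog as in the configuration above, the lines can be parsed and grouped before they ever reach the ESM. The code below parses BIND query-log lines in syslog form, summarizes queries per client and record type (the "see the events grouped" view the comment describes), and flags any client that sends a burst of ANY queries inside a sliding window, a simple analogue of the content pack's "Possible DNS Amplification Attack" rule. The log lines, hosts, IPs, names, the window and the threshold are constructed for the example; the year is assumed to be 2015 because syslog timestamps carry none.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed BIND query-log lines as received over syslog from the 'queries'
# channel. Hosts, IPs and names are made up for this example.
SAMPLE_SYSLOG = """\
Nov 18 15:28:10 krampus named[1234]: client 10.1.20.15#53412 (www.example.com): query: www.example.com IN A + (10.1.20.1)
Nov 18 15:28:11 krampus named[1234]: client 198.51.100.7#40000 (example.org): query: example.org IN ANY +E (10.1.20.1)
Nov 18 15:28:11 krampus named[1234]: client 198.51.100.7#40001 (example.org): query: example.org IN ANY +E (10.1.20.1)
Nov 18 15:28:12 krampus named[1234]: client 198.51.100.7#40002 (example.org): query: example.org IN ANY +E (10.1.20.1)
Nov 18 15:28:12 krampus named[1234]: client 10.1.20.42#53500 (example.net): query: example.net IN MX + (10.1.20.1)
Nov 18 15:28:13 krampus named[1234]: client 198.51.100.7#40003 (example.org): query: example.org IN ANY +E (10.1.20.1)
Nov 18 15:29:40 krampus named[1234]: client 198.51.100.7#40004 (example.org): query: example.org IN ANY +E (10.1.20.1)
"""

LOG_YEAR = 2015        # assumption: syslog timestamps have no year
WINDOW_SECONDS = 60    # constructed detection window
ANY_THRESHOLD = 3      # constructed: ANY queries from one client inside the window

# syslog header, then BIND's "client IP#port (name): query: name class type flags".
# The optional "@0x..." token accommodates newer BIND releases that print a client handle.
QUERY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) named\[\d+\]: "
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) \((?P<name>[^)]*)\): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_bind_query(line):
    """Parse one syslog-wrapped BIND query line into a dict with a datetime 'ts', or None."""
    m = QUERY_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{LOG_YEAR} {rec['ts']}", "%Y %b %d %H:%M:%S")
    return rec


def summarize_by_client(log_text):
    """Group query counts by client IP and record type."""
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_bind_query(line)
        if rec:
            summary[rec["ip"]][rec["qtype"].upper()] += 1
    return summary


def detect_any_bursts(log_text, window=WINDOW_SECONDS, threshold=ANY_THRESHOLD):
    """Flag each client the first time it sends >= threshold ANY queries within `window`
    seconds. Alerting once per client keeps a sustained burst from producing a flood of
    alarms, the signal-to-noise concern the article raises."""
    recent = defaultdict(deque)   # client IP -> timestamps of its recent ANY queries
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_bind_query(line)
        if rec is None or rec["qtype"].upper() != "ANY":
            continue
        stamps = recent[rec["ip"]]
        stamps.append(rec["ts"])
        # Drop timestamps that have slid out of the window.
        while (rec["ts"] - stamps[0]).total_seconds() > window:
            stamps.popleft()
        if len(stamps) >= threshold and rec["ip"] not in alerted:
            alerted.add(rec["ip"])
            alerts.append({
                "client": rec["ip"],
                "count": len(stamps),
                "first": stamps[0],
                "last": rec["ts"],
            })
    return alerts


if __name__ == "__main__":
    for client, types in summarize_by_client(SAMPLE_SYSLOG).items():
        print(client, dict(types))
    for alert in detect_any_bursts(SAMPLE_SYSLOG):
        print("ANY burst:", alert)
```

With the sample input, the summary shows 198.51.100.7 issuing only ANY queries, and the burst detector raises a single alert for it at the third ANY query within the 60-second window; the lone A and MX lookups from the internal clients never trigger anything.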

Version history
Revision: 1 of 1
Last update: 11-18-2015 03:28 PM
