Greetings fellow SIEM folk,
Currently I'm getting syslog info from an Infoblox appliance and only seeing these events from it:
Of these, the only one I sorta care about at present is the first one, but it only tells you what domain got resolved. It doesn't tell you what host requested the resolution, nor does it say the IP to which the name resolved.
Q: Does anyone perchance know the incantations to get this additional requesting host and resolved responses info enabled on the Infoblox devices so they'll volunteer it to SIEM? If so, I'd love to pass such info on to our Infoblox admins.
Unnecessary but perhaps interesting detail:
I've pressed our Infoblox folks internally and they're saying an Infoblox sales engineer is trying to suggest that I need their $35k reporter just to get detailed DNS logging out of their Trinzic DDI (DNS, DHCP, IP management) appliances? It was 4th quarter and sales organization folks at the time... are predictable and sometimes dim. As detailed DNS logging is something Microsoft domain controllers happily do for free if you turn on debug logging and specify a few checkboxes and a file name, I'd love to call BS on this "you need our reporter solution" pitch if at all possible.
My customary 10 minutes of googling revealed this bit of NIOS Admin manual, but I'm not sure if it's available in older versions of NIOS. This environment is currently running 6.8.6. ...
Q: does ESM know what to do with these captures with respect to grabbing via scp/ftp and parsing these capture files?
Or am I missing a simpler way to get what I want via syslog?
Configuring the Capture of DNS Queries and Responses
You can capture DNS queries and responses for later analysis. A capture file for logging DNS queries and responses is compressed and sent every 10 minutes or when it reaches 100 MB in size, whichever comes sooner. The capture file is automatically exported to an FTP or SCP server that you specify. Note that capturing DNS queries and responses will affect system performance. Infoblox recommends that you constantly monitor the FTP or SCP server to ensure that it has sufficient disk space. DNS queries and responses are stored on the appliance if the FTP or SCP server becomes unreachable. The maximum storage capacity varies based on the appliance model. After reaching the maximum limit, the appliance overwrites the old data with the new one. For information about the maximum hard drive space, see Maximum Hard Drive Space used for DNS queries and Responses on page 1126. The amount of data captured depends on the DNS query rate and the domains that are included in or excluded from the capture. For information about how to exclude domains, see Excluding Domains From Query and Response Capture on page 1127.
You can capture queries to all domains or limit the capture to specific domains. You can apply the Bulk Add Domains feature to tailor query capture to a desired subset of domains or zones. While performing query captures, NIOS matches the specified domain name(s) and everything that belongs to the domain. For example, when you specify ‘foo.com’ as the domain, NIOS captures queries sent to ‘foo.com,’ ‘mail.foo.com,’ and ‘ftp.foo.com.’ NIOS captures queries to domains for which a name server is authoritative; it also captures recursive queries. Note that this feature does not support wildcard characters or regular expressions.
The DNS query generates a query message in the following format:
<dd-mmm-YYYY HH:MM:SS:uuu> <client IP>#<port> query: <query_Domain name> <class name> <type name> <- or +>[SETDC] <(name server ip)>
Sample DNS query message:
30-Apr-2013 13:35:02.187 client 10.120.20.32#42386: query: foo.com IN A + (100.90.80.102)
You can capture DNS responses for the DNS queries sent to the server. The amount of data captured depends on the domains that are included in or excluded from the capture. A DNS response is based on a query generated for a domain. In the response message, NIOS captures the TTL value of a resource record, the resource record type, and resource data.
Following are characteristics of the response messages:
• They log only the answer section and do not include the authority and additional sections.
• Responses to all queries are logged, including queries with the type “ANY.”
• The RR (resource record) list is not available at the end of a response message if rcode has a value other than NOERROR or if the response is NOERROR (nodata).
• Responses to all RR types, including those records not managed by NIOS such as HINFO records, are logged. However, there are few exceptions for some of the scenarios with DNSSEC records.
• Responses containing DNSSEC RRs (DNSKEY, DS, NSEC, NSEC3, NSEC3PARAM, RRSIG) when queried for non-DNSSEC RRs are not logged. However, responses are logged if a DNSSEC RR is explicitly queried.
• DNS updates are not logged in responses.
(Excerpt from NIOS Administrator Guide (Rev. E), NIOS 6.10, page 1124.)
DNS Response Message Format and Examples
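As an added example (not from the original post, McAfee ESM, or the NIOS manual), here is a small Python parser for the query-log line format quoted from the manual above, together with the domain suffix matching the manual describes ('foo.com' covering mail.foo.com and ftp.foo.com). It runs over the manual's own sample line plus a few constructed lines; those extra lines, the malformed line, and the "foo.com" watch domain are assumptions made for the demonstration. Note what the query record does and does not give a SIEM: the requesting client IP and port are there, but the address the name resolved to is not, since that only appears in the separate response message.

```python
import re
from datetime import datetime
from typing import List, Optional

# Query line format quoted from the NIOS manual excerpt:
# <dd-mmm-YYYY HH:MM:SS.uuu> client <client IP>#<port>: query: <name> <class> <type> <-|+>[SETDC] (<name server ip>)
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client_ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>[-+][SETDC]*) \((?P<server_ip>[0-9A-Fa-f.:]+)\)$"
)

# Constructed sample input: the first line is the manual's own example; the rest are
# made-up lines in the same format, including one malformed line a parser must tolerate.
SAMPLE_LINES = [
    "30-Apr-2013 13:35:02.187 client 10.120.20.32#42386: query: foo.com IN A + (100.90.80.102)",
    "30-Apr-2013 13:35:05.001 client 10.120.20.45#51000: query: mail.foo.com IN MX -E (100.90.80.102)",
    "30-Apr-2013 13:35:06.500 client 10.120.20.32#42390: query: example.net IN AAAA + (100.90.80.102)",
    "30-Apr-2013 13:35:07.000 client 10.120.20.45#51001: query: notfoo.com IN A + (100.90.80.102)",
    "this line is not a query record",
]


def parse_query_line(line: str) -> Optional[dict]:
    """Parse one query-log line into its fields; return None if the line does not match."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    flags = d["flags"]
    return {
        "timestamp": datetime.strptime(d["ts"], "%d-%b-%Y %H:%M:%S.%f"),
        "client_ip": d["client_ip"],            # the requesting host the original poster was missing
        "client_port": int(d["port"]),
        "qname": d["qname"].rstrip(".").lower(),
        "qclass": d["qclass"],
        "qtype": d["qtype"],
        "recursion_desired": flags[0] == "+",   # '+' = RD bit set, '-' = not set
        "flag_letters": flags[1:],              # any of S,E,T,D,C per the manual's format string
        "server_ip": d["server_ip"],            # the NIOS server that answered, not the resolved address
    }


def in_domain(qname: str, domain: str) -> bool:
    """Suffix match as the manual describes: 'foo.com' covers foo.com, mail.foo.com, ftp.foo.com."""
    q = qname.rstrip(".").lower()
    dom = domain.rstrip(".").lower()
    return q == dom or q.endswith("." + dom)


def queries_in_domains(lines: List[str], watch_domains: List[str]) -> List[dict]:
    """Return parsed records whose query name falls under any watched domain."""
    hits = []
    for line in lines:
        rec = parse_query_line(line)
        if rec is None:
            continue  # skip malformed / unrelated lines rather than failing the whole batch
        if any(in_domain(rec["qname"], d) for d in watch_domains):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in queries_in_domains(SAMPLE_LINES, ["foo.com"]):
        print(rec["timestamp"].isoformat(), rec["client_ip"], rec["qtype"], rec["qname"])
```

The suffix check deliberately requires a leading dot, so "notfoo.com" is not treated as part of "foo.com"; that is the behaviour the manual's foo.com / mail.foo.com / ftp.foo.com example implies, and it is the same matching a SIEM rule would want when pivoting from a domain of interest to the clients that asked for it.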
ESM does have a facility to fetch events via SFTP/FTP, however my experience has been somewhat negative.
The receiver seems to lose the pointer quite often, and thus duplicates the log entries with every read. (As you can imagine, it can cause some serious headaches.)
However, if you are running 9.6 you can use NFS/CIFS which now has a tail function and a much more powerful filtering option. (see release notes)
Otherwise the log collector agent does a good job tailing files on a *nix or Windows platform.
Once you can confirm you have good connectivity, try setting the data source to unknown sources to see if it's missing any events and adjust the parser accordingly.
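The duplicate-entries problem described in the reply above (the collector losing its read pointer and re-ingesting the file) is exactly what a persisted offset guards against. The following Python tailer is an added example, not McAfee ESM, Infoblox, or the log collector agent's code, and the file names and sample lines are constructed assumptions: it records the file's inode and byte offset after each read, restarts from zero on rotation or truncation, and holds back a partial trailing line until the next pass so a half-written record is never emitted.

```python
import json
import os
import tempfile
from typing import List, Tuple


def read_new_lines(log_path: str, state_path: str) -> List[str]:
    """Return complete lines appended since the last call; persist (inode, offset) in state_path."""
    state = {"inode": None, "offset": 0}
    if os.path.exists(state_path):
        with open(state_path) as f:
            state = json.load(f)

    st = os.stat(log_path)
    # Rotation (different inode) or truncation (file shorter than saved offset): start over.
    if state["inode"] != st.st_ino or st.st_size < state["offset"]:
        state = {"inode": st.st_ino, "offset": 0}

    with open(log_path, "rb") as f:
        f.seek(state["offset"])
        data = f.read()

    # Consume only whole lines; leave any unterminated tail for the next read.
    end = data.rfind(b"\n")
    if end == -1:
        return []
    complete = data[: end + 1]
    lines = complete.decode("utf-8", errors="replace").splitlines()
    state["offset"] += len(complete)

    # Write the checkpoint atomically so a crash mid-write cannot leave a corrupt pointer.
    tmp = state_path + ".tmp"
    with open(tmp, "w") as f:
        json.dump(state, f)
    os.replace(tmp, state_path)
    return lines


def demo() -> Tuple[List[str], List[str], List[str], List[str], List[str]]:
    """Constructed scenario: repeated reads, a partial line, then a truncate-and-rewrite."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "dns-capture.log")     # assumed file name
        state = os.path.join(d, "dns-capture.state")  # assumed checkpoint name
        with open(log, "w") as f:
            f.write("line1\nline2\n")
        first = read_new_lines(log, state)    # both lines
        second = read_new_lines(log, state)   # nothing new: no duplicates on re-read
        with open(log, "a") as f:
            f.write("line3\npartial")
        third = read_new_lines(log, state)    # line3 only; "partial" is held back
        with open(log, "a") as f:
            f.write(" end\n")
        fourth = read_new_lines(log, state)   # the completed "partial end"
        with open(log, "w") as f:
            f.write("rotated\n")              # truncation: offset reset, read from start
        fifth = read_new_lines(log, state)
        return first, second, third, fourth, fifth


if __name__ == "__main__":
    for batch in demo():
        print(batch)
```

The checkpoint is written with a rename rather than in place, because a pointer file that is corrupt or empty after a crash produces the same symptom the reply describes: the next poll starts from the beginning and every event lands in the SIEM twice.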
In order to get detailed query and response data into the syslog stream you will need to configure syslog accordingly to do so. See page 1015 entitled “Setting DNS Logging Categories” in the manual you linked for specifics on how that can be accomplished.
Syslog is not the most efficient messaging mechanism, and hundreds of QPS can easily drive the CPU up substantially. Enabling this doesn’t require any additional appliances or licenses.
The Query Capture feature uses a non-syslog mechanism to collect the query and response data, and requires significantly less resources. In current GA versions of NIOS the Query Capture feature is enabled with the reporting license, which is likely what your Sales Engineer was getting at.
One benefit to be aware of with the Reporting Appliance is that it can be a great mechanism to filter out “noise” going to your SIEM. For example using the Infoblox DNS Firewall you could use the reporting solution to only send CSVs of queries to known malicious domains.
You may also want to check out our Infoblox end user community at https://community.infoblox.com
We are using Infoblox for DHCP, not DNS. We are seeing a lot of different signatures, some of which we had to filter out coming to the ESM as they were too noisy when enabled on our Guest Wireless VLAN.
They are simply forwarding us 'Syslog - Informational', and our Data Source is setup using the "Infoblox > NIOS (ASP)" Data Source Model