Update error codes for sysmon DNS (elastic#16040)

This generates a list of error numbers / symbolic names from winerror.h. I included errors that began with "DNS_" and some additional error codes as reported in elastic#15685. Fixes elastic#15685 (cherry picked from commit 8f5d755)
andrewkroh · Mar 10, 2020 · 33dc5a2 · 33dc5a2
1 parent eeddacf
commit 33dc5a2
Show file tree

Hide file tree

Showing 3 changed files with 259 additions and 57 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -300,6 +300,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 
 *Winlogbeat*
 
+- Add more DNS error codes to the Sysmon module. {issue}15685[15685]
 
 ==== Deprecated
 

diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
@@ -17,74 +17,45 @@ var sysmon = (function () {
     var processor = require("processor");
     var winlogbeat = require("winlogbeat");
 
-    // Windows error codes for DNS.
-    // https://docs.microsoft.com/en-us/windows/win32/debug/system-error-codes--9000-11999-
+    // Windows error codes for DNS. This list was generated using
+    // 'go run gen_dns_error_codes.go'.
     var dnsQueryStatusCodes = {
         "0": "SUCCESS",
-        "2329": "DNS_ERROR_RCODE_FORMAT_ERROR",
-        "2330": "DNS_ERROR_RCODE_NXRRSET",
-        "2331": "DNS_ERROR_RCODE_NOTAUTH",
-        "2332": "DNS_ERROR_RCODE_NOTZONE",
-        "2338": "DNS_ERROR_RCODE_BADSIG",
-        "2339": "DNS_ERROR_RCODE_BADKEY",
-        "2390": "DNS_ERROR_NOT_ENOUGH_SIGNING_KEY_DESCRIPTORS",
-        "2391": "DNS_ERROR_UNSUPPORTED_ALGORITHM",
-        "2392": "DNS_ERROR_INVALID_KEY_SIZE",
-        "2393": "DNS_ERROR_SIGNING_KEY_NOT_ACCESSIBLE",
-        "2394": "DNS_ERROR_KSP_DOES_NOT_SUPPORT_PROTECTION",
-        "2395": "DNS_ERROR_UNEXPECTED_DATA_PROTECTION_ERROR",
-        "2396": "DNS_ERROR_UNEXPECTED_CNG_ERROR",
-        "2397": "DNS_ERROR_UNKNOWN_SIGNING_PARAMETER_VERSION",
-        "2398": "DNS_ERROR_KSP_NOT_ACCESSIBLE",
-        "2399": "DNS_ERROR_TOO_MANY_SKDS",
-        "2520": "DNS_ERROR_RCODE",
-        "2521": "DNS_ERROR_UNSECURE_PACKET",
-        "2522": "DNS_REQUEST_PENDING",
-        "2550": "DNS_ERROR_INVALID_IP_ADDRESS",
-        "2551": "DNS_ERROR_INVALID_PROPERTY",
-        "2552": "DNS_ERROR_TRY_AGAIN_LATER",
-        "2553": "DNS_ERROR_NOT_UNIQUE",
-        "2554": "DNS_ERROR_NON_RFC_NAME",
-        "2555": "DNS_STATUS_FQDN",
-        "2556": "DNS_STATUS_DOTTED_NAME",
-        "2557": "DNS_STATUS_SINGLE_PART_NAME",
-        "2558": "DNS_ERROR_INVALID_NAME_CHAR",
-        "2559": "DNS_ERROR_NUMERIC_NAME",
-        "2560": "DNS_ERROR_BACKGROUND_LOADING",
-        "2561": "DNS_ERROR_NOT_ALLOWED_ON_RODC",
-        "2562": "DNS_ERROR_NOT_ALLOWED_UNDER_DNAME",
-        "2563": "DNS_ERROR_DELEGATION_REQUIRED",
-        "2564": "DNS_ERROR_INVALID_POLICY_TABLE",
-        "2581": "DNS_ERROR_ZONE_DOES_NOT_EXIST",
-        "2582": "DNS_ERROR_NO_ZONE_INFO",
-        "2583": "DNS_ERROR_INVALID_ZONE_OPERATION",
-        "2584": "DNS_ERROR_ZONE_CONFIGURATION_ERROR",
-        "2585": "DNS_ERROR_ZONE_HAS_NO_SOA_RECORD",
-        "2586": "DNS_ERROR_ZONE_HAS_NO_NS_RECORDS",
-        "2587": "DNS_ERROR_ZONE_LOCKED",
-        "2588": "DNS_ERROR_ZONE_CREATION_FAILED",
-        "2589": "DNS_ERROR_ZONE_ALREADY_EXISTS",
-        "2590": "DNS_ERROR_NEED_WINS_SERVERS",
-        "2591": "DNS_ERROR_NBSTAT_INIT_FAILED",
-        "2592": "DNS_ERROR_SOA_DELETE_INVALID",
-        "2593": "DNS_ERROR_FORWARDER_ALREADY_EXISTS",
-        "2594": "DNS_ERROR_ZONE_REQUIRES_MASTER_IP",
-        "2595": "DNS_ERROR_ZONE_IS_SHUTDOWN",
-        "2596": "DNS_ERROR_ZONE_LOCKED_FOR_SIGNING",
-        "2617": "DNS_INFO_AXFR_COMPLETE",
-        "2618": "DNS_ERROR_AXFR",
-        "2619": "DNS_INFO_ADDED_LOCAL_WINS",
-        "2649": "DNS_STATUS_CONTINUE_NEEDED",
+        "5": "ERROR_ACCESS_DENIED",
+        "8": "ERROR_NOT_ENOUGH_MEMORY",
+        "13": "ERROR_INVALID_DATA",
+        "14": "ERROR_OUTOFMEMORY",
+        "123": "ERROR_INVALID_NAME",
+        "1214": "ERROR_INVALID_NETNAME",
+        "1223": "ERROR_CANCELLED",
+        "1460": "ERROR_TIMEOUT",
+        "4312": "ERROR_OBJECT_NOT_FOUND",
+        "9001": "DNS_ERROR_RCODE_FORMAT_ERROR",
         "9002": "DNS_ERROR_RCODE_SERVER_FAILURE",
         "9003": "DNS_ERROR_RCODE_NAME_ERROR",
         "9004": "DNS_ERROR_RCODE_NOT_IMPLEMENTED",
         "9005": "DNS_ERROR_RCODE_REFUSED",
         "9006": "DNS_ERROR_RCODE_YXDOMAIN",
         "9007": "DNS_ERROR_RCODE_YXRRSET",
+        "9008": "DNS_ERROR_RCODE_NXRRSET",
+        "9009": "DNS_ERROR_RCODE_NOTAUTH",
+        "9010": "DNS_ERROR_RCODE_NOTZONE",
+        "9016": "DNS_ERROR_RCODE_BADSIG",
+        "9017": "DNS_ERROR_RCODE_BADKEY",
         "9018": "DNS_ERROR_RCODE_BADTIME",
         "9101": "DNS_ERROR_KEYMASTER_REQUIRED",
         "9102": "DNS_ERROR_NOT_ALLOWED_ON_SIGNED_ZONE",
         "9103": "DNS_ERROR_NSEC3_INCOMPATIBLE_WITH_RSA_SHA1",
+        "9104": "DNS_ERROR_NOT_ENOUGH_SIGNING_KEY_DESCRIPTORS",
+        "9105": "DNS_ERROR_UNSUPPORTED_ALGORITHM",
+        "9106": "DNS_ERROR_INVALID_KEY_SIZE",
+        "9107": "DNS_ERROR_SIGNING_KEY_NOT_ACCESSIBLE",
+        "9108": "DNS_ERROR_KSP_DOES_NOT_SUPPORT_PROTECTION",
+        "9109": "DNS_ERROR_UNEXPECTED_DATA_PROTECTION_ERROR",
+        "9110": "DNS_ERROR_UNEXPECTED_CNG_ERROR",
+        "9111": "DNS_ERROR_UNKNOWN_SIGNING_PARAMETER_VERSION",
+        "9112": "DNS_ERROR_KSP_NOT_ACCESSIBLE",
+        "9113": "DNS_ERROR_TOO_MANY_SKDS",
         "9114": "DNS_ERROR_INVALID_ROLLOVER_PERIOD",
         "9115": "DNS_ERROR_INVALID_INITIAL_ROLLOVER_OFFSET",
         "9116": "DNS_ERROR_ROLLOVER_IN_PROGRESS",
@@ -105,19 +76,54 @@ var sysmon = (function () {
         "9501": "DNS_INFO_NO_RECORDS",
         "9502": "DNS_ERROR_BAD_PACKET",
         "9503": "DNS_ERROR_NO_PACKET",
+        "9504": "DNS_ERROR_RCODE",
+        "9505": "DNS_ERROR_UNSECURE_PACKET",
+        "9506": "DNS_REQUEST_PENDING",
         "9551": "DNS_ERROR_INVALID_TYPE",
+        "9552": "DNS_ERROR_INVALID_IP_ADDRESS",
+        "9553": "DNS_ERROR_INVALID_PROPERTY",
+        "9554": "DNS_ERROR_TRY_AGAIN_LATER",
+        "9555": "DNS_ERROR_NOT_UNIQUE",
+        "9556": "DNS_ERROR_NON_RFC_NAME",
+        "9557": "DNS_STATUS_FQDN",
+        "9558": "DNS_STATUS_DOTTED_NAME",
+        "9559": "DNS_STATUS_SINGLE_PART_NAME",
+        "9560": "DNS_ERROR_INVALID_NAME_CHAR",
+        "9561": "DNS_ERROR_NUMERIC_NAME",
         "9562": "DNS_ERROR_NOT_ALLOWED_ON_ROOT_SERVER",
         "9563": "DNS_ERROR_NOT_ALLOWED_UNDER_DELEGATION",
         "9564": "DNS_ERROR_CANNOT_FIND_ROOT_HINTS",
         "9565": "DNS_ERROR_INCONSISTENT_ROOT_HINTS",
         "9566": "DNS_ERROR_DWORD_VALUE_TOO_SMALL",
         "9567": "DNS_ERROR_DWORD_VALUE_TOO_LARGE",
+        "9568": "DNS_ERROR_BACKGROUND_LOADING",
+        "9569": "DNS_ERROR_NOT_ALLOWED_ON_RODC",
+        "9570": "DNS_ERROR_NOT_ALLOWED_UNDER_DNAME",
+        "9571": "DNS_ERROR_DELEGATION_REQUIRED",
+        "9572": "DNS_ERROR_INVALID_POLICY_TABLE",
+        "9573": "DNS_ERROR_ADDRESS_REQUIRED",
+        "9601": "DNS_ERROR_ZONE_DOES_NOT_EXIST",
+        "9602": "DNS_ERROR_NO_ZONE_INFO",
+        "9603": "DNS_ERROR_INVALID_ZONE_OPERATION",
+        "9604": "DNS_ERROR_ZONE_CONFIGURATION_ERROR",
+        "9605": "DNS_ERROR_ZONE_HAS_NO_SOA_RECORD",
+        "9606": "DNS_ERROR_ZONE_HAS_NO_NS_RECORDS",
+        "9607": "DNS_ERROR_ZONE_LOCKED",
+        "9608": "DNS_ERROR_ZONE_CREATION_FAILED",
+        "9609": "DNS_ERROR_ZONE_ALREADY_EXISTS",
         "9610": "DNS_ERROR_AUTOZONE_ALREADY_EXISTS",
         "9611": "DNS_ERROR_INVALID_ZONE_TYPE",
         "9612": "DNS_ERROR_SECONDARY_REQUIRES_MASTER_IP",
         "9613": "DNS_ERROR_ZONE_NOT_SECONDARY",
         "9614": "DNS_ERROR_NEED_SECONDARY_ADDRESSES",
         "9615": "DNS_ERROR_WINS_INIT_FAILED",
+        "9616": "DNS_ERROR_NEED_WINS_SERVERS",
+        "9617": "DNS_ERROR_NBSTAT_INIT_FAILED",
+        "9618": "DNS_ERROR_SOA_DELETE_INVALID",
+        "9619": "DNS_ERROR_FORWARDER_ALREADY_EXISTS",
+        "9620": "DNS_ERROR_ZONE_REQUIRES_MASTER_IP",
+        "9621": "DNS_ERROR_ZONE_IS_SHUTDOWN",
+        "9622": "DNS_ERROR_ZONE_LOCKED_FOR_SIGNING",
         "9651": "DNS_ERROR_PRIMARY_REQUIRES_DATAFILE",
         "9652": "DNS_ERROR_INVALID_DATAFILE_NAME",
         "9653": "DNS_ERROR_DATAFILE_OPEN_FAILURE",
@@ -145,6 +151,10 @@ var sysmon = (function () {
         "9720": "DNS_ERROR_NODE_IS_DNAME",
         "9721": "DNS_ERROR_DNAME_COLLISION",
         "9722": "DNS_ERROR_ALIAS_LOOP",
+        "9751": "DNS_INFO_AXFR_COMPLETE",
+        "9752": "DNS_ERROR_AXFR",
+        "9753": "DNS_INFO_ADDED_LOCAL_WINS",
+        "9801": "DNS_STATUS_CONTINUE_NEEDED",
         "9851": "DNS_ERROR_NO_TCPIP",
         "9852": "DNS_ERROR_NO_DNS_SERVERS",
         "9901": "DNS_ERROR_DP_DOES_NOT_EXIST",
@@ -153,6 +163,60 @@ var sysmon = (function () {
         "9904": "DNS_ERROR_DP_ALREADY_ENLISTED",
         "9905": "DNS_ERROR_DP_NOT_AVAILABLE",
         "9906": "DNS_ERROR_DP_FSMO_ERROR",
+        "9911": "DNS_ERROR_RRL_NOT_ENABLED",
+        "9912": "DNS_ERROR_RRL_INVALID_WINDOW_SIZE",
+        "9913": "DNS_ERROR_RRL_INVALID_IPV4_PREFIX",
+        "9914": "DNS_ERROR_RRL_INVALID_IPV6_PREFIX",
+        "9915": "DNS_ERROR_RRL_INVALID_TC_RATE",
+        "9916": "DNS_ERROR_RRL_INVALID_LEAK_RATE",
+        "9917": "DNS_ERROR_RRL_LEAK_RATE_LESSTHAN_TC_RATE",
+        "9921": "DNS_ERROR_VIRTUALIZATION_INSTANCE_ALREADY_EXISTS",
+        "9922": "DNS_ERROR_VIRTUALIZATION_INSTANCE_DOES_NOT_EXIST",
+        "9923": "DNS_ERROR_VIRTUALIZATION_TREE_LOCKED",
+        "9924": "DNS_ERROR_INVAILD_VIRTUALIZATION_INSTANCE_NAME",
+        "9925": "DNS_ERROR_DEFAULT_VIRTUALIZATION_INSTANCE",
+        "9951": "DNS_ERROR_ZONESCOPE_ALREADY_EXISTS",
+        "9952": "DNS_ERROR_ZONESCOPE_DOES_NOT_EXIST",
+        "9953": "DNS_ERROR_DEFAULT_ZONESCOPE",
+        "9954": "DNS_ERROR_INVALID_ZONESCOPE_NAME",
+        "9955": "DNS_ERROR_NOT_ALLOWED_WITH_ZONESCOPES",
+        "9956": "DNS_ERROR_LOAD_ZONESCOPE_FAILED",
+        "9957": "DNS_ERROR_ZONESCOPE_FILE_WRITEBACK_FAILED",
+        "9958": "DNS_ERROR_INVALID_SCOPE_NAME",
+        "9959": "DNS_ERROR_SCOPE_DOES_NOT_EXIST",
+        "9960": "DNS_ERROR_DEFAULT_SCOPE",
+        "9961": "DNS_ERROR_INVALID_SCOPE_OPERATION",
+        "9962": "DNS_ERROR_SCOPE_LOCKED",
+        "9963": "DNS_ERROR_SCOPE_ALREADY_EXISTS",
+        "9971": "DNS_ERROR_POLICY_ALREADY_EXISTS",
+        "9972": "DNS_ERROR_POLICY_DOES_NOT_EXIST",
+        "9973": "DNS_ERROR_POLICY_INVALID_CRITERIA",
+        "9974": "DNS_ERROR_POLICY_INVALID_SETTINGS",
+        "9975": "DNS_ERROR_CLIENT_SUBNET_IS_ACCESSED",
+        "9976": "DNS_ERROR_CLIENT_SUBNET_DOES_NOT_EXIST",
+        "9977": "DNS_ERROR_CLIENT_SUBNET_ALREADY_EXISTS",
+        "9978": "DNS_ERROR_SUBNET_DOES_NOT_EXIST",
+        "9979": "DNS_ERROR_SUBNET_ALREADY_EXISTS",
+        "9980": "DNS_ERROR_POLICY_LOCKED",
+        "9981": "DNS_ERROR_POLICY_INVALID_WEIGHT",
+        "9982": "DNS_ERROR_POLICY_INVALID_NAME",
+        "9983": "DNS_ERROR_POLICY_MISSING_CRITERIA",
+        "9984": "DNS_ERROR_INVALID_CLIENT_SUBNET_NAME",
+        "9985": "DNS_ERROR_POLICY_PROCESSING_ORDER_INVALID",
+        "9986": "DNS_ERROR_POLICY_SCOPE_MISSING",
+        "9987": "DNS_ERROR_POLICY_SCOPE_NOT_ALLOWED",
+        "9988": "DNS_ERROR_SERVERSCOPE_IS_REFERENCED",
+        "9989": "DNS_ERROR_ZONESCOPE_IS_REFERENCED",
+        "9990": "DNS_ERROR_POLICY_INVALID_CRITERIA_CLIENT_SUBNET",
+        "9991": "DNS_ERROR_POLICY_INVALID_CRITERIA_TRANSPORT_PROTOCOL",
+        "9992": "DNS_ERROR_POLICY_INVALID_CRITERIA_NETWORK_PROTOCOL",
+        "9993": "DNS_ERROR_POLICY_INVALID_CRITERIA_INTERFACE",
+        "9994": "DNS_ERROR_POLICY_INVALID_CRITERIA_FQDN",
+        "9995": "DNS_ERROR_POLICY_INVALID_CRITERIA_QUERY_TYPE",
+        "9996": "DNS_ERROR_POLICY_INVALID_CRITERIA_TIME_OF_DAY",
+        "10054": "WSAECONNRESET",
+        "10055": "WSAENOBUFS",
+        "10060": "WSAETIMEDOUT",
     };
 
     // Windows DNS record type constants.
@@ -889,7 +953,7 @@ var sysmon = (function () {
 
         process: function(evt) {
             var event_id = evt.Get("winlog.event_id");
-            var processor= this[event_id];
+            var processor = this[event_id];
             if (processor === undefined) {
                 throw "unexpected sysmon event_id";
             }

diff --git a/x-pack/winlogbeat/module/sysmon/gen_dns_error_codes.go b/x-pack/winlogbeat/module/sysmon/gen_dns_error_codes.go
@@ -0,0 +1,137 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+//+build ignore
+
+package main
+
+import (
+	"bytes"
+	"crypto/sha256"
+	"encoding/csv"
+	"encoding/hex"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"os"
+	"os/exec"
+	"strconv"
+	"strings"
+)
+
+// This file is used to generate the error code number to symbolic name mapping
+// used in the Sysmon DNS event pipeline. It uses the Microsoft Error Lookup
+// Tool to export the errors from winerror.h to CSV that extracts all of the
+// error names that begin with "DNS_". It dumps the data to stdout and it can
+// then be pasted in to the module.
+//
+// See https://docs.microsoft.com/en-us/windows/win32/debug/system-error-code-lookup-tool
+// for details about the Microsoft Error Lookup Tool.
+
+const microsoftErrorToolURL = "https://download.microsoft.com/download/4/3/2/432140e8-fb6c-4145-8192-25242838c542/Err_6.4.5/Err_6.4.5.exe"
+const microsoftErrorToolSha256 = "88739EC82BA16A0B4A3C83C1DD2FCA6336AD8E2A1E5F1238C085B1E86AB8834A"
+
+var includeCodes = []uint64{
+	5,
+	8,
+	13,
+	14,
+	123,
+	1214,
+	1223,
+	1460,
+	4312,
+	9560,
+	10054,
+	10055,
+	10060,
+}
+
+func main() {
+	hash, err := downloadErrorLookupTool()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	if hash != microsoftErrorToolSha256 {
+		log.Fatalf("bad sha256 for exe file: expected=%s, got=%s", microsoftErrorToolSha256, hash)
+	}
+
+	r, err := exportErrors()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	if err := parseCSV(r); err != nil {
+		log.Fatal(err)
+	}
+}
+
+// download MS Error Lookup tool.
+func downloadErrorLookupTool() (string, error) {
+	resp, err := http.Get("https://download.microsoft.com/download/4/3/2/432140e8-fb6c-4145-8192-25242838c542/Err_6.4.5/Err_6.4.5.exe")
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+
+	f, err := os.Create("Err.exe")
+	if err != nil {
+		return "", err
+	}
+	defer f.Close()
+
+	sha256Hash := sha256.New()
+	body := io.TeeReader(resp.Body, sha256Hash)
+	_, err = io.Copy(f, body)
+	return strings.ToUpper(hex.EncodeToString(sha256Hash.Sum(nil))), err
+}
+
+// exportErrors to CSV by executing Err.exe.
+func exportErrors() (io.Reader, error) {
+	csvOutput := new(bytes.Buffer)
+
+	cmd := exec.Command("Err.exe", "/winerror.h", "/:outputtoCSV")
+	cmd.Stdout = csvOutput
+	cmd.Stderr = os.Stderr
+
+	return csvOutput, cmd.Run()
+}
+
+// parseCSV parses the CSV and outputs the error codes that begin with "DNS_".
+func parseCSV(r io.Reader) error {
+	codes := map[uint64]struct{}{}
+	for _, ec := range includeCodes {
+		codes[ec] = struct{}{}
+	}
+
+	csvReader := csv.NewReader(r)
+	for {
+		fields, err := csvReader.Read()
+		if err != nil {
+			if err == io.EOF {
+				return nil
+			}
+			return err
+		}
+
+		if len(fields) != 4 {
+			return fmt.Errorf("parse error")
+		}
+
+		symbolicName := fields[1]
+		errorNumber, err := strconv.ParseUint(fields[0], 0, 64)
+		if err != nil {
+			log.Printf("Ignoring line because %v: %v", err, strings.Join(fields, ","))
+			continue
+		}
+
+		_, isIncludedCode := codes[errorNumber]
+		if isIncludedCode || strings.HasPrefix(symbolicName, "DNS_") {
+			fmt.Printf(`"%d": "%s",`+"\n", errorNumber, symbolicName)
+		}
+	}
+	return nil
+}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -300,6 +300,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d

		Winlogbeat

		- Add more DNS error codes to the Sysmon module. {issue}15685[15685]

		==== Deprecated

Expand Down