Skip to content

Commit

Permalink
Update error codes for sysmon DNS (elastic#16040)
Browse files Browse the repository at this point in the history
This generates a list of error numbers / symbolic names from winerror.h. I included errors that began with "DNS_" and some additional error codes as reported in elastic#15685.

Fixes elastic#15685

(cherry picked from commit 8f5d755)
  • Loading branch information
andrewkroh committed Mar 10, 2020
1 parent eeddacf commit 33dc5a2
Show file tree
Hide file tree
Showing 3 changed files with 259 additions and 57 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -300,6 +300,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d

*Winlogbeat*

- Add more DNS error codes to the Sysmon module. {issue}15685[15685]

==== Deprecated

Expand Down
178 changes: 121 additions & 57 deletions x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
Original file line number Diff line number Diff line change
Expand Up @@ -17,74 +17,45 @@ var sysmon = (function () {
var processor = require("processor");
var winlogbeat = require("winlogbeat");

// Windows error codes for DNS.
// https://docs.microsoft.com/en-us/windows/win32/debug/system-error-codes--9000-11999-
// Windows error codes for DNS. This list was generated using
// 'go run gen_dns_error_codes.go'.
var dnsQueryStatusCodes = {
"0": "SUCCESS",
"2329": "DNS_ERROR_RCODE_FORMAT_ERROR",
"2330": "DNS_ERROR_RCODE_NXRRSET",
"2331": "DNS_ERROR_RCODE_NOTAUTH",
"2332": "DNS_ERROR_RCODE_NOTZONE",
"2338": "DNS_ERROR_RCODE_BADSIG",
"2339": "DNS_ERROR_RCODE_BADKEY",
"2390": "DNS_ERROR_NOT_ENOUGH_SIGNING_KEY_DESCRIPTORS",
"2391": "DNS_ERROR_UNSUPPORTED_ALGORITHM",
"2392": "DNS_ERROR_INVALID_KEY_SIZE",
"2393": "DNS_ERROR_SIGNING_KEY_NOT_ACCESSIBLE",
"2394": "DNS_ERROR_KSP_DOES_NOT_SUPPORT_PROTECTION",
"2395": "DNS_ERROR_UNEXPECTED_DATA_PROTECTION_ERROR",
"2396": "DNS_ERROR_UNEXPECTED_CNG_ERROR",
"2397": "DNS_ERROR_UNKNOWN_SIGNING_PARAMETER_VERSION",
"2398": "DNS_ERROR_KSP_NOT_ACCESSIBLE",
"2399": "DNS_ERROR_TOO_MANY_SKDS",
"2520": "DNS_ERROR_RCODE",
"2521": "DNS_ERROR_UNSECURE_PACKET",
"2522": "DNS_REQUEST_PENDING",
"2550": "DNS_ERROR_INVALID_IP_ADDRESS",
"2551": "DNS_ERROR_INVALID_PROPERTY",
"2552": "DNS_ERROR_TRY_AGAIN_LATER",
"2553": "DNS_ERROR_NOT_UNIQUE",
"2554": "DNS_ERROR_NON_RFC_NAME",
"2555": "DNS_STATUS_FQDN",
"2556": "DNS_STATUS_DOTTED_NAME",
"2557": "DNS_STATUS_SINGLE_PART_NAME",
"2558": "DNS_ERROR_INVALID_NAME_CHAR",
"2559": "DNS_ERROR_NUMERIC_NAME",
"2560": "DNS_ERROR_BACKGROUND_LOADING",
"2561": "DNS_ERROR_NOT_ALLOWED_ON_RODC",
"2562": "DNS_ERROR_NOT_ALLOWED_UNDER_DNAME",
"2563": "DNS_ERROR_DELEGATION_REQUIRED",
"2564": "DNS_ERROR_INVALID_POLICY_TABLE",
"2581": "DNS_ERROR_ZONE_DOES_NOT_EXIST",
"2582": "DNS_ERROR_NO_ZONE_INFO",
"2583": "DNS_ERROR_INVALID_ZONE_OPERATION",
"2584": "DNS_ERROR_ZONE_CONFIGURATION_ERROR",
"2585": "DNS_ERROR_ZONE_HAS_NO_SOA_RECORD",
"2586": "DNS_ERROR_ZONE_HAS_NO_NS_RECORDS",
"2587": "DNS_ERROR_ZONE_LOCKED",
"2588": "DNS_ERROR_ZONE_CREATION_FAILED",
"2589": "DNS_ERROR_ZONE_ALREADY_EXISTS",
"2590": "DNS_ERROR_NEED_WINS_SERVERS",
"2591": "DNS_ERROR_NBSTAT_INIT_FAILED",
"2592": "DNS_ERROR_SOA_DELETE_INVALID",
"2593": "DNS_ERROR_FORWARDER_ALREADY_EXISTS",
"2594": "DNS_ERROR_ZONE_REQUIRES_MASTER_IP",
"2595": "DNS_ERROR_ZONE_IS_SHUTDOWN",
"2596": "DNS_ERROR_ZONE_LOCKED_FOR_SIGNING",
"2617": "DNS_INFO_AXFR_COMPLETE",
"2618": "DNS_ERROR_AXFR",
"2619": "DNS_INFO_ADDED_LOCAL_WINS",
"2649": "DNS_STATUS_CONTINUE_NEEDED",
"5": "ERROR_ACCESS_DENIED",
"8": "ERROR_NOT_ENOUGH_MEMORY",
"13": "ERROR_INVALID_DATA",
"14": "ERROR_OUTOFMEMORY",
"123": "ERROR_INVALID_NAME",
"1214": "ERROR_INVALID_NETNAME",
"1223": "ERROR_CANCELLED",
"1460": "ERROR_TIMEOUT",
"4312": "ERROR_OBJECT_NOT_FOUND",
"9001": "DNS_ERROR_RCODE_FORMAT_ERROR",
"9002": "DNS_ERROR_RCODE_SERVER_FAILURE",
"9003": "DNS_ERROR_RCODE_NAME_ERROR",
"9004": "DNS_ERROR_RCODE_NOT_IMPLEMENTED",
"9005": "DNS_ERROR_RCODE_REFUSED",
"9006": "DNS_ERROR_RCODE_YXDOMAIN",
"9007": "DNS_ERROR_RCODE_YXRRSET",
"9008": "DNS_ERROR_RCODE_NXRRSET",
"9009": "DNS_ERROR_RCODE_NOTAUTH",
"9010": "DNS_ERROR_RCODE_NOTZONE",
"9016": "DNS_ERROR_RCODE_BADSIG",
"9017": "DNS_ERROR_RCODE_BADKEY",
"9018": "DNS_ERROR_RCODE_BADTIME",
"9101": "DNS_ERROR_KEYMASTER_REQUIRED",
"9102": "DNS_ERROR_NOT_ALLOWED_ON_SIGNED_ZONE",
"9103": "DNS_ERROR_NSEC3_INCOMPATIBLE_WITH_RSA_SHA1",
"9104": "DNS_ERROR_NOT_ENOUGH_SIGNING_KEY_DESCRIPTORS",
"9105": "DNS_ERROR_UNSUPPORTED_ALGORITHM",
"9106": "DNS_ERROR_INVALID_KEY_SIZE",
"9107": "DNS_ERROR_SIGNING_KEY_NOT_ACCESSIBLE",
"9108": "DNS_ERROR_KSP_DOES_NOT_SUPPORT_PROTECTION",
"9109": "DNS_ERROR_UNEXPECTED_DATA_PROTECTION_ERROR",
"9110": "DNS_ERROR_UNEXPECTED_CNG_ERROR",
"9111": "DNS_ERROR_UNKNOWN_SIGNING_PARAMETER_VERSION",
"9112": "DNS_ERROR_KSP_NOT_ACCESSIBLE",
"9113": "DNS_ERROR_TOO_MANY_SKDS",
"9114": "DNS_ERROR_INVALID_ROLLOVER_PERIOD",
"9115": "DNS_ERROR_INVALID_INITIAL_ROLLOVER_OFFSET",
"9116": "DNS_ERROR_ROLLOVER_IN_PROGRESS",
Expand All @@ -105,19 +76,54 @@ var sysmon = (function () {
"9501": "DNS_INFO_NO_RECORDS",
"9502": "DNS_ERROR_BAD_PACKET",
"9503": "DNS_ERROR_NO_PACKET",
"9504": "DNS_ERROR_RCODE",
"9505": "DNS_ERROR_UNSECURE_PACKET",
"9506": "DNS_REQUEST_PENDING",
"9551": "DNS_ERROR_INVALID_TYPE",
"9552": "DNS_ERROR_INVALID_IP_ADDRESS",
"9553": "DNS_ERROR_INVALID_PROPERTY",
"9554": "DNS_ERROR_TRY_AGAIN_LATER",
"9555": "DNS_ERROR_NOT_UNIQUE",
"9556": "DNS_ERROR_NON_RFC_NAME",
"9557": "DNS_STATUS_FQDN",
"9558": "DNS_STATUS_DOTTED_NAME",
"9559": "DNS_STATUS_SINGLE_PART_NAME",
"9560": "DNS_ERROR_INVALID_NAME_CHAR",
"9561": "DNS_ERROR_NUMERIC_NAME",
"9562": "DNS_ERROR_NOT_ALLOWED_ON_ROOT_SERVER",
"9563": "DNS_ERROR_NOT_ALLOWED_UNDER_DELEGATION",
"9564": "DNS_ERROR_CANNOT_FIND_ROOT_HINTS",
"9565": "DNS_ERROR_INCONSISTENT_ROOT_HINTS",
"9566": "DNS_ERROR_DWORD_VALUE_TOO_SMALL",
"9567": "DNS_ERROR_DWORD_VALUE_TOO_LARGE",
"9568": "DNS_ERROR_BACKGROUND_LOADING",
"9569": "DNS_ERROR_NOT_ALLOWED_ON_RODC",
"9570": "DNS_ERROR_NOT_ALLOWED_UNDER_DNAME",
"9571": "DNS_ERROR_DELEGATION_REQUIRED",
"9572": "DNS_ERROR_INVALID_POLICY_TABLE",
"9573": "DNS_ERROR_ADDRESS_REQUIRED",
"9601": "DNS_ERROR_ZONE_DOES_NOT_EXIST",
"9602": "DNS_ERROR_NO_ZONE_INFO",
"9603": "DNS_ERROR_INVALID_ZONE_OPERATION",
"9604": "DNS_ERROR_ZONE_CONFIGURATION_ERROR",
"9605": "DNS_ERROR_ZONE_HAS_NO_SOA_RECORD",
"9606": "DNS_ERROR_ZONE_HAS_NO_NS_RECORDS",
"9607": "DNS_ERROR_ZONE_LOCKED",
"9608": "DNS_ERROR_ZONE_CREATION_FAILED",
"9609": "DNS_ERROR_ZONE_ALREADY_EXISTS",
"9610": "DNS_ERROR_AUTOZONE_ALREADY_EXISTS",
"9611": "DNS_ERROR_INVALID_ZONE_TYPE",
"9612": "DNS_ERROR_SECONDARY_REQUIRES_MASTER_IP",
"9613": "DNS_ERROR_ZONE_NOT_SECONDARY",
"9614": "DNS_ERROR_NEED_SECONDARY_ADDRESSES",
"9615": "DNS_ERROR_WINS_INIT_FAILED",
"9616": "DNS_ERROR_NEED_WINS_SERVERS",
"9617": "DNS_ERROR_NBSTAT_INIT_FAILED",
"9618": "DNS_ERROR_SOA_DELETE_INVALID",
"9619": "DNS_ERROR_FORWARDER_ALREADY_EXISTS",
"9620": "DNS_ERROR_ZONE_REQUIRES_MASTER_IP",
"9621": "DNS_ERROR_ZONE_IS_SHUTDOWN",
"9622": "DNS_ERROR_ZONE_LOCKED_FOR_SIGNING",
"9651": "DNS_ERROR_PRIMARY_REQUIRES_DATAFILE",
"9652": "DNS_ERROR_INVALID_DATAFILE_NAME",
"9653": "DNS_ERROR_DATAFILE_OPEN_FAILURE",
Expand Down Expand Up @@ -145,6 +151,10 @@ var sysmon = (function () {
"9720": "DNS_ERROR_NODE_IS_DNAME",
"9721": "DNS_ERROR_DNAME_COLLISION",
"9722": "DNS_ERROR_ALIAS_LOOP",
"9751": "DNS_INFO_AXFR_COMPLETE",
"9752": "DNS_ERROR_AXFR",
"9753": "DNS_INFO_ADDED_LOCAL_WINS",
"9801": "DNS_STATUS_CONTINUE_NEEDED",
"9851": "DNS_ERROR_NO_TCPIP",
"9852": "DNS_ERROR_NO_DNS_SERVERS",
"9901": "DNS_ERROR_DP_DOES_NOT_EXIST",
Expand All @@ -153,6 +163,60 @@ var sysmon = (function () {
"9904": "DNS_ERROR_DP_ALREADY_ENLISTED",
"9905": "DNS_ERROR_DP_NOT_AVAILABLE",
"9906": "DNS_ERROR_DP_FSMO_ERROR",
"9911": "DNS_ERROR_RRL_NOT_ENABLED",
"9912": "DNS_ERROR_RRL_INVALID_WINDOW_SIZE",
"9913": "DNS_ERROR_RRL_INVALID_IPV4_PREFIX",
"9914": "DNS_ERROR_RRL_INVALID_IPV6_PREFIX",
"9915": "DNS_ERROR_RRL_INVALID_TC_RATE",
"9916": "DNS_ERROR_RRL_INVALID_LEAK_RATE",
"9917": "DNS_ERROR_RRL_LEAK_RATE_LESSTHAN_TC_RATE",
"9921": "DNS_ERROR_VIRTUALIZATION_INSTANCE_ALREADY_EXISTS",
"9922": "DNS_ERROR_VIRTUALIZATION_INSTANCE_DOES_NOT_EXIST",
"9923": "DNS_ERROR_VIRTUALIZATION_TREE_LOCKED",
"9924": "DNS_ERROR_INVAILD_VIRTUALIZATION_INSTANCE_NAME",
"9925": "DNS_ERROR_DEFAULT_VIRTUALIZATION_INSTANCE",
"9951": "DNS_ERROR_ZONESCOPE_ALREADY_EXISTS",
"9952": "DNS_ERROR_ZONESCOPE_DOES_NOT_EXIST",
"9953": "DNS_ERROR_DEFAULT_ZONESCOPE",
"9954": "DNS_ERROR_INVALID_ZONESCOPE_NAME",
"9955": "DNS_ERROR_NOT_ALLOWED_WITH_ZONESCOPES",
"9956": "DNS_ERROR_LOAD_ZONESCOPE_FAILED",
"9957": "DNS_ERROR_ZONESCOPE_FILE_WRITEBACK_FAILED",
"9958": "DNS_ERROR_INVALID_SCOPE_NAME",
"9959": "DNS_ERROR_SCOPE_DOES_NOT_EXIST",
"9960": "DNS_ERROR_DEFAULT_SCOPE",
"9961": "DNS_ERROR_INVALID_SCOPE_OPERATION",
"9962": "DNS_ERROR_SCOPE_LOCKED",
"9963": "DNS_ERROR_SCOPE_ALREADY_EXISTS",
"9971": "DNS_ERROR_POLICY_ALREADY_EXISTS",
"9972": "DNS_ERROR_POLICY_DOES_NOT_EXIST",
"9973": "DNS_ERROR_POLICY_INVALID_CRITERIA",
"9974": "DNS_ERROR_POLICY_INVALID_SETTINGS",
"9975": "DNS_ERROR_CLIENT_SUBNET_IS_ACCESSED",
"9976": "DNS_ERROR_CLIENT_SUBNET_DOES_NOT_EXIST",
"9977": "DNS_ERROR_CLIENT_SUBNET_ALREADY_EXISTS",
"9978": "DNS_ERROR_SUBNET_DOES_NOT_EXIST",
"9979": "DNS_ERROR_SUBNET_ALREADY_EXISTS",
"9980": "DNS_ERROR_POLICY_LOCKED",
"9981": "DNS_ERROR_POLICY_INVALID_WEIGHT",
"9982": "DNS_ERROR_POLICY_INVALID_NAME",
"9983": "DNS_ERROR_POLICY_MISSING_CRITERIA",
"9984": "DNS_ERROR_INVALID_CLIENT_SUBNET_NAME",
"9985": "DNS_ERROR_POLICY_PROCESSING_ORDER_INVALID",
"9986": "DNS_ERROR_POLICY_SCOPE_MISSING",
"9987": "DNS_ERROR_POLICY_SCOPE_NOT_ALLOWED",
"9988": "DNS_ERROR_SERVERSCOPE_IS_REFERENCED",
"9989": "DNS_ERROR_ZONESCOPE_IS_REFERENCED",
"9990": "DNS_ERROR_POLICY_INVALID_CRITERIA_CLIENT_SUBNET",
"9991": "DNS_ERROR_POLICY_INVALID_CRITERIA_TRANSPORT_PROTOCOL",
"9992": "DNS_ERROR_POLICY_INVALID_CRITERIA_NETWORK_PROTOCOL",
"9993": "DNS_ERROR_POLICY_INVALID_CRITERIA_INTERFACE",
"9994": "DNS_ERROR_POLICY_INVALID_CRITERIA_FQDN",
"9995": "DNS_ERROR_POLICY_INVALID_CRITERIA_QUERY_TYPE",
"9996": "DNS_ERROR_POLICY_INVALID_CRITERIA_TIME_OF_DAY",
"10054": "WSAECONNRESET",
"10055": "WSAENOBUFS",
"10060": "WSAETIMEDOUT",
};

// Windows DNS record type constants.
Expand Down Expand Up @@ -889,7 +953,7 @@ var sysmon = (function () {

process: function(evt) {
var event_id = evt.Get("winlog.event_id");
var processor= this[event_id];
var processor = this[event_id];
if (processor === undefined) {
throw "unexpected sysmon event_id";
}
Expand Down
137 changes: 137 additions & 0 deletions x-pack/winlogbeat/module/sysmon/gen_dns_error_codes.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,137 @@
// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
// or more contributor license agreements. Licensed under the Elastic License;
// you may not use this file except in compliance with the Elastic License.

//+build ignore

package main

import (
"bytes"
"crypto/sha256"
"encoding/csv"
"encoding/hex"
"fmt"
"io"
"log"
"net/http"
"os"
"os/exec"
"strconv"
"strings"
)

// This file is used to generate the error code number to symbolic name mapping
// used in the Sysmon DNS event pipeline. It uses the Microsoft Error Lookup
// Tool to export the errors from winerror.h to CSV that extracts all of the
// error names that begin with "DNS_". It dumps the data to stdout and it can
// then be pasted in to the module.
//
// See https://docs.microsoft.com/en-us/windows/win32/debug/system-error-code-lookup-tool
// for details about the Microsoft Error Lookup Tool.

const microsoftErrorToolURL = "https://download.microsoft.com/download/4/3/2/432140e8-fb6c-4145-8192-25242838c542/Err_6.4.5/Err_6.4.5.exe"
const microsoftErrorToolSha256 = "88739EC82BA16A0B4A3C83C1DD2FCA6336AD8E2A1E5F1238C085B1E86AB8834A"

var includeCodes = []uint64{
5,
8,
13,
14,
123,
1214,
1223,
1460,
4312,
9560,
10054,
10055,
10060,
}

func main() {
hash, err := downloadErrorLookupTool()
if err != nil {
log.Fatal(err)
}

if hash != microsoftErrorToolSha256 {
log.Fatalf("bad sha256 for exe file: expected=%s, got=%s", microsoftErrorToolSha256, hash)
}

r, err := exportErrors()
if err != nil {
log.Fatal(err)
}

if err := parseCSV(r); err != nil {
log.Fatal(err)
}
}

// download MS Error Lookup tool.
func downloadErrorLookupTool() (string, error) {
resp, err := http.Get("https://download.microsoft.com/download/4/3/2/432140e8-fb6c-4145-8192-25242838c542/Err_6.4.5/Err_6.4.5.exe")
if err != nil {
return "", err
}
defer resp.Body.Close()

f, err := os.Create("Err.exe")
if err != nil {
return "", err
}
defer f.Close()

sha256Hash := sha256.New()
body := io.TeeReader(resp.Body, sha256Hash)
_, err = io.Copy(f, body)
return strings.ToUpper(hex.EncodeToString(sha256Hash.Sum(nil))), err
}

// exportErrors to CSV by executing Err.exe.
func exportErrors() (io.Reader, error) {
csvOutput := new(bytes.Buffer)

cmd := exec.Command("Err.exe", "/winerror.h", "/:outputtoCSV")
cmd.Stdout = csvOutput
cmd.Stderr = os.Stderr

return csvOutput, cmd.Run()
}

// parseCSV parses the CSV and outputs the error codes that begin with "DNS_".
func parseCSV(r io.Reader) error {
codes := map[uint64]struct{}{}
for _, ec := range includeCodes {
codes[ec] = struct{}{}
}

csvReader := csv.NewReader(r)
for {
fields, err := csvReader.Read()
if err != nil {
if err == io.EOF {
return nil
}
return err
}

if len(fields) != 4 {
return fmt.Errorf("parse error")
}

symbolicName := fields[1]
errorNumber, err := strconv.ParseUint(fields[0], 0, 64)
if err != nil {
log.Printf("Ignoring line because %v: %v", err, strings.Join(fields, ","))
continue
}

_, isIncludedCode := codes[errorNumber]
if isIncludedCode || strings.HasPrefix(symbolicName, "DNS_") {
fmt.Printf(`"%d": "%s",`+"\n", errorNumber, symbolicName)
}
}
return nil
}

0 comments on commit 33dc5a2

Please sign in to comment.