diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 5ad027d18be..cb0aa5f205f 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -183,6 +183,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Winlogbeat* +- Add more DNS error codes to the Sysmon module. {issue}15685[15685] ==== Deprecated diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js index 852688a4400..83f24193a66 100644 --- a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js +++ b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js @@ -17,74 +17,45 @@ var sysmon = (function () { var processor = require("processor"); var winlogbeat = require("winlogbeat"); - // Windows error codes for DNS. - // https://docs.microsoft.com/en-us/windows/win32/debug/system-error-codes--9000-11999- + // Windows error codes for DNS. This list was generated using + // 'go run gen_dns_error_codes.go'. var dnsQueryStatusCodes = { "0": "SUCCESS", - "2329": "DNS_ERROR_RCODE_FORMAT_ERROR", - "2330": "DNS_ERROR_RCODE_NXRRSET", - "2331": "DNS_ERROR_RCODE_NOTAUTH", - "2332": "DNS_ERROR_RCODE_NOTZONE", - "2338": "DNS_ERROR_RCODE_BADSIG", - "2339": "DNS_ERROR_RCODE_BADKEY", - "2390": "DNS_ERROR_NOT_ENOUGH_SIGNING_KEY_DESCRIPTORS", - "2391": "DNS_ERROR_UNSUPPORTED_ALGORITHM", - "2392": "DNS_ERROR_INVALID_KEY_SIZE", - "2393": "DNS_ERROR_SIGNING_KEY_NOT_ACCESSIBLE", - "2394": "DNS_ERROR_KSP_DOES_NOT_SUPPORT_PROTECTION", - "2395": "DNS_ERROR_UNEXPECTED_DATA_PROTECTION_ERROR", - "2396": "DNS_ERROR_UNEXPECTED_CNG_ERROR", - "2397": "DNS_ERROR_UNKNOWN_SIGNING_PARAMETER_VERSION", - "2398": "DNS_ERROR_KSP_NOT_ACCESSIBLE", - "2399": "DNS_ERROR_TOO_MANY_SKDS", - "2520": "DNS_ERROR_RCODE", - "2521": "DNS_ERROR_UNSECURE_PACKET", - "2522": "DNS_REQUEST_PENDING", - "2550": "DNS_ERROR_INVALID_IP_ADDRESS", - "2551": "DNS_ERROR_INVALID_PROPERTY", - "2552": "DNS_ERROR_TRY_AGAIN_LATER", - "2553": "DNS_ERROR_NOT_UNIQUE", - "2554": "DNS_ERROR_NON_RFC_NAME", - "2555": "DNS_STATUS_FQDN", - "2556": "DNS_STATUS_DOTTED_NAME", - "2557": "DNS_STATUS_SINGLE_PART_NAME", - "2558": "DNS_ERROR_INVALID_NAME_CHAR", - "2559": "DNS_ERROR_NUMERIC_NAME", - "2560": "DNS_ERROR_BACKGROUND_LOADING", - "2561": "DNS_ERROR_NOT_ALLOWED_ON_RODC", - "2562": "DNS_ERROR_NOT_ALLOWED_UNDER_DNAME", - "2563": "DNS_ERROR_DELEGATION_REQUIRED", - "2564": "DNS_ERROR_INVALID_POLICY_TABLE", - "2581": "DNS_ERROR_ZONE_DOES_NOT_EXIST", - "2582": "DNS_ERROR_NO_ZONE_INFO", - "2583": "DNS_ERROR_INVALID_ZONE_OPERATION", - "2584": "DNS_ERROR_ZONE_CONFIGURATION_ERROR", - "2585": "DNS_ERROR_ZONE_HAS_NO_SOA_RECORD", - "2586": "DNS_ERROR_ZONE_HAS_NO_NS_RECORDS", - "2587": "DNS_ERROR_ZONE_LOCKED", - "2588": "DNS_ERROR_ZONE_CREATION_FAILED", - "2589": "DNS_ERROR_ZONE_ALREADY_EXISTS", - "2590": "DNS_ERROR_NEED_WINS_SERVERS", - "2591": "DNS_ERROR_NBSTAT_INIT_FAILED", - "2592": "DNS_ERROR_SOA_DELETE_INVALID", - "2593": "DNS_ERROR_FORWARDER_ALREADY_EXISTS", - "2594": "DNS_ERROR_ZONE_REQUIRES_MASTER_IP", - "2595": "DNS_ERROR_ZONE_IS_SHUTDOWN", - "2596": "DNS_ERROR_ZONE_LOCKED_FOR_SIGNING", - "2617": "DNS_INFO_AXFR_COMPLETE", - "2618": "DNS_ERROR_AXFR", - "2619": "DNS_INFO_ADDED_LOCAL_WINS", - "2649": "DNS_STATUS_CONTINUE_NEEDED", + "5": "ERROR_ACCESS_DENIED", + "8": "ERROR_NOT_ENOUGH_MEMORY", + "13": "ERROR_INVALID_DATA", + "14": "ERROR_OUTOFMEMORY", + "123": "ERROR_INVALID_NAME", + "1214": "ERROR_INVALID_NETNAME", + "1223": "ERROR_CANCELLED", + "1460": "ERROR_TIMEOUT", + "4312": "ERROR_OBJECT_NOT_FOUND", + "9001": "DNS_ERROR_RCODE_FORMAT_ERROR", "9002": "DNS_ERROR_RCODE_SERVER_FAILURE", "9003": "DNS_ERROR_RCODE_NAME_ERROR", "9004": "DNS_ERROR_RCODE_NOT_IMPLEMENTED", "9005": "DNS_ERROR_RCODE_REFUSED", "9006": "DNS_ERROR_RCODE_YXDOMAIN", "9007": "DNS_ERROR_RCODE_YXRRSET", + "9008": "DNS_ERROR_RCODE_NXRRSET", + "9009": "DNS_ERROR_RCODE_NOTAUTH", + "9010": "DNS_ERROR_RCODE_NOTZONE", + "9016": "DNS_ERROR_RCODE_BADSIG", + "9017": "DNS_ERROR_RCODE_BADKEY", "9018": "DNS_ERROR_RCODE_BADTIME", "9101": "DNS_ERROR_KEYMASTER_REQUIRED", "9102": "DNS_ERROR_NOT_ALLOWED_ON_SIGNED_ZONE", "9103": "DNS_ERROR_NSEC3_INCOMPATIBLE_WITH_RSA_SHA1", + "9104": "DNS_ERROR_NOT_ENOUGH_SIGNING_KEY_DESCRIPTORS", + "9105": "DNS_ERROR_UNSUPPORTED_ALGORITHM", + "9106": "DNS_ERROR_INVALID_KEY_SIZE", + "9107": "DNS_ERROR_SIGNING_KEY_NOT_ACCESSIBLE", + "9108": "DNS_ERROR_KSP_DOES_NOT_SUPPORT_PROTECTION", + "9109": "DNS_ERROR_UNEXPECTED_DATA_PROTECTION_ERROR", + "9110": "DNS_ERROR_UNEXPECTED_CNG_ERROR", + "9111": "DNS_ERROR_UNKNOWN_SIGNING_PARAMETER_VERSION", + "9112": "DNS_ERROR_KSP_NOT_ACCESSIBLE", + "9113": "DNS_ERROR_TOO_MANY_SKDS", "9114": "DNS_ERROR_INVALID_ROLLOVER_PERIOD", "9115": "DNS_ERROR_INVALID_INITIAL_ROLLOVER_OFFSET", "9116": "DNS_ERROR_ROLLOVER_IN_PROGRESS", @@ -105,19 +76,54 @@ var sysmon = (function () { "9501": "DNS_INFO_NO_RECORDS", "9502": "DNS_ERROR_BAD_PACKET", "9503": "DNS_ERROR_NO_PACKET", + "9504": "DNS_ERROR_RCODE", + "9505": "DNS_ERROR_UNSECURE_PACKET", + "9506": "DNS_REQUEST_PENDING", "9551": "DNS_ERROR_INVALID_TYPE", + "9552": "DNS_ERROR_INVALID_IP_ADDRESS", + "9553": "DNS_ERROR_INVALID_PROPERTY", + "9554": "DNS_ERROR_TRY_AGAIN_LATER", + "9555": "DNS_ERROR_NOT_UNIQUE", + "9556": "DNS_ERROR_NON_RFC_NAME", + "9557": "DNS_STATUS_FQDN", + "9558": "DNS_STATUS_DOTTED_NAME", + "9559": "DNS_STATUS_SINGLE_PART_NAME", + "9560": "DNS_ERROR_INVALID_NAME_CHAR", + "9561": "DNS_ERROR_NUMERIC_NAME", "9562": "DNS_ERROR_NOT_ALLOWED_ON_ROOT_SERVER", "9563": "DNS_ERROR_NOT_ALLOWED_UNDER_DELEGATION", "9564": "DNS_ERROR_CANNOT_FIND_ROOT_HINTS", "9565": "DNS_ERROR_INCONSISTENT_ROOT_HINTS", "9566": "DNS_ERROR_DWORD_VALUE_TOO_SMALL", "9567": "DNS_ERROR_DWORD_VALUE_TOO_LARGE", + "9568": "DNS_ERROR_BACKGROUND_LOADING", + "9569": "DNS_ERROR_NOT_ALLOWED_ON_RODC", + "9570": "DNS_ERROR_NOT_ALLOWED_UNDER_DNAME", + "9571": "DNS_ERROR_DELEGATION_REQUIRED", + "9572": "DNS_ERROR_INVALID_POLICY_TABLE", + "9573": "DNS_ERROR_ADDRESS_REQUIRED", + "9601": "DNS_ERROR_ZONE_DOES_NOT_EXIST", + "9602": "DNS_ERROR_NO_ZONE_INFO", + "9603": "DNS_ERROR_INVALID_ZONE_OPERATION", + "9604": "DNS_ERROR_ZONE_CONFIGURATION_ERROR", + "9605": "DNS_ERROR_ZONE_HAS_NO_SOA_RECORD", + "9606": "DNS_ERROR_ZONE_HAS_NO_NS_RECORDS", + "9607": "DNS_ERROR_ZONE_LOCKED", + "9608": "DNS_ERROR_ZONE_CREATION_FAILED", + "9609": "DNS_ERROR_ZONE_ALREADY_EXISTS", "9610": "DNS_ERROR_AUTOZONE_ALREADY_EXISTS", "9611": "DNS_ERROR_INVALID_ZONE_TYPE", "9612": "DNS_ERROR_SECONDARY_REQUIRES_MASTER_IP", "9613": "DNS_ERROR_ZONE_NOT_SECONDARY", "9614": "DNS_ERROR_NEED_SECONDARY_ADDRESSES", "9615": "DNS_ERROR_WINS_INIT_FAILED", + "9616": "DNS_ERROR_NEED_WINS_SERVERS", + "9617": "DNS_ERROR_NBSTAT_INIT_FAILED", + "9618": "DNS_ERROR_SOA_DELETE_INVALID", + "9619": "DNS_ERROR_FORWARDER_ALREADY_EXISTS", + "9620": "DNS_ERROR_ZONE_REQUIRES_MASTER_IP", + "9621": "DNS_ERROR_ZONE_IS_SHUTDOWN", + "9622": "DNS_ERROR_ZONE_LOCKED_FOR_SIGNING", "9651": "DNS_ERROR_PRIMARY_REQUIRES_DATAFILE", "9652": "DNS_ERROR_INVALID_DATAFILE_NAME", "9653": "DNS_ERROR_DATAFILE_OPEN_FAILURE", @@ -145,6 +151,10 @@ var sysmon = (function () { "9720": "DNS_ERROR_NODE_IS_DNAME", "9721": "DNS_ERROR_DNAME_COLLISION", "9722": "DNS_ERROR_ALIAS_LOOP", + "9751": "DNS_INFO_AXFR_COMPLETE", + "9752": "DNS_ERROR_AXFR", + "9753": "DNS_INFO_ADDED_LOCAL_WINS", + "9801": "DNS_STATUS_CONTINUE_NEEDED", "9851": "DNS_ERROR_NO_TCPIP", "9852": "DNS_ERROR_NO_DNS_SERVERS", "9901": "DNS_ERROR_DP_DOES_NOT_EXIST", @@ -153,6 +163,60 @@ var sysmon = (function () { "9904": "DNS_ERROR_DP_ALREADY_ENLISTED", "9905": "DNS_ERROR_DP_NOT_AVAILABLE", "9906": "DNS_ERROR_DP_FSMO_ERROR", + "9911": "DNS_ERROR_RRL_NOT_ENABLED", + "9912": "DNS_ERROR_RRL_INVALID_WINDOW_SIZE", + "9913": "DNS_ERROR_RRL_INVALID_IPV4_PREFIX", + "9914": "DNS_ERROR_RRL_INVALID_IPV6_PREFIX", + "9915": "DNS_ERROR_RRL_INVALID_TC_RATE", + "9916": "DNS_ERROR_RRL_INVALID_LEAK_RATE", + "9917": "DNS_ERROR_RRL_LEAK_RATE_LESSTHAN_TC_RATE", + "9921": "DNS_ERROR_VIRTUALIZATION_INSTANCE_ALREADY_EXISTS", + "9922": "DNS_ERROR_VIRTUALIZATION_INSTANCE_DOES_NOT_EXIST", + "9923": "DNS_ERROR_VIRTUALIZATION_TREE_LOCKED", + "9924": "DNS_ERROR_INVAILD_VIRTUALIZATION_INSTANCE_NAME", + "9925": "DNS_ERROR_DEFAULT_VIRTUALIZATION_INSTANCE", + "9951": "DNS_ERROR_ZONESCOPE_ALREADY_EXISTS", + "9952": "DNS_ERROR_ZONESCOPE_DOES_NOT_EXIST", + "9953": "DNS_ERROR_DEFAULT_ZONESCOPE", + "9954": "DNS_ERROR_INVALID_ZONESCOPE_NAME", + "9955": "DNS_ERROR_NOT_ALLOWED_WITH_ZONESCOPES", + "9956": "DNS_ERROR_LOAD_ZONESCOPE_FAILED", + "9957": "DNS_ERROR_ZONESCOPE_FILE_WRITEBACK_FAILED", + "9958": "DNS_ERROR_INVALID_SCOPE_NAME", + "9959": "DNS_ERROR_SCOPE_DOES_NOT_EXIST", + "9960": "DNS_ERROR_DEFAULT_SCOPE", + "9961": "DNS_ERROR_INVALID_SCOPE_OPERATION", + "9962": "DNS_ERROR_SCOPE_LOCKED", + "9963": "DNS_ERROR_SCOPE_ALREADY_EXISTS", + "9971": "DNS_ERROR_POLICY_ALREADY_EXISTS", + "9972": "DNS_ERROR_POLICY_DOES_NOT_EXIST", + "9973": "DNS_ERROR_POLICY_INVALID_CRITERIA", + "9974": "DNS_ERROR_POLICY_INVALID_SETTINGS", + "9975": "DNS_ERROR_CLIENT_SUBNET_IS_ACCESSED", + "9976": "DNS_ERROR_CLIENT_SUBNET_DOES_NOT_EXIST", + "9977": "DNS_ERROR_CLIENT_SUBNET_ALREADY_EXISTS", + "9978": "DNS_ERROR_SUBNET_DOES_NOT_EXIST", + "9979": "DNS_ERROR_SUBNET_ALREADY_EXISTS", + "9980": "DNS_ERROR_POLICY_LOCKED", + "9981": "DNS_ERROR_POLICY_INVALID_WEIGHT", + "9982": "DNS_ERROR_POLICY_INVALID_NAME", + "9983": "DNS_ERROR_POLICY_MISSING_CRITERIA", + "9984": "DNS_ERROR_INVALID_CLIENT_SUBNET_NAME", + "9985": "DNS_ERROR_POLICY_PROCESSING_ORDER_INVALID", + "9986": "DNS_ERROR_POLICY_SCOPE_MISSING", + "9987": "DNS_ERROR_POLICY_SCOPE_NOT_ALLOWED", + "9988": "DNS_ERROR_SERVERSCOPE_IS_REFERENCED", + "9989": "DNS_ERROR_ZONESCOPE_IS_REFERENCED", + "9990": "DNS_ERROR_POLICY_INVALID_CRITERIA_CLIENT_SUBNET", + "9991": "DNS_ERROR_POLICY_INVALID_CRITERIA_TRANSPORT_PROTOCOL", + "9992": "DNS_ERROR_POLICY_INVALID_CRITERIA_NETWORK_PROTOCOL", + "9993": "DNS_ERROR_POLICY_INVALID_CRITERIA_INTERFACE", + "9994": "DNS_ERROR_POLICY_INVALID_CRITERIA_FQDN", + "9995": "DNS_ERROR_POLICY_INVALID_CRITERIA_QUERY_TYPE", + "9996": "DNS_ERROR_POLICY_INVALID_CRITERIA_TIME_OF_DAY", + "10054": "WSAECONNRESET", + "10055": "WSAENOBUFS", + "10060": "WSAETIMEDOUT", }; // Windows DNS record type constants. @@ -889,7 +953,7 @@ var sysmon = (function () { process: function(evt) { var event_id = evt.Get("winlog.event_id"); - var processor= this[event_id]; + var processor = this[event_id]; if (processor === undefined) { throw "unexpected sysmon event_id"; } diff --git a/x-pack/winlogbeat/module/sysmon/gen_dns_error_codes.go b/x-pack/winlogbeat/module/sysmon/gen_dns_error_codes.go new file mode 100644 index 00000000000..36e5bdd5d6a --- /dev/null +++ b/x-pack/winlogbeat/module/sysmon/gen_dns_error_codes.go @@ -0,0 +1,137 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +//+build ignore + +package main + +import ( + "bytes" + "crypto/sha256" + "encoding/csv" + "encoding/hex" + "fmt" + "io" + "log" + "net/http" + "os" + "os/exec" + "strconv" + "strings" +) + +// This file is used to generate the error code number to symbolic name mapping +// used in the Sysmon DNS event pipeline. It uses the Microsoft Error Lookup +// Tool to export the errors from winerror.h to CSV that extracts all of the +// error names that begin with "DNS_". It dumps the data to stdout and it can +// then be pasted in to the module. +// +// See https://docs.microsoft.com/en-us/windows/win32/debug/system-error-code-lookup-tool +// for details about the Microsoft Error Lookup Tool. + +const microsoftErrorToolURL = "https://download.microsoft.com/download/4/3/2/432140e8-fb6c-4145-8192-25242838c542/Err_6.4.5/Err_6.4.5.exe" +const microsoftErrorToolSha256 = "88739EC82BA16A0B4A3C83C1DD2FCA6336AD8E2A1E5F1238C085B1E86AB8834A" + +var includeCodes = []uint64{ + 5, + 8, + 13, + 14, + 123, + 1214, + 1223, + 1460, + 4312, + 9560, + 10054, + 10055, + 10060, +} + +func main() { + hash, err := downloadErrorLookupTool() + if err != nil { + log.Fatal(err) + } + + if hash != microsoftErrorToolSha256 { + log.Fatalf("bad sha256 for exe file: expected=%s, got=%s", microsoftErrorToolSha256, hash) + } + + r, err := exportErrors() + if err != nil { + log.Fatal(err) + } + + if err := parseCSV(r); err != nil { + log.Fatal(err) + } +} + +// download MS Error Lookup tool. +func downloadErrorLookupTool() (string, error) { + resp, err := http.Get("https://download.microsoft.com/download/4/3/2/432140e8-fb6c-4145-8192-25242838c542/Err_6.4.5/Err_6.4.5.exe") + if err != nil { + return "", err + } + defer resp.Body.Close() + + f, err := os.Create("Err.exe") + if err != nil { + return "", err + } + defer f.Close() + + sha256Hash := sha256.New() + body := io.TeeReader(resp.Body, sha256Hash) + _, err = io.Copy(f, body) + return strings.ToUpper(hex.EncodeToString(sha256Hash.Sum(nil))), err +} + +// exportErrors to CSV by executing Err.exe. +func exportErrors() (io.Reader, error) { + csvOutput := new(bytes.Buffer) + + cmd := exec.Command("Err.exe", "/winerror.h", "/:outputtoCSV") + cmd.Stdout = csvOutput + cmd.Stderr = os.Stderr + + return csvOutput, cmd.Run() +} + +// parseCSV parses the CSV and outputs the error codes that begin with "DNS_". +func parseCSV(r io.Reader) error { + codes := map[uint64]struct{}{} + for _, ec := range includeCodes { + codes[ec] = struct{}{} + } + + csvReader := csv.NewReader(r) + for { + fields, err := csvReader.Read() + if err != nil { + if err == io.EOF { + return nil + } + return err + } + + if len(fields) != 4 { + return fmt.Errorf("parse error") + } + + symbolicName := fields[1] + errorNumber, err := strconv.ParseUint(fields[0], 0, 64) + if err != nil { + log.Printf("Ignoring line because %v: %v", err, strings.Join(fields, ",")) + continue + } + + _, isIncludedCode := codes[errorNumber] + if isIncludedCode || strings.HasPrefix(symbolicName, "DNS_") { + fmt.Printf(`"%d": "%s",`+"\n", errorNumber, symbolicName) + } + } + return nil +}