Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cherry-pick #16040 to 7.x: Update error codes for Sysmon DNS #16942

Merged
merged 1 commit into from
Mar 11, 2020
Merged

Cherry-pick #16040 to 7.x: Update error codes for Sysmon DNS #16942

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -300,6 +300,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d

*Winlogbeat*

- Add more DNS error codes to the Sysmon module. {issue}15685[15685]

==== Deprecated

Expand Down
178 changes: 121 additions & 57 deletions x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,74 +17,45 @@ var sysmon = (function () {
var processor = require("processor");
var winlogbeat = require("winlogbeat");

// Windows error codes for DNS.
// https://docs.microsoft.com/en-us/windows/win32/debug/system-error-codes--9000-11999-
// Windows error codes for DNS. This list was generated using
// 'go run gen_dns_error_codes.go'.
var dnsQueryStatusCodes = {
"0": "SUCCESS",
"2329": "DNS_ERROR_RCODE_FORMAT_ERROR",
"2330": "DNS_ERROR_RCODE_NXRRSET",
"2331": "DNS_ERROR_RCODE_NOTAUTH",
"2332": "DNS_ERROR_RCODE_NOTZONE",
"2338": "DNS_ERROR_RCODE_BADSIG",
"2339": "DNS_ERROR_RCODE_BADKEY",
"2390": "DNS_ERROR_NOT_ENOUGH_SIGNING_KEY_DESCRIPTORS",
"2391": "DNS_ERROR_UNSUPPORTED_ALGORITHM",
"2392": "DNS_ERROR_INVALID_KEY_SIZE",
"2393": "DNS_ERROR_SIGNING_KEY_NOT_ACCESSIBLE",
"2394": "DNS_ERROR_KSP_DOES_NOT_SUPPORT_PROTECTION",
"2395": "DNS_ERROR_UNEXPECTED_DATA_PROTECTION_ERROR",
"2396": "DNS_ERROR_UNEXPECTED_CNG_ERROR",
"2397": "DNS_ERROR_UNKNOWN_SIGNING_PARAMETER_VERSION",
"2398": "DNS_ERROR_KSP_NOT_ACCESSIBLE",
"2399": "DNS_ERROR_TOO_MANY_SKDS",
"2520": "DNS_ERROR_RCODE",
"2521": "DNS_ERROR_UNSECURE_PACKET",
"2522": "DNS_REQUEST_PENDING",
"2550": "DNS_ERROR_INVALID_IP_ADDRESS",
"2551": "DNS_ERROR_INVALID_PROPERTY",
"2552": "DNS_ERROR_TRY_AGAIN_LATER",
"2553": "DNS_ERROR_NOT_UNIQUE",
"2554": "DNS_ERROR_NON_RFC_NAME",
"2555": "DNS_STATUS_FQDN",
"2556": "DNS_STATUS_DOTTED_NAME",
"2557": "DNS_STATUS_SINGLE_PART_NAME",
"2558": "DNS_ERROR_INVALID_NAME_CHAR",
"2559": "DNS_ERROR_NUMERIC_NAME",
"2560": "DNS_ERROR_BACKGROUND_LOADING",
"2561": "DNS_ERROR_NOT_ALLOWED_ON_RODC",
"2562": "DNS_ERROR_NOT_ALLOWED_UNDER_DNAME",
"2563": "DNS_ERROR_DELEGATION_REQUIRED",
"2564": "DNS_ERROR_INVALID_POLICY_TABLE",
"2581": "DNS_ERROR_ZONE_DOES_NOT_EXIST",
"2582": "DNS_ERROR_NO_ZONE_INFO",
"2583": "DNS_ERROR_INVALID_ZONE_OPERATION",
"2584": "DNS_ERROR_ZONE_CONFIGURATION_ERROR",
"2585": "DNS_ERROR_ZONE_HAS_NO_SOA_RECORD",
"2586": "DNS_ERROR_ZONE_HAS_NO_NS_RECORDS",
"2587": "DNS_ERROR_ZONE_LOCKED",
"2588": "DNS_ERROR_ZONE_CREATION_FAILED",
"2589": "DNS_ERROR_ZONE_ALREADY_EXISTS",
"2590": "DNS_ERROR_NEED_WINS_SERVERS",
"2591": "DNS_ERROR_NBSTAT_INIT_FAILED",
"2592": "DNS_ERROR_SOA_DELETE_INVALID",
"2593": "DNS_ERROR_FORWARDER_ALREADY_EXISTS",
"2594": "DNS_ERROR_ZONE_REQUIRES_MASTER_IP",
"2595": "DNS_ERROR_ZONE_IS_SHUTDOWN",
"2596": "DNS_ERROR_ZONE_LOCKED_FOR_SIGNING",
"2617": "DNS_INFO_AXFR_COMPLETE",
"2618": "DNS_ERROR_AXFR",
"2619": "DNS_INFO_ADDED_LOCAL_WINS",
"2649": "DNS_STATUS_CONTINUE_NEEDED",
"5": "ERROR_ACCESS_DENIED",
"8": "ERROR_NOT_ENOUGH_MEMORY",
"13": "ERROR_INVALID_DATA",
"14": "ERROR_OUTOFMEMORY",
"123": "ERROR_INVALID_NAME",
"1214": "ERROR_INVALID_NETNAME",
"1223": "ERROR_CANCELLED",
"1460": "ERROR_TIMEOUT",
"4312": "ERROR_OBJECT_NOT_FOUND",
"9001": "DNS_ERROR_RCODE_FORMAT_ERROR",
"9002": "DNS_ERROR_RCODE_SERVER_FAILURE",
"9003": "DNS_ERROR_RCODE_NAME_ERROR",
"9004": "DNS_ERROR_RCODE_NOT_IMPLEMENTED",
"9005": "DNS_ERROR_RCODE_REFUSED",
"9006": "DNS_ERROR_RCODE_YXDOMAIN",
"9007": "DNS_ERROR_RCODE_YXRRSET",
"9008": "DNS_ERROR_RCODE_NXRRSET",
"9009": "DNS_ERROR_RCODE_NOTAUTH",
"9010": "DNS_ERROR_RCODE_NOTZONE",
"9016": "DNS_ERROR_RCODE_BADSIG",
"9017": "DNS_ERROR_RCODE_BADKEY",
"9018": "DNS_ERROR_RCODE_BADTIME",
"9101": "DNS_ERROR_KEYMASTER_REQUIRED",
"9102": "DNS_ERROR_NOT_ALLOWED_ON_SIGNED_ZONE",
"9103": "DNS_ERROR_NSEC3_INCOMPATIBLE_WITH_RSA_SHA1",
"9104": "DNS_ERROR_NOT_ENOUGH_SIGNING_KEY_DESCRIPTORS",
"9105": "DNS_ERROR_UNSUPPORTED_ALGORITHM",
"9106": "DNS_ERROR_INVALID_KEY_SIZE",
"9107": "DNS_ERROR_SIGNING_KEY_NOT_ACCESSIBLE",
"9108": "DNS_ERROR_KSP_DOES_NOT_SUPPORT_PROTECTION",
"9109": "DNS_ERROR_UNEXPECTED_DATA_PROTECTION_ERROR",
"9110": "DNS_ERROR_UNEXPECTED_CNG_ERROR",
"9111": "DNS_ERROR_UNKNOWN_SIGNING_PARAMETER_VERSION",
"9112": "DNS_ERROR_KSP_NOT_ACCESSIBLE",
"9113": "DNS_ERROR_TOO_MANY_SKDS",
"9114": "DNS_ERROR_INVALID_ROLLOVER_PERIOD",
"9115": "DNS_ERROR_INVALID_INITIAL_ROLLOVER_OFFSET",
"9116": "DNS_ERROR_ROLLOVER_IN_PROGRESS",
Expand All @@ -105,19 +76,54 @@ var sysmon = (function () {
"9501": "DNS_INFO_NO_RECORDS",
"9502": "DNS_ERROR_BAD_PACKET",
"9503": "DNS_ERROR_NO_PACKET",
"9504": "DNS_ERROR_RCODE",
"9505": "DNS_ERROR_UNSECURE_PACKET",
"9506": "DNS_REQUEST_PENDING",
"9551": "DNS_ERROR_INVALID_TYPE",
"9552": "DNS_ERROR_INVALID_IP_ADDRESS",
"9553": "DNS_ERROR_INVALID_PROPERTY",
"9554": "DNS_ERROR_TRY_AGAIN_LATER",
"9555": "DNS_ERROR_NOT_UNIQUE",
"9556": "DNS_ERROR_NON_RFC_NAME",
"9557": "DNS_STATUS_FQDN",
"9558": "DNS_STATUS_DOTTED_NAME",
"9559": "DNS_STATUS_SINGLE_PART_NAME",
"9560": "DNS_ERROR_INVALID_NAME_CHAR",
"9561": "DNS_ERROR_NUMERIC_NAME",
"9562": "DNS_ERROR_NOT_ALLOWED_ON_ROOT_SERVER",
"9563": "DNS_ERROR_NOT_ALLOWED_UNDER_DELEGATION",
"9564": "DNS_ERROR_CANNOT_FIND_ROOT_HINTS",
"9565": "DNS_ERROR_INCONSISTENT_ROOT_HINTS",
"9566": "DNS_ERROR_DWORD_VALUE_TOO_SMALL",
"9567": "DNS_ERROR_DWORD_VALUE_TOO_LARGE",
"9568": "DNS_ERROR_BACKGROUND_LOADING",
"9569": "DNS_ERROR_NOT_ALLOWED_ON_RODC",
"9570": "DNS_ERROR_NOT_ALLOWED_UNDER_DNAME",
"9571": "DNS_ERROR_DELEGATION_REQUIRED",
"9572": "DNS_ERROR_INVALID_POLICY_TABLE",
"9573": "DNS_ERROR_ADDRESS_REQUIRED",
"9601": "DNS_ERROR_ZONE_DOES_NOT_EXIST",
"9602": "DNS_ERROR_NO_ZONE_INFO",
"9603": "DNS_ERROR_INVALID_ZONE_OPERATION",
"9604": "DNS_ERROR_ZONE_CONFIGURATION_ERROR",
"9605": "DNS_ERROR_ZONE_HAS_NO_SOA_RECORD",
"9606": "DNS_ERROR_ZONE_HAS_NO_NS_RECORDS",
"9607": "DNS_ERROR_ZONE_LOCKED",
"9608": "DNS_ERROR_ZONE_CREATION_FAILED",
"9609": "DNS_ERROR_ZONE_ALREADY_EXISTS",
"9610": "DNS_ERROR_AUTOZONE_ALREADY_EXISTS",
"9611": "DNS_ERROR_INVALID_ZONE_TYPE",
"9612": "DNS_ERROR_SECONDARY_REQUIRES_MASTER_IP",
"9613": "DNS_ERROR_ZONE_NOT_SECONDARY",
"9614": "DNS_ERROR_NEED_SECONDARY_ADDRESSES",
"9615": "DNS_ERROR_WINS_INIT_FAILED",
"9616": "DNS_ERROR_NEED_WINS_SERVERS",
"9617": "DNS_ERROR_NBSTAT_INIT_FAILED",
"9618": "DNS_ERROR_SOA_DELETE_INVALID",
"9619": "DNS_ERROR_FORWARDER_ALREADY_EXISTS",
"9620": "DNS_ERROR_ZONE_REQUIRES_MASTER_IP",
"9621": "DNS_ERROR_ZONE_IS_SHUTDOWN",
"9622": "DNS_ERROR_ZONE_LOCKED_FOR_SIGNING",
"9651": "DNS_ERROR_PRIMARY_REQUIRES_DATAFILE",
"9652": "DNS_ERROR_INVALID_DATAFILE_NAME",
"9653": "DNS_ERROR_DATAFILE_OPEN_FAILURE",
Expand Down Expand Up @@ -145,6 +151,10 @@ var sysmon = (function () {
"9720": "DNS_ERROR_NODE_IS_DNAME",
"9721": "DNS_ERROR_DNAME_COLLISION",
"9722": "DNS_ERROR_ALIAS_LOOP",
"9751": "DNS_INFO_AXFR_COMPLETE",
"9752": "DNS_ERROR_AXFR",
"9753": "DNS_INFO_ADDED_LOCAL_WINS",
"9801": "DNS_STATUS_CONTINUE_NEEDED",
"9851": "DNS_ERROR_NO_TCPIP",
"9852": "DNS_ERROR_NO_DNS_SERVERS",
"9901": "DNS_ERROR_DP_DOES_NOT_EXIST",
Expand All @@ -153,6 +163,60 @@ var sysmon = (function () {
"9904": "DNS_ERROR_DP_ALREADY_ENLISTED",
"9905": "DNS_ERROR_DP_NOT_AVAILABLE",
"9906": "DNS_ERROR_DP_FSMO_ERROR",
"9911": "DNS_ERROR_RRL_NOT_ENABLED",
"9912": "DNS_ERROR_RRL_INVALID_WINDOW_SIZE",
"9913": "DNS_ERROR_RRL_INVALID_IPV4_PREFIX",
"9914": "DNS_ERROR_RRL_INVALID_IPV6_PREFIX",
"9915": "DNS_ERROR_RRL_INVALID_TC_RATE",
"9916": "DNS_ERROR_RRL_INVALID_LEAK_RATE",
"9917": "DNS_ERROR_RRL_LEAK_RATE_LESSTHAN_TC_RATE",
"9921": "DNS_ERROR_VIRTUALIZATION_INSTANCE_ALREADY_EXISTS",
"9922": "DNS_ERROR_VIRTUALIZATION_INSTANCE_DOES_NOT_EXIST",
"9923": "DNS_ERROR_VIRTUALIZATION_TREE_LOCKED",
"9924": "DNS_ERROR_INVAILD_VIRTUALIZATION_INSTANCE_NAME",
"9925": "DNS_ERROR_DEFAULT_VIRTUALIZATION_INSTANCE",
"9951": "DNS_ERROR_ZONESCOPE_ALREADY_EXISTS",
"9952": "DNS_ERROR_ZONESCOPE_DOES_NOT_EXIST",
"9953": "DNS_ERROR_DEFAULT_ZONESCOPE",
"9954": "DNS_ERROR_INVALID_ZONESCOPE_NAME",
"9955": "DNS_ERROR_NOT_ALLOWED_WITH_ZONESCOPES",
"9956": "DNS_ERROR_LOAD_ZONESCOPE_FAILED",
"9957": "DNS_ERROR_ZONESCOPE_FILE_WRITEBACK_FAILED",
"9958": "DNS_ERROR_INVALID_SCOPE_NAME",
"9959": "DNS_ERROR_SCOPE_DOES_NOT_EXIST",
"9960": "DNS_ERROR_DEFAULT_SCOPE",
"9961": "DNS_ERROR_INVALID_SCOPE_OPERATION",
"9962": "DNS_ERROR_SCOPE_LOCKED",
"9963": "DNS_ERROR_SCOPE_ALREADY_EXISTS",
"9971": "DNS_ERROR_POLICY_ALREADY_EXISTS",
"9972": "DNS_ERROR_POLICY_DOES_NOT_EXIST",
"9973": "DNS_ERROR_POLICY_INVALID_CRITERIA",
"9974": "DNS_ERROR_POLICY_INVALID_SETTINGS",
"9975": "DNS_ERROR_CLIENT_SUBNET_IS_ACCESSED",
"9976": "DNS_ERROR_CLIENT_SUBNET_DOES_NOT_EXIST",
"9977": "DNS_ERROR_CLIENT_SUBNET_ALREADY_EXISTS",
"9978": "DNS_ERROR_SUBNET_DOES_NOT_EXIST",
"9979": "DNS_ERROR_SUBNET_ALREADY_EXISTS",
"9980": "DNS_ERROR_POLICY_LOCKED",
"9981": "DNS_ERROR_POLICY_INVALID_WEIGHT",
"9982": "DNS_ERROR_POLICY_INVALID_NAME",
"9983": "DNS_ERROR_POLICY_MISSING_CRITERIA",
"9984": "DNS_ERROR_INVALID_CLIENT_SUBNET_NAME",
"9985": "DNS_ERROR_POLICY_PROCESSING_ORDER_INVALID",
"9986": "DNS_ERROR_POLICY_SCOPE_MISSING",
"9987": "DNS_ERROR_POLICY_SCOPE_NOT_ALLOWED",
"9988": "DNS_ERROR_SERVERSCOPE_IS_REFERENCED",
"9989": "DNS_ERROR_ZONESCOPE_IS_REFERENCED",
"9990": "DNS_ERROR_POLICY_INVALID_CRITERIA_CLIENT_SUBNET",
"9991": "DNS_ERROR_POLICY_INVALID_CRITERIA_TRANSPORT_PROTOCOL",
"9992": "DNS_ERROR_POLICY_INVALID_CRITERIA_NETWORK_PROTOCOL",
"9993": "DNS_ERROR_POLICY_INVALID_CRITERIA_INTERFACE",
"9994": "DNS_ERROR_POLICY_INVALID_CRITERIA_FQDN",
"9995": "DNS_ERROR_POLICY_INVALID_CRITERIA_QUERY_TYPE",
"9996": "DNS_ERROR_POLICY_INVALID_CRITERIA_TIME_OF_DAY",
"10054": "WSAECONNRESET",
"10055": "WSAENOBUFS",
"10060": "WSAETIMEDOUT",
};

// Windows DNS record type constants.
Expand Down Expand Up @@ -889,7 +953,7 @@ var sysmon = (function () {

process: function(evt) {
var event_id = evt.Get("winlog.event_id");
var processor= this[event_id];
var processor = this[event_id];
if (processor === undefined) {
throw "unexpected sysmon event_id";
}
Expand Down
137 changes: 137 additions & 0 deletions x-pack/winlogbeat/module/sysmon/gen_dns_error_codes.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,137 @@
// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
// or more contributor license agreements. Licensed under the Elastic License;
// you may not use this file except in compliance with the Elastic License.

//+build ignore

package main

import (
"bytes"
"crypto/sha256"
"encoding/csv"
"encoding/hex"
"fmt"
"io"
"log"
"net/http"
"os"
"os/exec"
"strconv"
"strings"
)

// This file is used to generate the error code number to symbolic name mapping
// used in the Sysmon DNS event pipeline. It uses the Microsoft Error Lookup
// Tool to export the errors from winerror.h to CSV that extracts all of the
// error names that begin with "DNS_". It dumps the data to stdout and it can
// then be pasted in to the module.
//
// See https://docs.microsoft.com/en-us/windows/win32/debug/system-error-code-lookup-tool
// for details about the Microsoft Error Lookup Tool.

const microsoftErrorToolURL = "https://download.microsoft.com/download/4/3/2/432140e8-fb6c-4145-8192-25242838c542/Err_6.4.5/Err_6.4.5.exe"
const microsoftErrorToolSha256 = "88739EC82BA16A0B4A3C83C1DD2FCA6336AD8E2A1E5F1238C085B1E86AB8834A"

var includeCodes = []uint64{
5,
8,
13,
14,
123,
1214,
1223,
1460,
4312,
9560,
10054,
10055,
10060,
}

func main() {
hash, err := downloadErrorLookupTool()
if err != nil {
log.Fatal(err)
}

if hash != microsoftErrorToolSha256 {
log.Fatalf("bad sha256 for exe file: expected=%s, got=%s", microsoftErrorToolSha256, hash)
}

r, err := exportErrors()
if err != nil {
log.Fatal(err)
}

if err := parseCSV(r); err != nil {
log.Fatal(err)
}
}

// download MS Error Lookup tool.
func downloadErrorLookupTool() (string, error) {
resp, err := http.Get("https://download.microsoft.com/download/4/3/2/432140e8-fb6c-4145-8192-25242838c542/Err_6.4.5/Err_6.4.5.exe")
if err != nil {
return "", err
}
defer resp.Body.Close()

f, err := os.Create("Err.exe")
if err != nil {
return "", err
}
defer f.Close()

sha256Hash := sha256.New()
body := io.TeeReader(resp.Body, sha256Hash)
_, err = io.Copy(f, body)
return strings.ToUpper(hex.EncodeToString(sha256Hash.Sum(nil))), err
}

// exportErrors to CSV by executing Err.exe.
func exportErrors() (io.Reader, error) {
csvOutput := new(bytes.Buffer)

cmd := exec.Command("Err.exe", "/winerror.h", "/:outputtoCSV")
cmd.Stdout = csvOutput
cmd.Stderr = os.Stderr

return csvOutput, cmd.Run()
}

// parseCSV parses the CSV and outputs the error codes that begin with "DNS_".
func parseCSV(r io.Reader) error {
codes := map[uint64]struct{}{}
for _, ec := range includeCodes {
codes[ec] = struct{}{}
}

csvReader := csv.NewReader(r)
for {
fields, err := csvReader.Read()
if err != nil {
if err == io.EOF {
return nil
}
return err
}

if len(fields) != 4 {
return fmt.Errorf("parse error")
}

symbolicName := fields[1]
errorNumber, err := strconv.ParseUint(fields[0], 0, 64)
if err != nil {
log.Printf("Ignoring line because %v: %v", err, strings.Join(fields, ","))
continue
}

_, isIncludedCode := codes[errorNumber]
if isIncludedCode || strings.HasPrefix(symbolicName, "DNS_") {
fmt.Printf(`"%d": "%s",`+"\n", errorNumber, symbolicName)
}
}
return nil
}