
I have set up NXLog for the purpose of consuming DNS analytical events and forwarding them to an NDR solution. I'm using im_etw as the input and parsing to syslog with xm_syslog and om_file. The output is to a file stored locally on the DNS server.

When I take a closer look at event IDs 256 and 257, the DNS analytical log provides some interesting fields such as source, query and packet data, which seems to be a hex value of the query or response.

Has anyone decoded the PacketData field into a readable format?

Config below:

<Extension _syslog>
Module xm_syslog
</Extension>

<Input etw>
Module im_etw
Provider Microsoft-Windows-DNSServer
</Input>

<Output file>
Module om_file
File 'C:\Users\Administrator\Documents\output_syslog.log'
# Format each ETW event as a syslog line; parse_syslog() would instead try to parse $raw_event as incoming syslog.
Exec to_syslog_bsd();
</Output>

<Route etw_file>
Path etw => file
</Route>

Asked February 8, 2021 - 2:02am

Answer (1)

The im_pcap module has a DNS decoder that should get you this data, though I understand that requires a different setup than capturing the ETW trace directly.

To decode PacketData produced by im_etw you could use xm_perl.
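As an added example (not from the original post and not NXLog's own code), here is a stand-alone Python decoder for the hex PacketData field: it parses the DNS header, question and answer sections, follows RFC 1035 name compression pointers and rejects pointer loops in malformed packets. The sample hex and the function names are constructed for this example; the same logic could be ported into an xm_perl Exec block.

```python
import struct

# Constructed sample (not a captured value): a DNS response for example.com laid out
# the way the PacketData field of a DNS analytical event carries a packet in hex.
SAMPLE_PACKETDATA = ("1a2b81800001000100000000"            # header: id, flags, counts
                     "076578616d706c6503636f6d0000010001"  # question: example.com A IN
                     "c00c0001000100000e1000045db8d822")   # answer: A 93.184.216.34, TTL 3600
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}

def read_name(buf, off):
    """Decode a DNS name at off, following compression pointers; returns (name, next offset)."""
    labels, end, hops = [], None, 0        # end: first byte after the name as written
    while True:
        length = buf[off]
        if length >= 0xC0:                          # 2-byte compression pointer
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | buf[off + 1]
            if (hops := hops + 1) > 16:             # malformed packet: pointer loop
                raise ValueError("compression pointer loop")
        elif length == 0:                           # root label terminates the name
            return ".".join(labels) or ".", (off + 1 if end is None else end)
        else:
            labels.append(buf[off + 1:off + 1 + length].decode("ascii", "replace"))
            off += 1 + length

def read_rr(buf, off):
    # One resource record: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA
    name, off = read_name(buf, off)
    rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
    off += 10
    rdata = buf[off:off + rdlen]
    if rtype == 1 and rdlen == 4:
        value = ".".join(str(b) for b in rdata)     # IPv4 dotted quad
    elif rtype in (2, 5, 12):
        value = read_name(buf, off)[0]              # NS/CNAME/PTR carry a name
    else:
        value = rdata.hex()                         # anything else stays as hex
    return {"name": name, "type": TYPE_NAMES.get(rtype, str(rtype)),
            "ttl": ttl, "rdata": value}, off + rdlen

def decode_packetdata(hexstr):
    # Header is six big-endian 16-bit fields; the question section starts at byte 12
    buf = bytes.fromhex(hexstr)
    ident, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", buf, 0)
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(buf, off)
        qtype, _qclass = struct.unpack_from("!HH", buf, off)
        off += 4
        questions.append({"name": name, "type": TYPE_NAMES.get(qtype, str(qtype))})
    for _ in range(an):
        rr, off = read_rr(buf, off)
        answers.append(rr)
    return {"id": ident, "response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}
```

Authority and additional sections are skipped here; they follow the same resource record layout and can be read with further read_rr calls.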

Comments (1)

  • PD_085948

    Hi b0ti - thanks for your comment.

    A question regarding im_pcap - is dev where I set the interface I am monitoring? My interface on the server is Ethernet adapter Ethernet0:

    <Input pcap>
    Module im_pcap
    Dev enp0s3 <== should this be Ethernet0?

    Also, I keep getting errors.

    2021-02-10 16:00:27 ERROR [CORE|main] Failed to load module from C:\Program Files\nxlog\modules\input\im_pcap.dll, The specified module could not be found. ; The specified module could not be found.
    2021-02-10 16:00:27 WARNING [CORE|main] no functional input modules!
    2021-02-10 16:00:27 ERROR [CORE|main] module 'pcap' is not declared at C:\Program Files\nxlog\conf\nxlog.conf:82
    2021-02-10 16:00:27 ERROR [CORE|main] route pcap_file is not functional without input modules, ignored at C:\Program Files\nxlog\conf\nxlog.conf:82

    I checked the C:\Program Files\nxlog\modules\input\ directory and the file im_pcap.dll is in the directory.

    Config I have used:

    define INSTALLDIR C:\Program Files\nxlog

    #ModuleDir %INSTALLDIR%\modules
    #CacheDir %INSTALLDIR%\data
    #SpoolDir %INSTALLDIR%\data

    define CERTDIR %INSTALLDIR%\cert
    define CONFDIR %INSTALLDIR%\conf\nxlog.d

    # Note that these two lines define constants only; the log file location
    # is ultimately set by the `LogFile` directive (see below). The
    # `MYLOGFILE` define is also used to rotate the log file automatically
    # (see the `_fileop` block).
    define LOGDIR %INSTALLDIR%\data
    define MYLOGFILE %LOGDIR%\nxlog.log

    # If you are not using NXLog Manager, disable the `include` line
    # and enable LogLevel and LogFile.
    include %CONFDIR%\*.conf

    #LogLevel INFO
    #LogFile %MYLOGFILE%

    <Extension _json>
    Module xm_json
    </Extension>

    <Input pcap>
    Module im_pcap
    Dev enp0s3
    <Protocol>
    Type dns
    Field dns.opcode
    Field dns.id
    Field dns.flags.authoritative
    Field dns.flags.recursion_available
    Field dns.flags.recursion_desired
    Field dns.flags.authentic_data
    Field dns.flags.checking_disabled
    Field dns.flags.truncated_response
    Field dns.response
    Field dns.response.code
    Field dns.query
    Field dns.additional
    Field dns.answer
    Field dns.authority
    </Protocol>
    <Protocol>
    Type ipv4
    Field ipv4.src
    Field ipv4.dst
    Field ipv4.fragment
    </Protocol>
    <Protocol>
    Type ipv6
    Field ipv6.src
    Field ipv6.dst
    Field ipv6.options
    </Protocol>
    <Protocol>
    Type tcp
    Field tcp.src_port
    Field tcp.dst_port
    Field tcp.flag
    </Protocol>
    <Protocol>
    Type udp
    Field udp.src_port
    Field udp.dst_port
    </Protocol>
    </Input>

    <Output file>
    Module om_file
    File "C:\Users\Administrator\Documents\passive_dns.json"
    Exec to_json();
    </Output>

    <Route pcap_file>
    Path pcap => file
    </Route>