Detect DNS tunneling


#1

It`s the first time that i used Packetbeat, and I wanted to know How can we use packetbeat ,elasticsearch to capture DNS traffic and to detect DNS tunneling from my iodine ?

Thank you
Regards


(Andrew Kroh) #2

Here are some resources to help. They take the approach of looking for abnormally high number of unique sub-domains associated with a domain.

Blog: Detecting DNS Tunnels with Packetbeat and Watcher
Example Code: DNS Tunnel Detection

There has been one enhancement to Packetbeat 5.0 that makes things easier. We added a field called dns.question.etld_plus_one that does the work of finding the effective top level domain (ETLD) so you don't have to do it in Logstash or write a scripted field in Elasticsearch. So basically you can just send the Packetbeat data directly to Elasticsearch and don't need scripted fields.

To count the number of unique domains associated with a given ETLD you do a terms aggregation on the dns.question.etld_plus_one field then find the cardinality of the dns.question.name field within each of bucket.


#3

Hey!

sorry for the inconvenience, I have installed packetbeat and Elasticsearch on the iodine client and I followed the steps mentioned in the Blog but I couldn`t get any information about the DNS Traffic and about the detection of DNS Tunnel,

Could you please explain why I can`t get any output ?

Thanks


(Andrew Kroh) #4

Do you have a working installation of Packetbeat? What versions are you using? Are dns events being indexed into Elasticsearch?

What output do you get from this query? curl http://<elasticsearch>:9200/packetbeat-*/dns/_count?pretty


#5

now I get this:
{
"error" : {
"root_cause" : [ {
"type" : "invalid_index_name_exception",
"reason" : "Invalid index name [packetbeat-], must not contain the following characters [\, /, , ?, ", <, >, |, , ,]",
"index" : "packetbeat-
"
} ],
"type" : "invalid_index_name_exception",
"reason" : "Invalid index name [packetbeat-
], must not contain the following characters [\, /, , ?, ", <, >, |, , ,]",
"index" : "packetbeat-
"
},
"status" : 400

}


(Andrew Kroh) #6

Replace <elasticsearch> with the hostname or IP address of your Elasticsearch server.


(Andrew Kroh) #7

Looks like you have DNS data indexed in Packetbeat. Here's a sample query to look for some interesting domains.

curl http://<elasticsearch>:9200/packetbeat-*/dns/_search?pretty -d'
{
  "query": {
    "bool": {
      "filter": {
        "range": {
          "@timestamp": {
            "from": "now-4h"
          }
        }
      },
      "must_not": {
        "terms": {
          "dns.question.etld_plus_one": [
            "akadns.net.",
            "amazonaws.com.",
            "apple.com.",
            "apple-dns.net.",
            "cloudfront.net.",
            "icloud.com.",
            "in-addr.arpa.",
            "google.com.",
            "yahoo.com."
          ]
        }
      }
    }
  },
  "size": 0,
  "aggs": {
    "by_domain": {
      "terms": {
        "size": 0,
        "field": "dns.question.etld_plus_one"
      },
      "aggs": {
        "unique_hostnames": {
          "cardinality": {
            "field": "dns.question.name"
          }
        },
        "total_bytes_in": {
          "sum": {
            "field": "bytes_in"
          }
        },
        "total_bytes_out": {
          "sum": {
            "field": "bytes_out"
          }
        },
        "high_num_hostnames": {
          "bucket_selector": {
            "buckets_path": {
              "unique_hostnames": "unique_hostnames"
            },
            "script": "unique_hostnames > 10"
          }
        }
      }
    }
  }
}'

#8

this is what i get chen I tape the command {
"count" : 46182,
"_shards" : {
"total" : 15,
"successful" : 15,
"failed" : 0
}
}

To detect tunnel should I install Packetbeat 5.0 because I have the version
1.2 ?
where can I capture the traffic when enter the following command
/var/log/mybeat thiese are the first lines that i get.

"client_port": 57780,
"client_proc": "",
"client_server": "",
"count": 1,
"direction": "out",
"dns": {
"additionals_count": 0,
"answers": [
{
"class": "IN",
"data": "googlehosted.l.googleusercontent.com",
"name": "lh3.googleusercontent.com",
"ttl": 79420,
"type": "CNAME"
},
{
"class": "IN",
"data": "172.217.16.161",
"name": "googlehosted.l.googleusercontent.com",

Also I didn`t understand how can I use these fileds
(dns.question.etld_plus_one)

(dns.question.name)

Thank you and Sorry about the inconvenience
Regards


(Andrew Kroh) #9

Yes, the example query/aggregation I posted above requires Packetbeat 5.0 because it uses the dns.question.etld_plus_one field. Using Packetbeat 5.0 will simplify the overall setup because it doesn't require Logstash or any of the extra scripts used in blog post and example. You just capture the traffic to Elasticsearch and execute the query I provided. The query provides you with a list of domains that have a high number of unique hostnames. It also provides the total number of bytes used in requests and responses to/from these domains. You can adjust the unique_domains threshold and you can modify the whitelist.

Here's an example response from the query:

{
  "took": 1271,
  "timed_out": false,
  "_shards": {
    "total": 63,
    "successful": 63,
    "failed": 0
  },
  "hits": {
    "total": 34829,
    "max_score": 0,
    "hits": []
  },
  "aggregations": {
    "by_domain": {
      "doc_count_error_upper_bound": 37,
      "sum_other_doc_count": 3231,
      "buckets": [
        {
          "key": "sophosxl.net.",
          "doc_count": 2971,
          "unique_hostnames": {
            "value": 1005
          },
          "total_bytes_in": {
            "value": 154718
          },
          "total_bytes_out": {
            "value": 656802
          }
        },
        {
          "key": "syncthing.net.",
          "doc_count": 741,
          "unique_hostnames": {
            "value": 10
          },
          "total_bytes_in": {
            "value": 33973
          },
          "total_bytes_out": {
            "value": 137054
          }
        }
      ]
    }
  }
}

#10

Hey

I tried to apply the [Example Code: DNS Tunnel Detection](http://Example Code: DNS Tunnel Detection) but it doesnt work so please could you explain what kind of query did you use because it doesnt function for me and also you said that it doesn t require any extra scripts
could please provide me the query because I have to test it

Thank you !


(Andrew Kroh) #11

Are you using Packetbeat 5.0?

I provided the exact query in Detect DNS tunneling and also showed an example response in Detect DNS tunneling.


#12

Yes I am using Packetbeat 5.0 and elasticsearch 5.0 i get the DNS traffic
and I also used the query that you provided but i can't detect dns tunnel


(system) #13

This topic was automatically closed after 21 days. New replies are no longer allowed.


(Andrew Kroh) #14

(Andrew Kroh) #15

Then what is the query that I provided returning? Maybe you can need to adjust some of the parameters in the query.


(system) #16