Help with Detecting DNS Tunnels with PacketBeat + Watcher

Hi @andrewkroh - Hope you are doing well!

I would require your help to build Detecting DNS Tunnels with PacketBeat+Watcher using the ELK stack 6.0; I believe the current example is not supported on the 6.x stack.

What changes do I need to make for it to work with 6.x?

Many Thanks,
Neal

Hi @Madhu_Neal1

I have managed to make the example work with the 6.0.1 stack with a few changes:

  • When invoking packetbeat, don't pass the -waitstop 10 and -t flags.
  • In packetbeat-dns.template.json, rename the dns document type to doc.
  • Inline the dns_transform.painless script into unique_hostnames_watch.json.

Here's the diff:

diff --git a/Security Analytics/dns_tunnel_detection/packetbeat-dns.template.json b/Security Analytics/dns_tunnel_detection/packetbeat-dns.template.json
index 9083706..c75c022 100644
--- a/Security Analytics/dns_tunnel_detection/packetbeat-dns.template.json
+++ b/Security Analytics/dns_tunnel_detection/packetbeat-dns.template.json
@@ -30,9 +30,9 @@
       }
    },
    "mappings": {
-      "dns": {
+      "doc": {
          "properties": {
-            "dns": {
+            "doc": {
                "properties": {
                   "question": {
                      "properties": {
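Review bot: the second rename in this hunk, the inner `"dns"` under `"properties"`, looks like a mistake: only the outer mapping type key has to become `doc` for 6.x, while the inner `dns` is the field namespace that holds `question` and the other DNS fields (dns.question.*), so renaming it to `doc` means the explicit mappings beneath it no longer match what Packetbeat indexes and those fields fall back to dynamic mapping. Suggest keeping `"dns": { "properties": { "question": ...` unchanged and changing only the type key.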
diff --git a/Security Analytics/dns_tunnel_detection/unique_hostnames_watch.json b/Security Analytics/dns_tunnel_detection/unique_hostnames_watch.json
index c1d3048..c5da94a 100644
--- a/Security Analytics/dns_tunnel_detection/unique_hostnames_watch.json
+++ b/Security Analytics/dns_tunnel_detection/unique_hostnames_watch.json
@@ -81,7 +81,15 @@
     },
     "transform": {
       "script": {
-        "file": "dns_transform"
+        "source": "def alerts = ctx.payload.aggregations.by_domain.buckets.stream().collect(Collectors.toMap(p->p.key,item->[
+        \"total_requests\" : item.doc_count,
+        \"unique_hostnames\" : item.unique_hostnames.value,
+        \"total_bytes_in\" : item.total_bytes_in.value,
+        \"total_bytes_out\" : item.total_bytes_out.value,
+        \"total_bytes\" : item.total_bytes_in.value + item.total_bytes_out.value
+]));
+return [\"alerts\":alerts];"
+
       }
     },
     "actions": {
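Review bot: the inlined `"source"` value starting at the first `+` line runs across several physical lines, so the JSON string contains raw newlines; Elasticsearch's parser tolerates that, but strict JSON tooling (jq, linters, a CI validation step) will reject the file. Suggest escaping the breaks as `\n` or collapsing the script onto one line. Also, with the `"file": "dns_transform"` reference removed, dns_transform.painless becomes unreferenced in the repo; either delete it or note in the README that the script is now inline.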

I've sent a PR to update the docs, although maybe it's best to keep separate versions:
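To make concrete what the inlined transform computes, here is an added Python re-implementation of the watch's per-domain aggregation and transform, run over constructed DNS records; it is not code from the thread or from the Elastic examples repo, and the field names (etld_plus_one, name, bytes_in, bytes_out) and the alert threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample records shaped like Packetbeat DNS transactions (field names assumed).
# 220 distinct labels under one registered domain imitates the encoded-data pattern the
# watch looks for; example.com. is ordinary traffic: few hostnames, many repeats.
SAMPLE_DNS = [
    {"etld_plus_one": "pirate.sea.", "name": f"h{i:04d}.pirate.sea.", "bytes_in": 80, "bytes_out": 160}
    for i in range(220)
] + [
    {"etld_plus_one": "example.com.", "name": f"{h}.example.com.", "bytes_in": 60, "bytes_out": 120}
    for h in ("www", "mail", "cdn") for _ in range(50)
]


def aggregate_by_domain(records):
    """Mimic the watch's by_domain terms aggregation and its sub-aggregations.

    The real watch uses a cardinality aggregation (approximate) for unique
    hostnames; a set gives the exact count here.
    """
    buckets = defaultdict(lambda: {"doc_count": 0, "hostnames": set(), "bytes_in": 0, "bytes_out": 0})
    for r in records:
        b = buckets[r["etld_plus_one"]]
        b["doc_count"] += 1
        b["hostnames"].add(r["name"].lower())  # DNS names are case-insensitive
        b["bytes_in"] += r["bytes_in"]
        b["bytes_out"] += r["bytes_out"]
    return buckets


def transform(buckets):
    """Produce the same shape as the inlined Painless transform: {domain: {stats}}."""
    return {
        domain: {
            "total_requests": b["doc_count"],
            "unique_hostnames": len(b["hostnames"]),
            "total_bytes_in": b["bytes_in"],
            "total_bytes_out": b["bytes_out"],
            "total_bytes": b["bytes_in"] + b["bytes_out"],
        }
        for domain, b in buckets.items()
    }


def alerts(records, min_unique_hostnames=100):
    """Keep only domains over the threshold (the watch does this in its condition;
    the value 100 is an assumption, the original threshold is not shown in the thread)."""
    stats = transform(aggregate_by_domain(records))
    return {d: s for d, s in stats.items() if s["unique_hostnames"] >= min_unique_hostnames}
```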

Adrian, thanks for modifying the example; now I can deploy this example on the 6.x stack successfully.

But when I am trying to deploy unique_hostnames_watch.json, I see the error below. Note: I am running the ELK stack on Elastic Cloud.

"actions" : [
  {
    "id" : "log_domains",
    "type" : "logging",
    "status" : "success",
    "logging" : {
      "logged_text" : "The following domain(s) have a high number of unique hostnames: {pirate.sea.={unique_hostnames=220, total_bytes_in=16716.0, total_bytes=51877.0, total_requests=220, total_bytes_out=35161.0}}"
    }
  },
  {
    "id" : "email_alert",
    "type" : "email",
    "status" : "failure",
    "error" : {
      "root_cause" : [
        {
          "type" : "messaging_exception",
          "reason" : "failed to send email with subject [ DNS Tunnel Alert] via account [work]"
        }
      ],
      "type" : "messaging_exception",
      "reason" : "failed to send email with subject [ DNS Tunnel Alert] via account [work]",
      "caused_by" : {
        "type" : "send_failed_exception",
        "reason" : "Invalid Addresses",
        "caused_by" : {
          "type" : "s_m_t_p_address_failed_exception",
          "reason" : "554 5.7.1 <'Madhu>: Recipient address rejected: Access denied\n",
          "caused_by" : {
            "type" : "s_m_t_p_address_failed_exception",
            "reason" : "554 5.7.1 gaddem.madhu@gmail.com: Recipient address rejected: Access denied\n"
          }
        }
      }
    }
  }
]
},
"messages" : [ ]
}
}

Did you whitelist that address with Elastic Cloud? https://www.elastic.co/guide/en/cloud/current/ec-watcher.html#ec-watcher-whitelist
