Sysmon DNS Query missing Status codes

Nicholas_Penning · December 31, 2019, 12:06am

Hello,

We are ingesting some SysMon (Version 10.41) DNS logs via WinLogbeat 7.4.0 and have found that some status codes are not either getting translated with the sysmon.js or are not in the list. I will focus on the event log that is in the list. The status is 9560 which should be displaying as DNS_ERROR_INVALID_NAME_CHAR but instead the logs in Kibana are showing 9560.

From Microsoft (https://docs.microsoft.com/en-us/windows/win32/debug/system-error-codes--9000-11999-)

DNS_ERROR_INVALID_NAME_CHAR

9560 (0x2558)

DNS name contains an invalid character.

You can test this by trying to ping www.google,com

You see that the status code is in fact 9560 in the Windows event log but for some reason the sysmon.js doesn't clean up like most of the other DNS queries. Any ideas?

Thanks!

andrewkroh · January 20, 2020, 2:49pm

This is a bug. I must have made a mistake in parsing the header file. Can you open a bug on github for this one.

Nicholas_Penning · January 20, 2020, 6:22pm

Hi Andrew!

Yes I can do that. Would you like me to provide all event code's that don't get translated to the names or just this one?

Here is the quick list (sysmon.dns.status):
1460
9560
123
1223
4312
10054

Nicholas_Penning · January 20, 2020, 6:44pm

I went ahead and created an issue on GitHub, please let me know what other information you may need.

Thanks again for looking into this!

system · February 17, 2020, 8:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.