Microsoft Windows - DNS
- tlapham
- rthornton
Windows Configuration
The Snare agent currently only supports the DNS debug txt log output, follow the below steps to configure and output the logs
Open the Domain Name System Microsoft Management Console on the server that you installed the Snare agent on (DNS MMC) snap-in by going to Start, Programs, Administrative Tools, and then DNS Manager.
From the DNS Server, right-click the server and select the Properties submenu.
The Properties pop-window will appear on your screen.
Select the Debug Logging tab and the Log packets debugging check box, respectively.
Ensure that the Incoming, UDP, Queries/Transfers, and Request check boxes are selected.
Specify the log path and name in the File path and name box. NOTE: To ensure that the server's drive does not exceed capacity, it is recommended that the file be placed on a drive with enough space with a max file size between 500MB and 1GB.
Click the OK button.
Agent Configuration
Snare can forward log data to Securonix using their pre-configured parsers. This guide outlines the steps to configure the Snare agent, along with links to the Securonix documentation on how to finalise configuration within Securonix itself.
Follow steps outlined here to install the Snare agent. Agent Installation - Snare Windows Agent v5 Documentation - Confluence
To collect the DNS logs from the newly created log file navigate to “Log Sources > Log Files”
Click “Add”, Select the log type and select “ Microsoft DNS server logs”
Select “Line seperating events” and in put “\r\n\r\n” this helps the agent identify where the individual logs start and end in the txt file.
Paste in the location of the log file e.g. C:\DNS.txt into the “Log file or Directory Field”
In the “Log File Format” Field input the name of the file e.g. *.log
Once happy click Change configuration and restart the service to save the change.
Once happy and changes applieed select “Destination configuration”.
Under the “Network Destinations” section, enter the domain/IP address and port for Snare Reflector, and ensure Format is “Snare” and “Delimiter Character” is “Tab”.
Snare Reflector Configuration
Login to Snare Central. Navigate to the Reflector UI (System->Administrative Tools-> Configure Collector/Reflector) and select “Destinations” on the left hand menu.
Select “Add Destination” at the bottom of the page and create a new destination with the following configuration and select “Update”, the “Proceed with update” and scroll to the top of the window and select “Restart Reflector” to apply the settings.
Configuration option | Value |
|---|---|
Hostname | IP/Hostname of the SNYPR instance in Securonix. |
Port | Port associated with the Snare Microsoft Windows parser |
Format | Set the format to “QRadar” |
Protocol | Set the protocol to UDP, TCP or TLS as per the configuration in SNYPR. |
Add Regular Expression | Create a policies with the following regular expression and mode set to “Include” (not including quotes): |
Once applied, return to the Reflector dashboard by selecting “Dashboard” and locate the chart for the destination that was just configured. Ensure the “Status” is “Sending” and that the chart has values.
Once applied, return to the Reflector dashboard by selecting “Dashboard” and locate the chart for the destination that was just configured. Ensure the “Status” is “Sending” and that the chart has values.
Finally, validate the delivery of logs to Securonix using the “Spotter” feature within the Securonix platform.