
Parsing Microsoft DNS Logs

January 20, 2017

I was thinking of starting this with a DNS joke, but then I realized it could take 24 hours before anyone would get it. Now let’s all pretend that I didn’t just tell that joke. Speaking of DNS, has anyone looked at a Microsoft DNS log? Quite an interesting, captivating read, if you were a sloth. To make matters worse, once it grows larger than 100 MB, opening it isn’t very fun. Let me rephrase my original statement: sloths also think logs are not fun. But there is hope.


Brah, do you even parse?

Manually reading log files is on its way out. If you’re looking for something specific, you need to parse the log file and compare it against what you’re looking for. For this I chose to use Python. I know there are a lot of other ways of doing it, but I’ve been interested in trying some things out with Python.

First, if you don’t know how to set up DNS logging, you’ll need to do that.

  1. Open your DNS snap-in.
  2. Right click your DNS Server and go to Properties.
  3. Go to the Debug Logging tab.
  4. Check the box for Log packets for debugging.
  5. Choose the file path and name of the log.
  6. Choose a size that you’re comfortable with and hit OK.

Moving to the meat of the program, we will want to import two libraries.

import os.path
import re

After that let’s set the location for the DNS files. You’ll want to customize this.

# The trailing backslash-space is there because a raw string cannot end in a
# single backslash; os.path.dirname() drops that last component again.
scriptpath = os.path.dirname(r"\\myserver\location\dnslogs\ ")
dnsFile = os.path.join(scriptpath, 'dns.log')

Then we’ll want to declare a list to be used.

dnsList = []

Let’s parse out the log file now. I even included comments to make this an easy read.

with open(dnsFile, 'r') as myDnsFile:
    for dnsLine in myDnsFile:
        # Only use lines that contain Snd to reduce the size of the search.
        if 'Snd' in dnsLine:
            # Use regex to pull out each label between the parentheses,
            # e.g. (3)www(6)google(3)com(0) -> ['www', 'google', 'com']
            dnsSub = re.findall(r'\)(.+?)\(', dnsLine)
            # Join the labels with periods to get the queried name
            dnsUrl = '.'.join(dnsSub)
            # Use regex to find the IP address (the first dotted quad on the line)
            ipSub = re.findall(r'\d+\.\d+\.\d+\.\d+', dnsLine)
            ipRequest = ipSub[0] if ipSub else ''
            # Use regex to find the date
            dateSub = re.findall(r'\d+/\d+/\d+', dnsLine)
            date = dateSub[0] if dateSub else ''
            # Use regex to find the time, including the AM/PM marker
            timeSub = re.findall(r'\d+:\d+:\d+ [AP]M', dnsLine)
            time = timeSub[0] if timeSub else ''
            # Add to dnsList for ease of use.
            dnsList.append([dnsUrl, ipRequest, date, time])

Next we’ll want to compare this against something. Let’s say you want to make sure no one is making requests to known malware domains. Let’s start by downloading a good malware domain list.

import urllib.request
blackListUrl = urllib.request.urlopen('http://mirror1.malwaredomains.com/files/justdomains')
blackList = blackListUrl.read().decode('utf-8').splitlines()

Wow, that was a whole lot easier to parse out and get good information from.

The last thing would be to compare the two lists.

# A set makes each lookup constant-time instead of scanning the whole black list per query.
blackListSet = set(blackList)
for eachDnsList in dnsList:
    if eachDnsList[0] in blackListSet:
        print("Match:", eachDnsList[0], "was accessed by", eachDnsList[1])

There you have it. The full file will look like this.

import os.path
import re
import urllib.request

# Location of the DNS file
# You'll want to customize this.
# The trailing backslash-space is there because a raw string cannot end in a
# single backslash; os.path.dirname() drops that last component again.
scriptpath = os.path.dirname(r"\\myserver\location\dnslogs\ ")
# DNS file name
dnsFile = os.path.join(scriptpath, 'dns.log')
# Location of black list database
blackListUrl = urllib.request.urlopen('http://mirror1.malwaredomains.com/files/justdomains')

# Declare lists to be used
blackList = []
dnsList = []

# Create a list of lists from the Microsoft DNS file.
with open(dnsFile, 'r') as myDnsFile:
    for dnsLine in myDnsFile:
        # Only use lines that contain Snd to reduce the size of the search.
        if 'Snd' in dnsLine:
            # Use regex to pull out each label between the parentheses,
            # e.g. (3)www(6)google(3)com(0) -> ['www', 'google', 'com']
            dnsSub = re.findall(r'\)(.+?)\(', dnsLine)
            # Join the labels with periods to get the queried name
            dnsUrl = '.'.join(dnsSub)
            # Use regex to find the IP address (the first dotted quad on the line)
            ipSub = re.findall(r'\d+\.\d+\.\d+\.\d+', dnsLine)
            ipRequest = ipSub[0] if ipSub else ''
            # Use regex to find the date
            dateSub = re.findall(r'\d+/\d+/\d+', dnsLine)
            date = dateSub[0] if dateSub else ''
            # Use regex to find the time, including the AM/PM marker
            timeSub = re.findall(r'\d+:\d+:\d+ [AP]M', dnsLine)
            time = timeSub[0] if timeSub else ''
            # Add to list
            dnsList.append([dnsUrl, ipRequest, date, time])

# Create a list from the black list file.
blackList = blackListUrl.read().decode('utf-8').splitlines()
# A set makes each lookup constant-time instead of scanning the whole black list per query.
blackListSet = set(blackList)

# Compare both lists
for eachDnsList in dnsList:
    if eachDnsList[0] in blackListSet:
        print("Match:", eachDnsList[0], "was accessed by", eachDnsList[1],
              "on", eachDnsList[2], eachDnsList[3])
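As an added example (not the post's own code), here is the same parse-and-compare flow written so that it can be exercised offline. The four log lines and the blocklist text are constructed to follow the layout the post's regexes expect (date, time, a Snd/Rcv direction, the remote IP, and the queried name written as (3)www(7)example(3)com(0)); they are not real server output, and the function and variable names are my own. It goes beyond the post in two ways: each field is taken from a single anchored regex rather than from the first dotted quad or date-like token found anywhere on the line, and a blocklist entry such as bad.example.org also catches lookups of its subdomains (cdn.bad.example.org), which the post's exact-string comparison would miss.

```python
"""Parse Microsoft DNS debug-log packet lines and check queried names
against a blocklist. Added example; the sample data below is constructed."""
import re

# Constructed sample lines in the shape of DNS debug-log packet entries.
SAMPLE_LOG = """\
1/20/2017 10:15:32 AM 0B2C PACKET  000000C4F9E1A2B0 UDP Snd 192.168.1.25   4a1b R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
1/20/2017 10:15:33 AM 0B2C PACKET  000000C4F9E1A2B0 UDP Rcv 192.168.1.25   4a1c   Q [0001   D   NOERROR] A      (3)cdn(3)bad(7)example(3)org(0)
1/20/2017 10:15:33 AM 0B2C PACKET  000000C4F9E1A2B0 UDP Snd 192.168.1.25   4a1c R Q [8081   DR  NOERROR] A      (3)cdn(3)bad(7)example(3)org(0)
1/20/2017 10:15:40 AM 0B2C PACKET  000000C4F9E1A2B0 UDP Snd 10.0.0.7       4a1d R Q [8081   DR  NXDOMAIN] A      (6)update(8)evil-c2c(3)net(0)
"""

# Constructed blocklist standing in for the one-domain-per-line feed the post downloads.
SAMPLE_BLOCKLIST = """\
bad.example.org
evil-c2c.net
# comment lines and blank lines are ignored

"""

# One anchored pattern: date, time with AM/PM, direction, remote IP, then the
# length-prefixed labels of the queried name up to the terminating (0).
LINE_RE = re.compile(
    r'^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) .*?'
    r'\b(?P<dir>Snd|Rcv) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) .*?'
    r'(?P<labels>(?:\(\d+\)[^()\s]+)+)\(0\)\s*$'
)
LABEL_RE = re.compile(r'\(\d+\)([^()\s]+)')


def parse_dns_log(text):
    """Return one dict per Snd line (the post's choice of direction) with the
    queried name, remote IP, date and time. Lines that do not fit are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group('dir') != 'Snd':
            continue
        name = '.'.join(LABEL_RE.findall(m.group('labels'))).lower()
        records.append({'name': name, 'ip': m.group('ip'),
                        'date': m.group('date'), 'time': m.group('time')})
    return records


def load_blocklist(text):
    """Build a set of normalized domains from a one-per-line feed."""
    return {line.strip().lower().rstrip('.')
            for line in text.splitlines()
            if line.strip() and not line.startswith('#')}


def find_matches(records, blocklist):
    """Match a queried name or any of its parent domains against the blocklist.
    Returns (queried name, matching blocklist entry, ip, date, time) tuples."""
    matches = []
    for rec in records:
        labels = rec['name'].split('.')
        for i in range(len(labels)):
            candidate = '.'.join(labels[i:])
            if candidate in blocklist:
                matches.append((rec['name'], candidate, rec['ip'], rec['date'], rec['time']))
                break
    return matches


def scan(log_text, blocklist_text):
    """Convenience wrapper: parse, load, compare."""
    return find_matches(parse_dns_log(log_text), load_blocklist(blocklist_text))


if __name__ == '__main__':
    for name, entry, ip, date, time in scan(SAMPLE_LOG, SAMPLE_BLOCKLIST):
        print(f"Match: {name} (blocklist entry {entry}) was requested by {ip} on {date} {time}")
```

To run it against a real server, read the log file into `log_text` and the downloaded feed into `blocklist_text` and pass both to `scan()`. Skipping lines that do not match the anchored pattern is deliberate: a truncated or differently formatted line then produces no record instead of a record with a wrong IP or a half-parsed name.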