NetWitness Community

jcarleton · ‎2014-06-17

I'm looking to parse DNS logs (query/answer) from our environment, and am wondering if there's a parser that works for this?

DNS -Verbose, and DNS_verbose_lua exist in the Live feeds, but doesn't specify _if_ it pulls from MS's dns.log. Our DNS is handled mostly by Win2008 machines.

Anonymous · ‎2014-06-17

The parsers you mention are both Network Parsers used by the SA Packet Decoder. They register meta for DNS queries based on the packet capture being performed by the Packet Decoder.

To read the DNS logs from a Windows Server you will need to use a Log Decoder (and/or Log Collector), and configure event collection for Windows events. The standard windows event parser (winevent_nic) supports Microsoft DNS logs. You may need to ensure that you include the DNS events channel for collection by the Log Collector: Configure Windows Event Sources - RSA Security Analytics Documentation

Anonymous · ‎2014-06-18

This is an old parser XML that was written for enVision (by a customer) using the ESI tool. As stated, I believe the standard windows parser will also process the DNS logs. If I recall correctly, there are issues with the way that the logs are generated - each portion of the fqdn has the number of charecters in front of it (i.e.: (9)community(3)emc(3)com )

Anonymous · ‎2015-08-08

We had to develop a lua parser to convert (9)community(3)emc(3)com ) in community.emc.com and save the result in meta alias.host.

Should be a mandatory feature for a SIEM in 2015...

Anonymous · ‎2015-08-11

Can you post that LUA? And do LUAs work for logs atm?

MassimilianoFau · ‎2015-08-13

Standard MS DNS parser do that, but save in domain instead of alias.host

https://knowledge.rsasecurity.com/scolcms/set.aspx?id=9838

NetWitness Community

MS DNS log parser?