AnsweredAssumed Answered

ESA Rule to Detect DNS Exfiltration

Question asked by David Waugh Employee on Feb 8, 2016
Latest reply on Feb 12, 2016 by David Waugh

The following is a sample ESA Rule to detect when a large amount of data is going to a destination. Its meant as an example and there are probably other better ways of doing this.

 

The two rules below:

  1. Keeps a track of the number of transmitted bytes from a client going to a destination and adds them up
  2. Only counts up the bytes if the client has made a DNS request in the last two minutes, or if a packet has been sent to the destination in the last two minutes. If a client has not made a request in the last two minutes then we reset the total for this client. This reduces the memory usage of the rule on ESA.
  3. Puts detected ip_src into a watchlist and then alerts on future DNS traffic from this client once the threshold have been met.
  4. Puts detected ip_dst into a watchlist and then alerts on future DNS traffic going to this destination once the threshold has been met.
  5. Only look at the size of the DNS packets and don't make assumptions on which part of the DNS Packet is used to exfiltrate the information.

 

Here are the two rules to paste into the Query Section of an advanced rule. To detect slower exfiltatrion increase the time between DNS packets from a source from 120 seconds upwards. Please note though, that the higher the value the more memory will be used and potentially more false positives could be created.

 

Further improvements could be:

  1. Only looking at DNS traffic that matches risk.suspicious meta
  2. Incorporating whitelists of known trusted DNS Servers

 

Rule to Detect over 5MB of traffic going to an IP Address over DNS with at most 120 Seconds between packets

 

module Module_6f32d5a7_da8e_45a4_b918_e57d9d718ead;

 

create window DNSsum3.win:time(86400 seconds) as select ip_dst, txbytes,esa_time from Event; //86400 seconds

// Create a Sliding window of 24 hours

 

// When an Event Arrives Update our DNSSum3 Windows with the current values

on Event(service =53 AND ip_dst is not NULL AND txbytes is not NULL  ) as myevent

merge DNSsum3 dns

where dns.ip_dst=myevent.ip_dst

when matched

   then update set txbytes = txbytes +myevent.txbytes, esa_time=myevent.esa_time

when not matched

   then insert select ip_dst,txbytes,esa_time;

 

//If the Last Time we had an event for a particular IP Dest was longer than  a certain period of time ago then we delete that record from the table. In this case the period of time is 120000 milliseconds =120 seconds

 

on Event(service =53 AND ip_dst is not NULL AND txbytes is not NULL  ) as myevent

delete from DNSsum3 dns

where dns.esa_time +120000 < myevent.esa_time ;

 

create window DNSWatchlist3.win:time(60 seconds) as select ip_dst from DNSsum3;

insert into DNSWatchlist3(ip_dst) select ip_dst from DNSsum3 group by ip_dst having sum(txbytes)>5000000;

     

        @Name('Module_6f32d5a7_da8e_45a4_b918_e57d9d718ead_Alert')

        @Description('')

        @RSAAlert(oneInSeconds=0)

        @RSAPersist

 

select * from  Event(service =53 AND ip_dst is not NULL AND txbytes is not NULL AND ip_dst IN (select ip_dst FROM DNSWatchlist3)).std:groupwin(ip_dst).win:time(60 seconds).std:firstunique(ip_dst) retain-intersection ;    

                 

;

 

Rule to Detect over 5MB of traffic going from an IP Address over DNS with at most 120 Seconds between packets

 

module Module_6f32d5a7_da8e_45a4_b918_e57d9d718eac;

 

 

create window DNSsum2.win:time(86400 seconds) as select ip_src, txbytes,esa_time from Event; //86400 seconds

// Create a Sliding window of 24 hours

 

 

// When an Event Arrives Update our DNSSum2 Windows with the current values

on Event(service =53 AND ip_src is not NULL AND txbytes is not NULL  ) as myevent

merge DNSsum2 dns

where dns.ip_src=myevent.ip_src

when matched

   then update set txbytes = txbytes +myevent.txbytes, esa_time=myevent.esa_time

when not matched

   then insert select ip_src,txbytes,esa_time;

 

 

//If the Last Time we had an event for a particular IP Source was longer than  a certain period of time ago then we delete that record from the table. In this case the period of time is 120000 milliseconds = 60 seconds

 

 

on Event(service =53 AND ip_src is not NULL AND txbytes is not NULL  ) as myevent

delete from DNSsum2 dns

where dns.esa_time +120000 < myevent.esa_time ;

 

create window DNSWatchlist2.win:time(60 seconds) as select ip_src from DNSsum2;

insert into DNSWatchlist2(ip_src) select ip_src from DNSsum2 group by ip_src having sum(txbytes)>5000000;

     

        @Name('Module_6f32d5a7_da8e_45a4_b918_e57d9d718eac_Alert')

        @Description('')

        @RSAAlert(oneInSeconds=0)

        @RSAPersist

 

 

select * from  Event(service =53 AND ip_src is not NULL AND txbytes is not NULL AND ip_src IN (select ip_src FROM DNSWatchlist2)).std:groupwin(ip_src).win:time(60 seconds).std:firstunique(ip_src) retain-intersection ;    

                 

Outcomes