
Not log DnsQuery EventID 22

Open PoundXI opened this issue 3 years ago • 10 comments

OS: Ubuntu 20.04
Installation instruction: https://github.com/Sysinternals/SysmonForLinux/blob/main/INSTALL.md#ubuntu-1804-2004--2104

sysmon config:

<Sysmon schemaversion="4.21">
  <EventFiltering>
    <DnsQuery onmatch="exclude">
    </DnsQuery>
  </EventFiltering>
</Sysmon>

command for making dns query: ping www.google.com

checking event id: sudo cat /var/log/syslog | grep -oP "EventID>\d+<" | sort -u

result:

EventID>1<
EventID>16<
EventID>4<
EventID>5<

PoundXI avatar Dec 26 '21 10:12 PoundXI
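The check above (grep the EventIDs out of syslog and compare with what the config should produce) can be automated. The following is an added example, not code from the thread or from the Sysmon for Linux project: it parses a Sysmon config, works out which rule groups are enabled, counts the EventIDs present in the log lines, and reports the enabled groups that never logged anything. The rule-group-to-EventID table and the sample log lines are constructed for the example; to run it against a real host, pass `open("/var/log/syslog")` as the log input.

```python
import re
import xml.etree.ElementTree as ET

# Sysmon event IDs per rule group (Sysmon for Linux reuses the Windows Sysmon IDs).
# Only the groups relevant to this issue are listed; extend as needed.
RULE_EVENT_IDS = {
    "ProcessCreate": {1}, "NetworkConnect": {3}, "ProcessTerminate": {5},
    "RawAccessRead": {9}, "FileCreate": {11}, "DnsQuery": {22}, "FileDelete": {23},
}
EVENT_ID_RE = re.compile(r"<EventID>(\d+)</EventID>")

# Constructed sample of the syslog lines Sysmon for Linux writes (event bodies trimmed),
# mirroring the IDs seen in the report above: 1, 16, 4, 5 and no 22.
SAMPLE_LOG = [
    '<Event><System><Provider Name="Linux-Sysmon"/><EventID>1</EventID></System></Event>',
    '<Event><System><Provider Name="Linux-Sysmon"/><EventID>16</EventID></System></Event>',
    '<Event><System><Provider Name="Linux-Sysmon"/><EventID>4</EventID></System></Event>',
    '<Event><System><Provider Name="Linux-Sysmon"/><EventID>5</EventID></System></Event>',
]

def enabled_rules(config_xml):
    """Rule groups expected to emit events. onmatch="exclude" logs everything not
    excluded (an empty body logs all); onmatch="include" logs only if rules are listed."""
    enabled = set()
    filtering = ET.fromstring(config_xml).find("EventFiltering")
    for node in ([] if filtering is None else filtering):
        rules = list(node) if node.tag == "RuleGroup" else [node]
        for rule in rules:
            if rule.get("onmatch", "exclude").lower() == "exclude" or len(rule) > 0:
                enabled.add(rule.tag)
    return enabled

def observed_event_ids(log_lines):
    """Count EventIDs across log lines (same idea as the grep/sort pipeline in the issue)."""
    counts = {}
    for line in log_lines:
        for match in EVENT_ID_RE.finditer(line):
            eid = int(match.group(1))
            counts[eid] = counts.get(eid, 0) + 1
    return counts

def missing_event_types(config_xml, log_lines):
    """Enabled rule groups whose event IDs never appear in the log: the telemetry gap."""
    counts = observed_event_ids(log_lines)
    return sorted(rule for rule in enabled_rules(config_xml)
                  if rule in RULE_EVENT_IDS
                  and not any(counts.get(eid, 0) for eid in RULE_EVENT_IDS[rule]))

if __name__ == "__main__":
    cfg = ('<Sysmon schemaversion="4.21"><EventFiltering>'
           '<DnsQuery onmatch="exclude"></DnsQuery></EventFiltering></Sysmon>')
    print(observed_event_ids(SAMPLE_LOG))        # {1: 1, 16: 1, 4: 1, 5: 1}
    print(missing_event_types(cfg, SAMPLE_LOG))  # ['DnsQuery']
```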

It seems that kernel 4.19.208-1 (debian 10) and 5.10.0-6 (debian 11) are not supported at the moment

lightoyou avatar Jan 11 '22 15:01 lightoyou

SYSMONEVENT_RAWACCESS_READ seems not working too :(

lightoyou avatar Jan 11 '22 15:01 lightoyou

Yep...even on a Ubuntu 20.04 Server LTS system...it does not log anything. Considering all the other bugs (broken in RHEL systems), wrong man page (they use Windows stuff on a Linux system)...SysmonForLinux seems to be in alpha stage ...and I don't get it why the Sysinternals team has all those "features" in it that don't work at all.

SirStephanikus avatar Nov 12 '22 11:11 SirStephanikus

@PoundXI Try without specifying the config file. Does sysmon generate any events in that scenario?

MarioHewardt avatar Jan 13 '23 23:01 MarioHewardt

@PoundXI Try without specifying the config file. Does sysmon generate any events in that scenario?

Just process create & terminate events

PoundXI avatar Jan 26 '23 15:01 PoundXI

Thanks for checking. I've tagged this as a bug for now and added to backlog.

MarioHewardt avatar Jan 26 '23 17:01 MarioHewardt

Observing same issue with sysmon 1.2.0 with some variations on debian 11.7 and ubuntu 22.04. Any way to troubleshoot?

expecting more in both cases (RawAccessRead for both and file/network/service for the first one):

debian11# journalctl -xeu sysmon -l --no-pager | /opt/sysmon/sysmonLogView |grep Event | sort | uniq -c | sort -nr
    630 Event SYSMONEVENT_PROCESS_TERMINATE
    370 Event SYSMONEVENT_CREATE_PROCESS
ubuntu22# journalctl -xeu sysmon -l --no-pager | /opt/sysmon/sysmonLogView |grep 'Event' | sort | uniq -c | sort -nr
     95 Event SYSMONEVENT_PROCESS_TERMINATE
     67 Event SYSMONEVENT_CREATE_PROCESS
      7 Event SYSMONEVENT_NETWORK_CONNECT
      5 Event SYSMONEVENT_FILE_DELETE
      5 Event SYSMONEVENT_FILE_CREATE
      1 Event SYSMONEVENT_SERVICE_STATE_CHANGE
      1 Event SYSMONEVENT_SERVICE_CONFIGURATION_CHANGE

Config based on https://github.com/microsoft/MSTIC-Sysmon/tree/main/linux/configs and https://github.com/juju4/ansible-sysmon/blob/main/templates/config.xml.j2

Not seeing any DNS catch in https://github.com/Sysinternals/SysmonForLinux/blob/main/sysmonforlinux.c#L848 but have SYSMONEVENT_NETWORK_CONNECT_EVENT_value and SYSMONEVENT_RAWACCESS_READ_EVENT_value

juju4 avatar Sep 02 '23 12:09 juju4

Thanks for reporting this. I've been a bit back logged but hopefully I can look into this in the next couple of weeks.

MarioHewardt avatar Sep 02 '23 22:09 MarioHewardt

Any updates on this?

0xab3d avatar Apr 02 '24 22:04 0xab3d

Hi @0xab3d - Thanks for checking in. We haven't implemented this yet as we're currently busy with other infrastructure work. I will keep everyone updated once we get to this.

MarioHewardt avatar Apr 03 '24 16:04 MarioHewardt