Re: DNS
From: Mark Burnett (mb_at_xato.net)
Date: 08/18/03
- Previous message: Kayne Ian (Softlab): "RE: Account Lockout -- ARGH"
- In reply to: Tony Gordon: "Re: DNS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <focus-ms@lists.securityfocus.com> Date: Mon, 18 Aug 2003 11:38:42 -0600
LogParser works on just about everything. The cool thing is that it
is easy to produce sorted totals and more through SQL queries. Here
is a sample query to show the top 10 most requested DNS entries from
the DNS debug log and how many times each was requested (in my debug
log the host name starts at column 53):
C:\WINNT\system32\dns>logparser -q:on "SELECT TOP 10 SUBSTR(Text,53) AS Host, Count(Host) FROM dns.log WHERE Text LIKE 'Rcv%' GROUP BY Host ORDER BY Count(Host) Desc"
And on the same subject, here is a query I use to parse the DNS cache
of a Windows box:
C:\>ipconfig /displaydns | logparser -q:on "SELECT Text FROM Stdin WHERE Text NOT LIKE ' %' AND Text NOT LIKE ' -%' AND Text Is Not Null GROUP BY Text ORDER BY Text" -rtp:-1
Mark Burnett
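For readers without LogParser at hand, here is an added example (not Mark's code and not part of LogParser) that does the same aggregation in Python: it reads Windows DNS debug-log lines, keeps only received ('Rcv') packets, decodes the label-length name notation, and reports the top requested hosts, the share of received queries for one domain (the windowsupdate.com question earlier in the thread), and the per-second received-query count. The log lines are constructed in the style of the debug log; since the column layout differs between versions (Mark's host name starts at column 53, yours may not), the parser anchors on the 'Rcv'/'Snd' marker and the trailing name field rather than on a fixed column.

```python
"""Per-host counts from a Windows DNS debug log (added example, not LogParser).

The SAMPLE_LOG lines are CONSTRUCTED to resemble the debug log; the parser
does not depend on a fixed column offset, only on the direction marker and
the label-encoded query name at the end of each line.
"""
import re
from collections import Counter
from typing import Iterable, Iterator, List, Optional, Tuple

# Constructed sample lines (not captured from a real server).
SAMPLE_LOG = """\
20030818 11:38:40 0AB0 PACKET  UDP Rcv 10.0.0.5        0001   Q [0001   D   NOERROR] A      (3)www(13)windowsupdate(3)com(0)
20030818 11:38:40 0AB0 PACKET  UDP Snd 10.0.0.5        0001 R Q [8081   DR  NOERROR] A      (3)www(13)windowsupdate(3)com(0)
20030818 11:38:41 0AB0 PACKET  UDP Rcv 10.0.0.7        0002   Q [0001   D   NOERROR] A      (2)v4(13)windowsupdate(9)microsoft(3)com(0)
20030818 11:38:41 0AB0 PACKET  UDP Rcv 10.0.0.9        0003   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
20030818 11:38:41 0AB0 PACKET  TCP Rcv 10.0.0.9        0004   Q [0001   D   NOERROR] MX     (7)example(3)com(0)
20030818 11:38:42 0AB0 PACKET  UDP Rcv 10.0.0.5        0005   Q [0001   D   NOERROR] A      (3)www(13)windowsupdate(3)com(0)
20030818 11:38:42 0AB0 PACKET  UDP Rcv 10.0.0.8        0006   Q [0001   D   NOERROR] A      (3)www(13)windowsupdate(3)com(0)
"""

# Date, time, thread id, PACKET, protocol, direction, client, anything up to the
# closing ']' of the flags field, query type, then the label-encoded name.
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+\S+\s+PACKET\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Rcv|Snd)\s+(?P<client>\S+)\s+"
    r".*?\]\s+(?P<qtype>\S+)\s+(?P<name>\(\d+\)\S*)\s*$"
)
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")


def decode_name(encoded: str) -> str:
    """Turn '(3)www(13)windowsupdate(3)com(0)' into 'www.windowsupdate.com'."""
    labels: List[str] = []
    for length, text in LABEL_RE.findall(encoded):
        if int(length) == 0:          # root label terminates the name
            break
        if len(text) != int(length):  # refuse a malformed or truncated line
            raise ValueError(f"label length mismatch in {encoded!r}")
        labels.append(text.lower())
    return ".".join(labels)


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one log line, or None for non-packet lines."""
    m = LINE_RE.match(line)
    if not m:
        return None  # header/blank lines are skipped, like the LIKE 'Rcv%' filter
    rec = m.groupdict()
    rec["host"] = decode_name(rec.pop("name"))
    return rec


def received_queries(lines: Iterable[str]) -> Iterator[dict]:
    """Yield only packets the server received (direction 'Rcv')."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dir"] == "Rcv":
            yield rec


def top_hosts(lines: Iterable[str], n: int = 10) -> List[Tuple[str, int]]:
    """Equivalent of the 'SELECT TOP n ... GROUP BY Host' query above."""
    return Counter(r["host"] for r in received_queries(lines)).most_common(n)


def domain_share(lines: Iterable[str], domain: str) -> Tuple[int, int, float]:
    """(hits, total, fraction) of received queries for domain or its subdomains.

    Matching on the label boundary keeps 'windowsupdate.microsoft.com' from
    counting as a hit for 'windowsupdate.com'.
    """
    domain = domain.lower().strip(".")
    hits = total = 0
    for r in received_queries(lines):
        total += 1
        if r["host"] == domain or r["host"].endswith("." + domain):
            hits += 1
    return hits, total, (hits / total if total else 0.0)


def per_second_counts(lines: Iterable[str]) -> Counter:
    """Received queries per one-second bucket, keyed by 'date time'."""
    return Counter(f"{r['date']} {r['time']}" for r in received_queries(lines))


if __name__ == "__main__":
    log_lines = SAMPLE_LOG.splitlines()
    for host, count in top_hosts(log_lines):
        print(f"{count:6d}  {host}")
    hits, total, frac = domain_share(log_lines, "windowsupdate.com")
    print(f"windowsupdate.com: {hits}/{total} received queries ({frac:.0%})")
    print("peak received queries/s:", max(per_second_counts(log_lines).values()))
```

Feed a real debug log with `top_hosts(open(r"C:\WINNT\system32\dns\dns.log", errors="replace"))`; if your server writes a different packet layout, adjust `LINE_RE` rather than the counting functions, and compare `domain_share` against `per_second_counts` over time, since a flood shows up as one domain's fraction and the per-second total rising together.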
On Sat, 16 Aug 2003 15:37:16 -0500, Tony Gordon wrote:
>MS DNS does not log into eventlog (for what you are looking for). I
>am not sure if the logparser works on debug DNS logs. If it does
>you are all set, if not it is not that hard to parse them using
>either find or findstr commands. It is very "sensitive" to what you
>check on the "Logging" tab. Sometimes it just does not log anything
>(usually when only top portion is checked). It seems to start
>logging if one of the following is also checked, UDP, TCP or Full
>Packets. I usually check everything except Full Packets. This gets
>me almost everything and then I can parse out what I need. If I
>remember it correctly the log file is in %systemroot%\debug.
>
>Thank you, Tony. Tony Gordon, Windows 2000 MCSE tony dot gordon at
>hewitt dot com Windows Server Infrastructure Phone: 847.295.5000
>x14534 Fax: 847.295.8877 Hewitt Associates
>
>"Mark Burnett" <mb@xato.net> 08/14/2003 01:06 PM
>
>To: focus-ms@lists.securityfocus.com cc: Subject: Re: DNS
>
>mailto:burns@xato.net
>You could log DNS queries and then use Microsoft's LogParser tool to
>count how many queries are for windowsupdate.com and how many total
>queries are in the log file. LogParser is surprisingly fast at doing
>these types of queries.
>
>Then use MRTG to graph it all. I actually have an article going up
>at SecurityFocus today or tomorrow on how to configure MRTG using
>counter results from LogParser and other sources.
>
>Mark Burnett
>
>On Wed, 13 Aug 2003 17:41:29 -0500, Mendoza Bazan, Luis - (Per)
>wrote:
>>Hi all, I'm working with one w2k DNS server and I would like to
>>monitor how many UDP queries received/s are being done to resolve
>>windowsupdate.com or another domain. W2k offers Performance Monitor
>>but the options don't permit selecting a specific domain to monitor. I
>>would like to use some tool that lets me check how many queries
>>received/s are being done vs. the total queries received, to detect
>>possible DDoS attacks. Please send me some information about tools
>>that do this.
>>
>>Best regards
>>
>>Luis Mendoza
---------------------------------------------------------------------------
KaVaDo provides the first and only integrated Web application scanner and
firewall security suite that prevent Web applications attacks, the most
common form of online exploitation. Download a FREE whitepaper on Security Policy Automation for Web Applications.
http://www.securityfocus.com/sponsor/KaVaDo_focus-ms_030818
---------------------------------------------------------------------------