2022-09-22 09:28:36 +00:00
|
|
|
-- Catch DNS traffic going to machines other than the host-configured DNS server
|
2022-09-23 13:33:44 +00:00
|
|
|
-- NOTE: This only supports IPv4 traffic due to an osquery bug with "dns_resolvers"
|
2022-09-22 09:28:36 +00:00
|
|
|
-- The non-event version is unexpected-dns-traffic.sql
|
2022-09-23 13:33:44 +00:00
|
|
|
SELECT
|
2022-09-22 09:28:36 +00:00
|
|
|
protocol,
|
|
|
|
|
s.remote_port,
|
|
|
|
|
s.remote_address,
|
|
|
|
|
p.name,
|
|
|
|
|
p.path,
|
|
|
|
|
p.cmdline AS child_cmd,
|
|
|
|
|
p.cwd,
|
|
|
|
|
s.pid,
|
|
|
|
|
p.parent AS parent_pid,
|
|
|
|
|
pp.cmdline AS parent_cmd,
|
|
|
|
|
hash.sha256,
|
2022-09-24 15:12:23 +00:00
|
|
|
CONCAT (p.name, ",", remote_address, ",", remote_port) AS exception_key
|
|
|
|
|
FROM
|
|
|
|
|
socket_events s
|
2022-09-22 09:28:36 +00:00
|
|
|
LEFT JOIN processes p ON s.pid = p.pid
|
|
|
|
|
LEFT JOIN processes pp ON p.parent = pp.pid
|
|
|
|
|
LEFT JOIN hash ON p.path = hash.path
|
2022-09-24 15:12:23 +00:00
|
|
|
WHERE
|
|
|
|
|
s.time > (strftime("%s", "now") -120)
|
2022-09-22 09:28:36 +00:00
|
|
|
AND remote_port IN (53, 5353)
|
|
|
|
|
AND remote_address NOT LIKE "%:%"
|
2022-09-23 13:33:44 +00:00
|
|
|
AND s.remote_address NOT LIKE "172.1%"
|
|
|
|
|
AND s.remote_address NOT LIKE "172.2%"
|
|
|
|
|
AND s.remote_address NOT LIKE "172.30.%"
|
|
|
|
|
AND s.remote_address NOT LIKE "172.31.%"
|
|
|
|
|
AND s.remote_address NOT LIKE "10.%"
|
|
|
|
|
AND s.remote_address NOT LIKE "192.168.%"
|
|
|
|
|
AND s.remote_address NOT LIKE "127.%"
|
2022-09-22 09:28:36 +00:00
|
|
|
AND remote_address NOT IN (
|
2022-09-24 15:12:23 +00:00
|
|
|
SELECT DISTINCT
|
|
|
|
|
address
|
|
|
|
|
FROM
|
|
|
|
|
dns_resolvers
|
|
|
|
|
WHERE
|
|
|
|
|
type = "nameserver"
|
2022-09-23 13:33:44 +00:00
|
|
|
and address != ""
|
2022-09-22 09:28:36 +00:00
|
|
|
)
|
|
|
|
|
-- systemd-resolve sometimes shows up this way
|
|
|
|
|
-- If we could narrow this down using "sys_resolvers" I would, but it is misuse of GROUP_CONCAT
|
2022-09-24 15:12:23 +00:00
|
|
|
AND NOT (
|
|
|
|
|
s.pid = -1
|
|
|
|
|
AND s.remote_port = 53
|
|
|
|
|
and p.parent = ""
|
|
|
|
|
)
|
2022-09-22 23:35:24 +00:00
|
|
|
-- Some applications hard-code a safe DNS resolver, or allow the user to configure one
|
|
|
|
|
AND s.remote_address NOT IN (
|
2022-09-23 13:33:44 +00:00
|
|
|
"1.1.1.1", -- Cloudflare
|
2022-09-24 15:12:23 +00:00
|
|
|
"8.8.8.8", -- Google
|
|
|
|
|
"8.8.4.4", -- Google (backup)
|
2022-09-23 13:33:44 +00:00
|
|
|
"208.67.222.222", -- OpenDNS
|
|
|
|
|
"75.75.75.75" -- Comcast
|
2022-09-22 23:35:24 +00:00
|
|
|
)
|
2022-09-23 13:33:44 +00:00
|
|
|
-- Exceptions that specifically talk to one server
|
2022-09-24 15:12:23 +00:00
|
|
|
AND exception_key NOT IN ("nessusd,50.16.123.71,53", "coredns,0.0.0.0,53")
|
2022-09-23 13:33:44 +00:00
|
|
|
-- Local DNS servers and custom clients go here
|
2022-09-24 15:12:23 +00:00
|
|
|
AND p.path NOT IN ("/usr/lib/systemd/systemd-resolved")
|
2022-09-23 13:33:44 +00:00
|
|
|
AND p.path NOT LIKE "/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/%/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper"
|
2022-09-24 15:12:23 +00:00
|
|
|
-- Workaround for the GROUP_CONCAT subselect adding a blank ent
|
|
|
|
|
GROUP BY
|
|
|
|
|
s.remote_address,
|
2022-09-22 09:28:36 +00:00
|
|
|
s.remote_port
|
2022-09-24 15:12:23 +00:00
|
|
|
HAVING
|
|
|
|
|
remote_address != ""
|
