With the Logstash Lines series, we're keeping you up to date with all that's new in Logstash, from the details of pull requests to learning resources.

<html><head></head><body><p> Welcome to <em>Logstash Lines</em>! With these weekly series, we&apos;re keeping you up to date with what&apos;s new in Logstash, including the latest commits and releases.
</p><p>Did you know that <a href="https://www.elastic.co/downloads/logstash">Logstash 6.2</a> is already available? Try it and let us know what you think.
</p><h3></h3><h3>Connecting multiple Logstash pipelines</h3><p>The Pipeline Input/Output has landed, and will be part of 6.3.0! In <a href="https://github.com/elastic/logstash/pull/9225">#9225</a>. Users will finally be able to easily connect pipelines on a local Logstash instance in an efficient way. You can check out the documentation for the feature <a href="https://www.elastic.co/guide/en/logstash/master/pipeline-to-pipeline.html">here</a>.
</p><h3>In-progress: Javafication</h3><p>The conversion of features to Java continues. This week we ported the&#xA0;output <a href="https://github.com/elastic/logstash/pull/9340">#9340</a> and filter <a href="https://github.com/elastic/logstash/pull/9380">#9380</a> delegators to Java.
</p><h3>Documentation<br></h3><p>Changes in master:
</p><ul>
	<li>Add file names to list of LS config files <a href="https://github.com/elastic/logstash/pull/9321" target="_blank">#9321</a><br>
	<ul>
		<li>Added pipelines.yml and log4j2.properties&#xA0;to list of Logstash config files.</li>
	</ul>
	<ul>
		<li><a href="https://www.elastic.co/guide/en/logstash/master/config-setting-files.html" target="_blank">https://www.elastic.co/guide/en/logstash/master/config-setting-files.html</a></li>
	</ul></li>
	<li>Remove LS_HEAP_SIZE and reference JVM.options instead <a href="https://github.com/elastic/logstash/pull/9335" target="_blank">#9335</a></li>
</ul><p>Changes in 6.0:
</p><ul>
	<li>Backport: Add pipelines.yml and log4j2.properties to config file list <a href="https://github.com/elastic/logstash/pull/9348" target="_blank">#9348</a></li>
	<li>Backport: LS_HEAP_SIZE and jvm.options fix <a href="https://github.com/elastic/logstash/pull/9344" target="_blank">#9344</a></li>
</ul><p>Changes in 5.6:
</p><ul>
	<li>Backport: Add conditional coding to set correct default for codec <a href="https://github.com/elastic/Logstash/pull/9363">#9363</a></li>
</ul><p><span></span>
</p><h3>All changes</h3><h4>Logstash core</h4><ul>
	<li>Ensure path consistency: <a href="https://github.com/elastic/logstash/pull/9367">#9367</a></li>
	<li>Fixed PQ encoding issues: <a href="https://github.com/elastic/logstash/pull/9307">#9307</a></li>
	<li>Correctly handle duplicate hash key error message: <a href="https://github.com/elastic/logstash/pull/9343">#9343</a></li>
	<li>Improve error messaging for NOEXEC tmp directories: <a href="https://github.com/elastic/logstash/pull/9293">#9293</a></li>
</ul><h4>Logstash integrations</h4><span id="docs-internal-guid-10a6a2bc-d5a5-44b4-fe24-eb40199a5b03"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;" rel="line-height:1.38;margin-top:0pt;margin-bottom:0pt;">logstash-codec-netflow - 3.12.0
</p></span><ul>
	<li>Added support for IPFIX from Procera/NetIntact/Sandvine 15.1</li>
</ul><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;">logstash-input-beats - 5.0.14
</p><ul>
	<li dir="ltr">Update jackson deps to 2.9.5</li>
</ul><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;">logstash-input-beats - 3.1.31
</p><ul>
	<li dir="ltr">Update jackson deps to 2.9.5</li>
</ul><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;">logstash-input-google_pubsub - 1.0.6
</p><ul>
	<li dir="ltr">Ignore acknowledge requests with an empty array of IDs. Fixes <a href="https://github.com/logstash-plugins/logstash-input-google_pubsub/issues/14">#14</a></li>
</ul><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;">logstash-input-jmx - 3.0.6
</p><ul>
	<li dir="ltr">Fix documentation issue (correct subheading format)</li>
</ul></body></html>

blog-logstash-banner.jpg

blog-logstash-thumb.jpg

Logstash Lines: Pipeline Input and Output

With the Brewing in Beats series, we're keeping you up to date with all that's new in Beats, from the details of pull requests to learning resources.

<html><head></head><body><p>Welcome to <em> Brewing in Beats</em>! With these weekly series, we&apos;re keeping you up to date with what&apos;s new in Beats, including the latest commits and releases.<br>
</p><p>Did you know that <a href="https://www.elastic.co/downloads/beats">Beats 6.2</a>&#xA0;is already available? Try it and let us know what you think. If you are curious to see the Beats in action, check out&#xA0;the <a href="https://www.elastic.co/webinars/beats-lightweight-shippers-for-all-kinds-of-data">Getting Started with Beats webinar</a>.
</p><h3>Heartbeat HTTP body validation<br></h3><p><a href="https://www.elastic.co/products/beats/heartbeat">Heartbeat</a> can now validate that HTTP response bodies match a regular expression. Michael Russell of the Elastic Infrastructure team contributed the enhancement in <a href="https://github.com/elastic/beats/pull/6539">#6539</a>. Prior to this change, if you wanted to check the response content you had to specify the exact body. But with responses being generated by an HTTP endpoint the output is often not always the same.&#xA0;This new feature will be available in 6.3.
</p><h3>Rename fields with a Beat processor</h3><p>A <a href="https://www.elastic.co/guide/en/beats/metricbeat/master/rename-fields.html">new processor</a> has been added in <a href="https://github.com/elastic/beats/pull/6292">#6292</a> for renaming fields in an event. This is useful for modifying events that would result in an Elasticsearch error at ingest time. For example you cannot ingest an event like {&quot;c&quot;: 1, &quot;c.b&quot;: 2} because the value of c cannot simultaneously be a scalar and an object. The processor can be used to rename the key c to c.value.&#xA0;This new feature will be available in 6.3.
</p><h3>Filebeat updates ingest pipelines on setup</h3><p>The <code>filebeat setup</code> command will now update ingest pipelines used by Filebeat modules. Users that modify a module or its configuration now have an easy way to update the ingest pipeline definition stored in Elasticsearch. This also provides users with a way to load ingest pipelines before starting Filebeat. Checkout the details in <a href="https://github.com/elastic/beats/pull/6814">#6814</a>.&#xA0;This new feature will be available in 6.3.
</p><h3>Fixed: Filebeat memory leak</h3><p>If a harvester for tailing a log file failed during its initial setup phase due to an I/O error then a goroutine and some internal state were leaked. A fix for this leak was merged in <a href="https://github.com/elastic/beats/pull/6829">#6829</a>.
</p><h3>Documentation</h3><p>Changes in master:
</p><ul>
	<li>Update haproxy.asciidoc <a href="https://github.com/elastic/beats/pull/6869">#6869</a></li>
	<li>Document role required to load dashboards <a href="https://github.com/elastic/beats/pull/6849">#6849</a></li>
	<li><a href="https://github.com/elastic/beats/pull/6841"></a>Expose the `keystore.path` in the YAML configuration <a href="https://github.com/elastic/beats/pull/6805">#6805</a></li>
</ul><h3>All changes</h3><h4>Repository: elastic/beats</h4><h5>Metricbeat<br></h5><p>Changes in master:
</p><ul>
	<li>Kubernetes deployment: Add ServiceAccount config to system metricbeat.&#xA0;<a href="https://github.com/elastic/beats/pull/6824"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">#6824</span></a></li>
	<li>Remove duplicated filesystems in system module&#xA0;<a href="https://github.com/elastic/beats/pull/6819"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">#6819</span></a></li>
	<li>Improvements in docker diskio metricset&#xA0;<span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;"><a href="https://github.com/elastic/beats/pull/6701">#6701</a></span></li>
</ul><h5>Filebeat</h5><p>Changes in master:
</p><ul>
	<li>Fix memory leak in log harvester (#6797)&#xA0;<a href="https://github.com/elastic/beats/pull/6829"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">#6829</span></a></li>
	<li>Add ingest pipeline loading to filebeat setup&#xA0;<a href="https://github.com/elastic/beats/pull/6814"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">#6814</span></a></li>
	<li>Fix godoc on registrar gcStates&#xA0;<a href="https://github.com/elastic/beats/pull/6806"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">#6806</span></a></li>
	<li>Add new MongoDB module&#xA0;<span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;"><a href="https://github.com/elastic/beats/pull/6283">#6283</a></span></li>
</ul><p>Changes in 6.2:
</p><ul>
	<li>Defer registry state cleanup <span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;"><a href="https://github.com/elastic/beats/pull/6347">#6347</a></span></li>
</ul><h5>Heartbeat</h5><p>Changes in master:
</p><ul>
	<li dir="ltr"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;">Use match.Matcher for checking Heartbeat response bodies </span><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;"><a href="https://github.com/elastic/beats/pull/6539">#6539</a></span></li>
</ul><h5>Processors</h5><p>Changes in master:
</p><ul>
	<li dir="ltr"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;">Add rename fields processor </span><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;"><a href="https://github.com/elastic/beats/pull/6292">#6292</a></span></li>
	<li dir="ltr"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;">Rename host.hostname to host.name in add_host_metadata processor </span><a href="https://github.com/elastic/beats/pull/6752"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">#6752</span></a></li>
</ul><h5>Testing</h5><p>Changes in master:
</p><ul>
	<li dir="ltr"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;">Revert docker-compose in Travis CI to version 1.11.1 </span><a href="https://github.com/elastic/beats/pull/6863"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">#6863</span></a></li>
	<li dir="ltr"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;">Print container logs when compose up fails in tests </span><a href="https://github.com/elastic/beats/pull/6847"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">#6847</span></a></li>
	<li dir="ltr"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;">Speed up system tests by caching YAML output </span><a href="https://github.com/elastic/beats/pull/6838"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">#6838</span></a></li>
	<li dir="ltr"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;">Remove version from docker-compose project name </span><a href="https://github.com/elastic/beats/pull/6833"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">#6833</span></a></li>
	<li dir="ltr"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;">Simplify system tests for Elasticsearch </span><a href="https://github.com/elastic/beats/pull/6826"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">#6826</span></a></li>
	<li dir="ltr"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;">Allow system tests to be run from any directory </span><a href="https://github.com/elastic/beats/pull/6825"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">#6825</span></a></li>
	<li dir="ltr"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;">Fix flaky windows diskio tests </span><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;"><a href="https://github.com/elastic/beats/pull/6778">#6778</a></span></li>
</ul></body></html>

blog-beats-banner.jpg

blog-beats-thumb.jpg

Brewing in Beats: Heartbeat HTTP Body Validation

Auditbeat is a new Beat in 6.0. It audits the activities of users and processes. It collects Linux audit logs (similar to auditd) and monitors file integrity.

audit-letters-full-bleed.jpg

audit-clipboard-cc.jpg

Introducing Auditbeat: Ship Linux Audit Logs to Elasticsearch and More

Using Metricbeat to collect container metrics using Linux cgroups.

container-loading-small.jpg

container-ship-rena-small.jpg

Monitoring Container Resource Usage with Metricbeat

How to use the Winlogbeat and Kibana to visualize logon events from Windows event logs.

winlogbeat-rdp-map-full-bleed.jpg

winlogbeat-account-usage-dashboard.jpg

Monitoring Windows Logons with Winlogbeat

Using Packetbeat with Elasticsearch and Watcher to detect DNS tunnels.

<html><head></head><body><p><strong>Updated January 12, 2017:</strong> This post was updated to reflect changes in Packetbeat 5.x and Elasticsearch 5.x.
</p>


<p>Data observed from monitoring DNS traffic on a network can be used as an
indicator of compromise (IOC). This blog post will discuss how Elasticsearch and
Watcher can be used with Packetbeat to alert when possible malware activity is
detected.
</p>
<p><a href="/products/beats/packetbeat"><em>Packetbeat</em></a> is our open
source packet analyzer. It monitors the traffic on your network and indexes the
DNS requests and responses into Elasticsearch where aggregations can be used to
help make sense of the data.
</p>
<p><a href="/products/x-pack/alerting"><em>Alerting</em></a> (formerly <em>Watcher</em>)
is part of 
	<a href="/products/x-pack">X-Pack</a> and it provides alerting and
notifications based on changes in your data.
</p>
<p>There are many use cases for alerting on data collected by Packetbeat such as
alerting when the response times for web requests are above a threshold or when
there is spike in HTTP errors returned by your web servers. The alerting
described in this article has applications in network security. We are going to
look at one specific use case -- detecting data exfiltration over DNS tunnels.
</p>
<h2>Detecting DNS Tunnels</h2>
<p>Tunnels can be established over the DNS protocol to covertly move data or
provide a command and control channel for malware. Often this technique is used
to bypass the protections of corporate firewalls and proxy servers. Tunneling
works by encoding data in DNS requests and responses. The client issues a query
for a hostname and that query is eventually forwarded to the authoritative name
server associated with the domain.
</p>
<p><img src="https://api.contentstack.io/v2/assets/575e4d2d58208ba076e29b7d/download?uid=bltf505dadaa68339b8" data-sys-asset-uid="bltf505dadaa68339b8" alt="Packetbeat Deployment Architecture">
</p>
<p>There are a lot of different techniques that can be employed for detecting
such traffic. We are going to look at using the number of unique hostnames for a
domain as an IOC. DNS tunneling utilities must use a new hostname for each
request which leads to a much higher number of hostnames present for the
malicious domains in comparison to legitimate domains.
</p>
<h2>Packetbeat Setup</h2>
<p>The first step is to install Packetbeat and configure it to collect DNS
traffic. For this setup, the server running Packetbeat is connected to a port
mirror so that Packetbeat can observe all the traffic between the local network
and the Internet. The Packetbeat documentation has a great 
	<a href="/guide/en/beats/packetbeat/current/packetbeat-getting-started.html">Getting
Started guide
	</a> that explains installation and setup procedure, so I will just
show the configuration used.
</p>
<pre class="prettyprint"># /etc/packetbeat/packetbeat.yml
packetbeat.interfaces.device: en0
packetbeat.protocols.dns:
  ports: [53]
  include_authorities: true
  include_additionals: true
output.elasticsearch:
  hosts: [&quot;localhost:9200&quot;]
</pre>
<h2>Watch your DNS Traffic</h2>
<p>The complete
	<a href="https://github.com/elastic/examples/blob/master/Security%20Analytics/dns_tunnel_detection/unique_hostnames_watch.json">
	watch file</a> is stored in our
	<a href="https://github.com/elastic/examples/tree/master/Security%20Analytics/dns_tunnel_detection">elastic/examples</a>
	repository along with all of the supporting files shown here. We are going to
walk through the creation of this watch step-by-step.
</p>
<h2>Watch Trigger</h2>
<p>The watch trigger specifies when the execution should start. This watch is
scheduled to execute every 15 minutes.
</p>
<pre class="prettyprint">      &quot;trigger&quot;: {
         &quot;schedule&quot;: {
            &quot;interval&quot;: &quot;15m&quot;
         }
      },
</pre>
<h2>Watch Input</h2>
<p>This first step in creating this watch is to design a set of aggregations to
be used as the input to the watch. We want to find the cardinality of the
hostnames associated with each second-level domain
(e.g. 
	<code>badguy.co.</code>).
</p>
<p>We start with a query that has just two components, a time window and a
whitelist. The time window and whitelist can be customized. Find more on this in
the 
	<a href="#tuning">Tuning the Detector</a> section.
</p>
<p>Next we use a terms aggregation to create buckets for each second-level
domain. Then we apply a sub-aggregation to get the cardinality of the hostnames
within that bucket. Finally we apply a bucket selector aggregation to select
only the buckets having more than 200 unique hostnames. The watch will generate
an alert when the number of unique hostnames breaks this threshold.
</p>
<pre class="prettyprint">GET packetbeat-*/dns/_search
{
  &quot;query&quot;: {
    &quot;bool&quot;: {
      &quot;filter&quot;: {
        &quot;range&quot;: {
          &quot;@timestamp&quot;: {
            &quot;from&quot;: &quot;now-4h&quot;
          }
        }
      },
      &quot;must_not&quot;: {
        &quot;terms&quot;: {
          &quot;dns.question.etld_plus_one&quot;: [
            &quot;akadns.net.&quot;,
            &quot;amazonaws.com.&quot;,
            &quot;apple.com.&quot;,
            &quot;apple-dns.net.&quot;,
            &quot;cloudfront.net.&quot;,
            &quot;icloud.com.&quot;,
            &quot;in-addr.arpa.&quot;,
            &quot;google.com.&quot;,
            &quot;yahoo.com.&quot;
          ]
        }
      }
    }
  },
  &quot;size&quot;: 0,
  &quot;aggs&quot;: {
    &quot;by_domain&quot;: {
      &quot;terms&quot;: {
        &quot;size&quot;: 1000,
        &quot;field&quot;: &quot;dns.question.etld_plus_one&quot;
      },
      &quot;aggs&quot;: {
        &quot;unique_hostnames&quot;: {
          &quot;cardinality&quot;: {
            &quot;field&quot;: &quot;dns.question.name&quot;
          }
        },
        &quot;total_bytes_in&quot;: {
          &quot;sum&quot;: {
            &quot;field&quot;: &quot;bytes_in&quot;
          }
        },
        &quot;total_bytes_out&quot;: {
          &quot;sum&quot;: {
            &quot;field&quot;: &quot;bytes_out&quot;
          }
        },
        &quot;high_num_hostnames&quot;: {
          &quot;bucket_selector&quot;: {
            &quot;buckets_path&quot;: {
              &quot;unique_hostnames&quot;: &quot;unique_hostnames&quot;
            },
            &quot;script&quot;: &quot;params.unique_hostnames &gt; 200&quot;
          }
        }
      }
    }
  }
}
</pre>
<p>The query above relies on the <code>dns.question.etld_plus_one</code> field provided
by Packetbeat 5.x to bucket all requests for a single domain. Packetbeat
creates this field using an embedded copy of the 
	<a href="https://publicsuffix.org/">
	Public Suffix List</a>.
</p>
<h2>Watch Condition</h2>
<p>The watch condition is what determines if an alert is triggered. The
condition here is simple. This says that if any buckets were returned then
trigger the alert.
</p>
<pre class="prettyprint">      &quot;condition&quot;: {
         &quot;script&quot;: {
            &quot;inline&quot;: &quot;ctx.payload.aggregations.by_domain.buckets.size() &gt; 0&quot;
         }
      },
</pre>
<h2>Watch Actions</h2>
<p>The watch actions are executed after the condition is met, and define the
&quot;output&quot; of a watch. For this watch we are sending an email and also writing a
message to the Elasticsearch log. A&#xA0;
	<em>transform</em>&#xA0;script is being
used to manipulate the data so that it renders better in an email.
</p>
<pre class="prettyprint">        &quot;transform&quot;: {
           &quot;script&quot;: {
              &quot;file&quot;: &quot;dns_transform&quot;
           }
        },
        &quot;actions&quot;: {
           &quot;log_domains&quot;: {
              &quot;logging&quot;: {
                 &quot;text&quot;: &quot;The following domain(s) have a high number of unique hostnames: {{ctx.payload.alerts}}&quot;
              }
           },
           &quot;email_alert&quot; : {
            &quot;email&quot;: {
              &quot;to&quot;: &quot;&apos;John Doe &lt;john.doe@example.com&gt;&apos;&quot;,
              &quot;subject&quot;: &quot;Suspected DNS Tunnel Alert&quot;,
              &quot;body&quot;: &quot;The following domain(s) have a high number of unique hostnames: {{ctx.payload.alerts}}&quot;
            }
          }
        }
</pre>
<p>Below is the dns_transform Painless script. It should be placed into the
config/scripts directory of Elasticsearch.
</p>
<pre class="prettyprint">// File: config/scripts/dns_transform.painless
def alerts = ctx.payload.aggregations.by_domain.buckets.stream().collect(Collectors.toMap(p-&gt;p.key,item-&gt;[
        &quot;total_requests&quot; : item.doc_count,
        &quot;unique_hostnames&quot; : item.unique_hostnames.value,
        &quot;total_bytes_in&quot; : item.total_bytes_in.value,
        &quot;total_bytes_out&quot; : item.total_bytes_out.value,
        &quot;total_bytes&quot; : item.total_bytes_in.value + item.total_bytes_out.value
]));
return [&quot;alerts&quot;:alerts];
</pre>
<p>Here is a sample alert. Notice it contains a some additional metrics that can
be used to gauge the severity of the situation.
</p>
<pre class="prettyprint">Date: Fri, 16 Feb 2016 11:00:01 -0500 (EST)
From: Watcher &lt;watcher@example.com&gt;
Message-Id: &lt;201602161600.u0SG01ks024814@example.com&gt;
To: John Doe &lt;john.doe@example.com&gt;
Subject: Suspected DNS Tunnel Alert
The following domain(s) have a high number of unique hostnames:
{badguy.co.={total_requests=222, unique_hostnames=222, total_bytes_in=16716.0,
total_bytes_out=35161.0, total_bytes=51877.0}}
</pre>
<p>When this alert is received, the recipient can take the domain and do a
search using the Discover application in Kibana to find the network clients
responsible for the tunnel.
</p>
<h2>Testing and Results</h2>
<p><img src="https://api.contentstack.io/v2/assets/575e4d2dd8edd48f7693791e/download?uid=blt8aad375573dc7783" data-sys-asset-uid="blt8aad375573dc7783" alt="Unique FQDNs per Second Level Domain">
</p>
<p>This chart shows the top ten domains with the highest number of unique
hostnames over a period of 4 hours. This data was collected from a network with
about 100 devices. During that time window I replayed a network capture
containing a tunnel created by&#xA0;
	<a href="http://code.kryo.se/iodine/">iodine</a>. The tunnel which is operating
under the fictitious domain&#xA0;
	<code>pirate.sea</code>&#xA0;was up for just 20
seconds, and yet it has the highest number of domains.
</p>
<p>If the whitelist from the watch is applied then the tunnel really stands out
among the other domains as seen below.
</p>
<p><img src="https://api.contentstack.io/v2/assets/575e4d2d12798d8e381ff0be/download?uid=bltf1e4c3e0ba99f734" data-sys-asset-uid="bltf1e4c3e0ba99f734" alt="Unique FQDNs per Second Level Domain with Whitelist">
</p>
<h2 id="tuning">Tuning the Detector</h2>
<p>There are two variables that can be tuned -- the time window and the unique
hostnames threshold. A smaller time window can be used with a smaller threshold
to make the watch more sensitive to short duration tunnels. In a shorter time
window, domains not being used for tunneling will generally accumulate fewer
unique hostnames.
</p>
<p>Tunnels that move data slowly can be detected using a larger time window. But
using a larger time window means that valid domains with a lot of unique
hostnames, such as CDNs, will cause false positives. So if you use a large time
window you will likely need to add domains to the query&apos;s whitelist.
</p>
<h2>Conclusion</h2>
<p>It was fun combining Packetbeat and Watcher to look for DNS tunnels. Remember
&quot;defense in depth&quot; if you implement a solution like this. It is important to
layer your defenses so that if one layer fails there is another one in place to
detect.
</p></body></html>

Articles by Andrew Kroh

Logstash Lines: Pipeline Input and Output

Brewing in Beats: Heartbeat HTTP Body Validation

Introducing Auditbeat: Ship Linux Audit Logs to Elasticsearch and More

Monitoring Container Resource Usage with Metricbeat

Monitoring Windows Logons with Winlogbeat

Detecting DNS Tunnels with Packetbeat and Watcher

Products & Solutions

Company

Resources

Featured topics

News

Articles by Andrew Kroh

Logstash Lines: Pipeline Input and Output

Brewing in Beats: Heartbeat HTTP Body Validation

Introducing Auditbeat: Ship Linux Audit Logs to Elasticsearch and More

Monitoring Container Resource Usage with Metricbeat

Monitoring Windows Logons with Winlogbeat

Detecting DNS Tunnels with Packetbeat and Watcher