Focus on Microsoft
Re: DNS Aug 16 2003 08:37PM
Tony Gordon (tony gordon hewitt com) (1 replies)
MS DNS does not log to the event log (for what you are looking for). I am
not sure if LogParser works on DNS debug logs. If it does, you are all
set; if not, it is not that hard to parse them using either the find or findstr
command. It is very "sensitive" to what you check on the "Logging" tab.
Sometimes it just does not log anything (usually when only the top portion is
checked). It seems to start logging if one of the following is also
checked: UDP, TCP or Full Packets. I usually check everything except Full
Packets. This gets me almost everything and then I can parse out what I
need. If I remember correctly, the log file is in %systemroot%\debug.

Thank you, Tony.
Tony Gordon, Windows 2000 MCSE
tony dot gordon at hewitt dot com
Windows Server Infrastructure
Phone: 847.295.5000 x14534
Fax: 847.295.8877
Hewitt Associates

"Mark Burnett" <mb (at) xato (dot) net [email concealed]>
08/14/2003 01:06 PM

To: focus-ms (at) lists.securityfocus (dot) com [email concealed]
cc:
Subject: Re: DNS

You could log DNS queries and then use Microsoft's LogParser tool to
count how many queries are for windowsupdate.com and how many total
queries are in the log file. LogParser is surprisingly fast at doing
these types of queries.

Then use MRTG to graph it all. I actually have an article going up at
SecurityFocus today or tomorrow on how to configure MRTG using
counter results from LogParser and other sources.

Mark Burnett

On Wed, 13 Aug 2003 17:41:29 -0500, Mendoza Bazan, Luis - (Per)
wrote:
>Hi all, I'm working with one w2k DNS server and I would like to monitor
>how many UDP queries received per second are being made to resolve windowsupdate.com
>or other domains. W2k offers Performance Monitor but its options
>don't permit selecting a specific domain to monitor. I would like to
>use some tool that lets me check how many queries received per second are being
>made vs. the total queries received, to detect possible DDoS attacks.
>Please send me some information about tools that do this.
>
>Best regards
>
>Luis Mendoza

---------------------------------------------------------------------------
Your network firewall and IDS products do not prevent Web application
attacks - the most common form of online exploitation - resulting in Web
defacement, data theft, sabotage and fraud.
KaVaDo is the only company that provides a complete suite of Web
application security products.
Download a FREE whitepaper on "Security Policy Automation for Web
Applications": http://www.securityfocus.com/Kavado-focus-ms
---------------------------------------------------------------------------
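As an added example (not code from any poster in this thread), a small Python parser over constructed lines written in the style of the DNS debug log that Tony and Mark describe: it counts the queries received for one domain against the total and per second, so a surge of windowsupdate.com lookups of the kind Luis asks about stands out. The column layout of the sample lines, the client addresses and the thresholds in `suspicious` are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the style of the Windows DNS debug log
# (%systemroot%\debug\dns.log). The column layout is an assumption; the parser
# keys only on the Rcv/Snd direction, the Q/R packet type and the label-encoded
# query name such as (13)windowsupdate(3)com(0).
SAMPLE_LOG = """\
20030816 20:30:01 2E0 PACKET UDP Rcv 10.1.2.3 0001 Q [0001 D NOERROR] A (13)windowsupdate(3)com(0)
20030816 20:30:01 2E0 PACKET UDP Snd 10.1.2.3 0001 R [8081 DR NOERROR] A (13)windowsupdate(3)com(0)
20030816 20:30:01 2E0 PACKET UDP Rcv 10.1.2.9 0002 Q [0001 D NOERROR] A (2)v4(13)windowsupdate(3)com(0)
20030816 20:30:01 2E0 PACKET UDP Rcv 10.1.2.4 0003 Q [0001 D NOERROR] MX (6)hewitt(3)com(0)
20030816 20:30:02 2E0 PACKET UDP Rcv 10.1.2.3 0004 Q [0001 D NOERROR] A (13)windowsupdate(3)com(0)
20030816 20:30:02 2E0 PACKET TCP Rcv 10.1.2.7 0005 Q [0001 D NOERROR] A (3)www(4)xato(3)net(0)
"""

LINE_RE = re.compile(r"^\d{8} (?P<time>\d\d:\d\d:\d\d) .*? (?:UDP|TCP) (?P<dir>Rcv|Snd) "
                     r"\S+ \S+ (?P<kind>Q|R) .*?\] \S+ (?P<name>\(\d+\)\S*)$")
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")

def decode_name(labeled):
    """Turn (13)windowsupdate(3)com(0) into windowsupdate.com."""
    return ".".join(label for _, label in LABEL_RE.findall(labeled) if label)

def received_queries(log_text):
    """Yield (time, query name) for every query packet the server received."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["dir"] == "Rcv" and m["kind"] == "Q":
            yield m["time"], decode_name(m["name"])

def query_stats(log_text, domain):
    """Count received queries overall, those for `domain` (or names under it),
    and the per-second count of the domain queries."""
    total, for_domain, per_second = 0, 0, Counter()
    for time, qname in received_queries(log_text):
        total += 1
        if qname == domain or qname.endswith("." + domain):
            for_domain += 1
            per_second[time] += 1
    return {"total": total, "domain": for_domain, "per_second": per_second}

def suspicious(stats, max_share=0.5, max_per_second=100):
    """Flag when one domain dominates the query mix or its rate spikes."""
    share = stats["domain"] / stats["total"] if stats["total"] else 0.0
    return share > max_share or max(stats["per_second"].values(), default=0) > max_per_second
```

Point `query_stats` at the real dns.log text and feed the returned counts to MRTG or LogParser as Mark suggests; the share threshold is what separates a normal update-check load from a flood aimed at one name.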

Copyright 2010, SecurityFocus