Pi-Hole Integration With Wazuh

PiHole (DNSMasq) integration with Wazuh SIEM


Table of contents
Prerequisites (p. 3)
PiHole (p. 4)
  Wazuh agent deployment (p. 4)
  PiHole configuration (p. 5)
Wazuh (p. 6)
  Agent configuration (p. 6)
  Wazuh Decoder (p. 8)
  Wazuh Rules (p. 12)
  Threat Hunting (p. 14)
    Security Alerts (p. 14)
    URL Filter (p. 15)
Prerequisites
For the purpose of this document it's assumed that PiHole is already deployed on a Debian-like system.

Figure 1 shows the network layout that is used in this document for reference.

Figure 1: Network layout


PiHole
Wazuh agent deployment
Use ssh to connect to your PiHole system and deploy the Wazuh agent:

wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.8.1-1_amd64.deb
sudo WAZUH_MANAGER='192.168.33.6' WAZUH_AGENT_GROUP='Linux' WAZUH_AGENT_NAME='PiHole' dpkg -i ./wazuh-agent_4.8.1-1_amd64.deb

sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
PiHole configuration
Edit /etc/dnsmasq.d/01-pihole.conf:

Comment out the log-queries line and insert log-queries=extra instead to get more information (a per-query serial number and the requestor's IP address at the start of each log line). Then restart the resolver:

sudo systemctl restart pihole-FTL


Wazuh
Agent configuration

Add the following at the end of /var/ossec/etc/ossec.conf:

<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/lighttpd/access-pihole.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/pihole/pihole.log</location>
  </localfile>
</ossec_config>

sudo systemctl start wazuh-agent

Check the status of the wazuh-agent to see if it's running:

systemctl status wazuh-agent


Wazuh Decoder

• Open the hamburger menu in Wazuh and navigate to "Server management" – "Decoders"
• Click on "Add new decoders file"
• Enter 0999-dnsmasq-decoder.xml as filename
• Add the lines listed below to the file and click Save

<!--
- DNSMasq decoder
- Author: Manuel König
- Date: 2024-07-19
-->

<!--
EXAMPLE LOGS

Jul 7 19:39:41 dnsmasq[536]: query[AAAA] video-edge-b1fd44.muc01.abs.hls.ttvnw.net from 192.168.1.185
Jul 7 19:39:44 dnsmasq[536]: query[A] video-edge-8b17e9.pdx01.abs.hls.ttvnw.net from 192.168.1.185
Jul 7 19:39:44 dnsmasq[536]: forwarded video-edge-8b17e9.pdx01.abs.hls.ttvnw.net to 208.67.222.222
Jul 7 19:39:44 dnsmasq[536]: dnssec-query[DS] ttvnw.net to 208.67.222.222
Jul 7 19:39:44 dnsmasq[536]: reply science-edge-external-prod-73889260.us-west-2.elb.amazonaws.com is 35.162.12.228
Jul 7 20:19:36 dnsmasq[536]: gravity blocked tags.tiqcdn.com is 0.0.0.0
Jul 7 00:00:53 dnsmasq[553]: query[HTTPS] mask.icloud.com from 192.168.1.115
Jul 7 00:02:38 dnsmasq[553]: cached a1ewuiz2p7wdvw-ats.iot.us-west-2.amazonaws.com is 2620:108:700f::340a:b2a4
Jul 7 00:07:02 dnsmasq[553]: query[SVCB] _dns.resolver.arpa from 192.168.1.115
Jul 19 15:53:09 dnsmasq[536]: exactly blacklisted detectportal.firefox.com is 0.0.0.0
Jul 19 15:53:09 dnsmasq[536]: exactly blacklisted detectportal.firefox.com is ::
-->

<decoder name="dnsmasq">
  <!--<type>syslog</type>
  <program_name>^dnsmasq</program_name>
  <program_name type="pcre2">(?i)dnsmasq\[\d+\]</program_name>-->
  <prematch type="pcre2">(?i)dnsmasq\[\d+\]\:</prematch>
</decoder>

<decoder name="dnsmasq-fields">
  <parent>dnsmasq</parent>
  <regex type="pcre2" offset="after_parent">(query\[A+\])\s+(\S+)\s+from\s+(\S+)</regex>
  <order>type,url,srcip</order>
</decoder>

<decoder name="dnsmasq-fields">
  <parent>dnsmasq</parent>
  <regex type="pcre2" offset="after_parent">(query\[HTTPS\])\s+(\S+)\s+from\s+(\S+)</regex>
  <order>type,url,srcip</order>
</decoder>

<decoder name="dnsmasq-fields">
  <parent>dnsmasq</parent>
  <regex type="pcre2" offset="after_parent">(query\[SVCB\])\s+(\S+)\s+from\s+(\S+)</regex>
  <order>type,url,srcip</order>
</decoder>

<decoder name="dnsmasq-fields">
  <parent>dnsmasq</parent>
  <regex type="pcre2" offset="after_parent">(forwarded)\s+(\S+)\s+to\s+(\S+)</regex>
  <order>type,url,dstip</order>
</decoder>

<decoder name="dnsmasq-fields">
  <parent>dnsmasq</parent>
  <regex type="pcre2" offset="after_parent">(dnssec-query\[DS\])\s+(\S+)\s+to\s+(\S+)</regex>
  <order>type,url,dstip</order>
</decoder>

<decoder name="dnsmasq-fields">
  <parent>dnsmasq</parent>
  <regex type="pcre2" offset="after_parent">(reply)\s+(\S+)\s+is\s+(\S+)</regex>
  <order>type,url,dstip</order>
</decoder>

<decoder name="dnsmasq-fields">
  <parent>dnsmasq</parent>
  <regex type="pcre2" offset="after_parent">(cached)\s+(\S+)\s+is\s+(\S+)</regex>
  <order>type,url,dstip</order>
</decoder>

<decoder name="dnsmasq-fields">
  <parent>dnsmasq</parent>
  <regex type="pcre2" offset="after_parent">(gravity blocked)\s+(\S+)\s+is\s+(\S+)</regex>
  <order>type,url,dstip</order>
</decoder>

<!-- NEW -->

<!--
Jul 19 15:49:19 dnsmasq[536]: validation result is INSECURE
Jul 19 15:49:38 dnsmasq[536]: validation result is SECURE
Jul 19 15:45:00 dnsmasq[536]: validation result is TRUNCATED
Jul 19 14:32:35 dnsmasq[536]: validation _dns.resolver.arpa is BOGUS
Jul 19 00:12:57 dnsmasq[536]: regex blacklisted vast.livejasmin.com is 0.0.0.0
Jul 19 00:22:06 dnsmasq[536]: exactly blacklisted tsyndicate.com is NODATA
-->

<decoder name="dnsmasq-fields">
  <parent>dnsmasq</parent>
  <regex type="pcre2" offset="after_parent">\s(validation)\s(\S+).is.(BOGUS)</regex>
  <order>type,url,result</order>
</decoder>

<decoder name="dnsmasq-fields">
  <parent>dnsmasq</parent>
  <regex type="pcre2" offset="after_parent">\s(validation result).is.(BOGUS|SECURE|INSECURE|TRUNCATED)</regex>
  <order>type,result</order>
</decoder>

<decoder name="dnsmasq-fields">
  <parent>dnsmasq</parent>
  <regex type="pcre2" offset="after_parent">\s\S+.(blacklisted).(\S+).is.(\S+)</regex>
  <order>type,url,dstip</order>
</decoder>

<!--
Decoder extension for log-queries=extra
-->
<!--
https://dnsmasq.org/docs/dnsmasq-man.html
Log the results of DNS queries handled by dnsmasq. Enable a full cache dump on receipt of SIGUSR1.
If the argument "extra" is supplied, ie log-queries=extra then the log has extra information at
the start of each line.
This consists of a serial number which ties together the log lines associated with an individual
query, and the IP address of the requestor.

EXAMPLE LOGS

Jul 19 16:01:10 dnsmasq[539]: 625 192.168.1.185/60568 query[A] detectportal.firefox.com from 192.168.1.185
Jul 19 16:01:08 dnsmasq[539]: 624 192.168.1.185/51915 query[AAAA] incoming.telemetry.mozilla.org from 192.168.1.185
Jul 19 16:19:29 dnsmasq[539]: 1285 192.168.1.185/51238 query[HTTPS] az764295.vo.msecnd.net from 192.168.1.185
Jul 19 16:02:29 dnsmasq[539]: 647 192.168.1.115/60215 query[SVCB] _dns.resolver.arpa from 192.168.1.115
Jul 19 16:19:22 dnsmasq[539]: 1283 dnssec-query[DS] twitchcdn.net to 208.67.220.220
Jul 19 16:01:07 dnsmasq[539]: 621 192.168.1.185/50749 forwarded assets.twitch.tv to 208.67.222.222
Jul 19 16:01:07 dnsmasq[539]: 622 192.168.1.185/46835 cached assets.twitch.tv is NODATA-IPv6
Jul 19 16:01:08 dnsmasq[539]: 624 192.168.1.185/51915 gravity blocked incoming.telemetry.mozilla.org is ::
Jul 19 16:01:10 dnsmasq[539]: 625 192.168.1.185/60568 exactly blacklisted detectportal.firefox.com is 0.0.0.0
Jul 19 16:01:10 dnsmasq[539]: 626 192.168.1.185/36638 exactly blacklisted detectportal.firefox.com is ::
Jul 19 16:01:36 dnsmasq[539]: 627 192.168.1.96/53997 reply a1ewuiz2p7wdvw-ats.iot.us-west-2.amazonaws.com is 52.26.205.253
Jul 19 16:01:36 dnsmasq[539]: 628 192.168.1.96/33815 reply a1ewuiz2p7wdvw-ats.iot.us-west-2.amazonaws.com is 2620:108:700f::340d:b9a2
Jul 19 15:53:47 dnsmasq[539]: 226 192.168.1.185/55368 validation result is SECURE
Jul 19 16:01:36 dnsmasq[539]: 627 192.168.1.96/53997 validation result is INSECURE
Jul 19 15:57:05 dnsmasq[539]: 370 192.168.1.185/37858 validation result is TRUNCATED
Jul 19 16:02:29 dnsmasq[539]: 647 192.168.1.115/60215 validation _dns.resolver.arpa is BOGUS (EDE: RRSIG missing)
-->

<decoder name="dnsmasq-fields">
  <parent>dnsmasq</parent>
  <regex type="pcre2" offset="after_parent">\s(\d+)\s(\S+)\/(\S+)\s(query\[A+\])\s+(\S+)\s+from\s+\S+</regex>
  <order>id,srcip,srcport,type,url</order>
</decoder>

<decoder name="dnsmasq-fields">
  <parent>dnsmasq</parent>
  <regex type="pcre2" offset="after_parent">\s(\d+)\s(\S+)\/(\S+)\s(query\[HTTPS\])\s+(\S+)\s+from\s+\S+</regex>
  <order>id,srcip,srcport,type,url</order>
</decoder>

<decoder name="dnsmasq-fields">
  <parent>dnsmasq</parent>
  <regex type="pcre2" offset="after_parent">\s(\d+)\s(\S+)\/(\S+)\s(query\[SVCB\])\s+(\S+)\s+from\s+\S+</regex>
  <order>id,srcip,srcport,type,url</order>
</decoder>

<decoder name="dnsmasq-fields">
  <parent>dnsmasq</parent>
  <regex type="pcre2" offset="after_parent">\s(\d+)\s(\S+)\/(\S+)\s(forwarded)\s+(\S+)\s+to\s+(\S+)</regex>
  <order>id,srcip,srcport,type,url,dstip</order>
</decoder>

<decoder name="dnsmasq-fields">
  <parent>dnsmasq</parent>
  <regex type="pcre2" offset="after_parent">\s(\d+)\s(dnssec-query\[DS\])\s+(\S+)\s+to\s+(\S+)</regex>
  <order>id,type,url,dstip</order>
</decoder>

<decoder name="dnsmasq-fields">
  <parent>dnsmasq</parent>
  <regex type="pcre2" offset="after_parent">\s(\d+)\s(\S+)\/(\S+)\s(reply)\s+(\S+)\s+is\s+(\S+)</regex>
  <order>id,srcip,srcport,type,url,dstip</order>
</decoder>

<decoder name="dnsmasq-fields">
  <parent>dnsmasq</parent>
  <regex type="pcre2" offset="after_parent">\s(\d+)\s(\S+)\/(\S+)\s(cached)\s+(\S+)\s+is\s+(\S+)</regex>
  <order>id,srcip,srcport,type,url,dstip</order>
</decoder>

<decoder name="dnsmasq-fields">
  <parent>dnsmasq</parent>
  <regex type="pcre2" offset="after_parent">\s(\d+)\s(\S+)\/(\S+)\s(gravity blocked)\s+(\S+)\s+is\s+(\S+)</regex>
  <order>id,srcip,srcport,type,url,dstip</order>
</decoder>

<!-- NEW -->

<decoder name="dnsmasq-fields">
  <parent>dnsmasq</parent>
  <regex type="pcre2" offset="after_parent">\s(\d+)\s(\S+)\/(\S+)\s(validation)\s(\S+).is.(BOGUS|SECURE|INSECURE|TRUNCATED).([\S\x20]+)</regex>
  <order>id,srcip,srcport,type,url,result,reason</order>
</decoder>

<decoder name="dnsmasq-fields">
  <parent>dnsmasq</parent>
  <regex type="pcre2" offset="after_parent">\s(\d+)\s(\S+)\/(\S+)\s(validation result).is.(BOGUS|SECURE|INSECURE|TRUNCATED)</regex>
  <order>id,srcip,srcport,type,result</order>
</decoder>

<decoder name="dnsmasq-fields">
  <parent>dnsmasq</parent>
  <regex type="pcre2" offset="after_parent">\s(\d+)\s(\S+)\/(\S+)\s\S+.(blacklisted).(\S+).is.(\S+)</regex>
  <order>id,srcip,srcport,type,url,dstip</order>
</decoder>
Wazuh Rules

• Open the hamburger menu in Wazuh and navigate to "Server management" – "Rules"
• Click on "Add new rules file"
• Enter 0999-dnsmasq-rules.xml as filename
• Add the lines listed below to the file and click Save

<!--
- DNSMasq rules
- Author: Manuel König
- Date: 2024-07-19
- ID range: 99900 - 99910
-->

<group name="syslog,dnsmasq,">

  <rule id="99900" level="0">
    <decoded_as>dnsmasq</decoded_as>
    <description>dnsmasq grouping.</description>
  </rule>

  <rule id="99901" level="3">
    <if_sid>99900</if_sid>
    <field name="type" type="pcre2">^query\[A\]</field>
    <description>DNSMasq: DNS A request. Host $(srcip) requested IP of $(url)</description>
  </rule>

  <rule id="99902" level="3">
    <if_sid>99900</if_sid>
    <field name="type" type="pcre2">^query\[AAAA\]</field>
    <description>DNSMasq: DNS AAAA request. Host $(srcip) requested IP of $(url)</description>
  </rule>

  <rule id="99903" level="3">
    <if_sid>99900</if_sid>
    <field name="type" type="pcre2">^dnssec-query</field>
    <description>DNSMasq: DNSSEC request. DS record of $(url) requested from upstream DNS $(dstip).</description>
  </rule>

  <rule id="99904" level="3">
    <if_sid>99900</if_sid>
    <field name="type" type="pcre2">^query\[HTTPS\]</field>
    <description>DNSMasq: DNS HTTPS record request. Host $(srcip) requested HTTPS record of $(url).</description>
  </rule>

  <rule id="99905" level="3">
    <if_sid>99900</if_sid>
    <field name="type" type="pcre2">^query\[SVCB\]</field>
    <description>DNSMasq: DNS SVCB record request. Host $(srcip) requested SVCB record of $(url).</description>
  </rule>

  <rule id="99906" level="3">
    <if_sid>99900</if_sid>
    <field name="type" type="pcre2">^forwarded</field>
    <description>DNSMasq: DNS request forwarded. Request for IP of $(url) forwarded to $(dstip).</description>
  </rule>

  <rule id="99907" level="3">
    <if_sid>99900</if_sid>
    <field name="type" type="pcre2">^reply</field>
    <description>DNSMasq: DNS reply. $(url) has IP $(dstip)</description>
  </rule>

  <rule id="99908" level="3">
    <if_sid>99900</if_sid>
    <field name="type" type="pcre2">^cached</field>
    <description>DNSMasq: DNS cached reply. $(url) has IP $(dstip)</description>
  </rule>

  <rule id="99909" level="3">
    <if_sid>99900</if_sid>
    <field name="type" type="pcre2">^gravity</field>
    <description>DNSMasq: DNS request blocked. $(url) has IP $(dstip)</description>
  </rule>

  <!--
  New rule for blacklisted URLs
  -->

  <rule id="99910" level="3">
    <if_sid>99900</if_sid>
    <field name="type" type="pcre2">blacklisted</field>
    <description>DNSMasq: DNS request blacklisted. $(url) has IP $(dstip)</description>
  </rule>

</group>
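To check how the decoder file and the rules file above behave together before loading them on the manager, here is an added Python harness (not part of the original document, nor Wazuh's own code) that replays a subset of the page's pcre2 regexes and rule conditions over constructed sample lines in both log formats. It assumes that Wazuh keeps the first sibling child decoder whose regex matches; under that assumption the unanchored plain decoders, which come first in the file, also match log-queries=extra lines and the id and srcport fields are lost, which the block makes visible by running the decoders in both orders.

```python
import re

# Added example, not from the document: a local replay of the page's decoder and rule
# regexes. Assumption: Wazuh keeps the first sibling child decoder whose regex matches,
# which is what decode() models with a plain in-order scan.
PREMATCH = re.compile(r"(?i)dnsmasq\[\d+\]\:")          # parent decoder "dnsmasq"
PLAIN = [  # child decoders written for plain log-queries lines (first in the file)
    (r"(query\[A+\])\s+(\S+)\s+from\s+(\S+)", "type,url,srcip"),
    (r"(gravity blocked)\s+(\S+)\s+is\s+(\S+)", "type,url,dstip"),
    (r"\s(validation)\s(\S+).is.(BOGUS)", "type,url,result"),
]
EXTRA = [  # child decoders written for log-queries=extra lines (later in the file)
    (r"\s(\d+)\s(\S+)\/(\S+)\s(query\[A+\])\s+(\S+)\s+from\s+\S+", "id,srcip,srcport,type,url"),
    (r"\s(\d+)\s(\S+)\/(\S+)\s(validation)\s(\S+).is.(BOGUS|SECURE|INSECURE|TRUNCATED).([\S\x20]+)",
     "id,srcip,srcport,type,url,result,reason"),
]
RULES = [  # (rule id, pcre2 applied to the decoded "type" field, description template)
    (99901, r"^query\[A\]", "DNSMasq: DNS A request. Host $(srcip) requested IP of $(url)"),
    (99909, r"^gravity", "DNSMasq: DNS request blocked. $(url) has IP $(dstip)"),
]

def decode(line, decoders=PLAIN + EXTRA):
    """Fields extracted by the first child decoder that matches after the parent prematch."""
    m = PREMATCH.search(line)
    if not m:
        return None                       # the parent decoder does not apply to this line
    rest = line[m.end():]                 # offset="after_parent": match only the remainder
    for pattern, order in decoders:
        hit = re.search(pattern, rest)
        if hit:
            return dict(zip(order.split(","), hit.groups()))
    return {}                             # parent matched, but no child extracted fields

def alert(fields):
    """Rule id and expanded description the rules file would produce for these fields."""
    for rule_id, pattern, desc in RULES:
        if re.search(pattern, fields.get("type", "")):
            return rule_id, re.sub(r"\$\((\w+)\)", lambda v: fields.get(v.group(1), ""), desc)
    return 99900, "dnsmasq grouping."     # level-0 grouping rule: no alert is raised

# Constructed sample lines in the two formats quoted in the decoder file's comments.
PLAIN_LINE = "Jul 7 20:19:36 dnsmasq[536]: gravity blocked tags.tiqcdn.com is 0.0.0.0"
EXTRA_LINE = ("Jul 19 16:01:10 dnsmasq[539]: 625 192.168.1.185/60568 "
              "query[A] detectportal.firefox.com from 192.168.1.185")

if __name__ == "__main__":
    print(alert(decode(PLAIN_LINE)))
    print(decode(EXTRA_LINE))                   # file order: the plain decoder wins, id/srcport lost
    print(decode(EXTRA_LINE, EXTRA + PLAIN))    # extra decoders first: id and srcport are kept
```

If you run Pi-hole with log-queries=extra, confirm the decoder order on the manager with /var/ossec/bin/wazuh-logtest and, if the id field is missing, move the extra decoders ahead of the plain ones in 0999-dnsmasq-decoder.xml.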
Threat Hunting
With this basic ruleset you gain visibility into the DNS queries and can filter them. Now it's up to you to add new rules to the list and refine them so you get alerted.

Security Alerts
URL Filter