Sysmon network rules problem

Andre Makarov 1 Reputation point
2021-01-15T12:04:21.63+00:00

Sysmon version: 13.01
Schema version: 4.50

I added this rule:
<DestinationHostname condition="is any">"Array of server's FQDNs"</DestinationHostname>

After adding the rule, sysmon stopped recording network events at all. Length of "Array of server's FQDNs" = 255 symbols. Could this be a problem?


3 answers

  1. dstaulcu 351 Reputation points
    2021-01-15T15:04:32.873+00:00

    Something does seem off about it.

    My testing has DnsLookup explicitly enabled and uses schema 4.5 and rule groups.

    With an include strategy for events of home router name only, Sysmon 13.1 still logs events associated with other DestinationHostNames.

     - NetworkConnect                     onmatch: include   combine rules using 'Or'
            Compound Rule 0001   combine using And
                DestinationHostname            filter: is any       value: 'Fios_Quantum_Gateway.fios-router.home'
    

    With the inverse of that configuration, no events are received despite ping and web based interactions with home router management interface.

     - NetworkConnect                     onmatch: exclude   combine rules using 'Or'
            Compound Rule 0001   combine using And
                DestinationHostname            filter: is any       value: 'Fios_Quantum_Gateway.fios-router.home'
    

    Here is a slice of the config for developer testing:

            <RuleGroup name="" groupRelation="or">
                <NetworkConnect onmatch="exclude">
                    <Rule groupRelation="and" name="">
                        <DestinationHostname condition="is any">Fios_Quantum_Gateway.fios-router.home</DestinationHostname>
                    </Rule>   
                </NetworkConnect>
            </RuleGroup>
    

  2. Andre Makarov 1 Reputation point
    2021-01-18T10:55:53.567+00:00

    I set up a test environment (all VMs are Windows Server 2019 build 1809):

    1. Two VMs (srv1 and srv2) with a dummy HTTP server on port 8080;
    2. VM (srv3) without anything special;
    3. VM (srv4) with sysmon and the test PowerShell script.

    PowerShell script running on srv3 for testing:

    # Every 5 seconds, open one TCP connection to each test target so that
    # sysmon on the monitoring host sees NetworkConnect events for all three.
    while ($true) {
        Start-Sleep -Seconds 5
        Test-NetConnection -Port 8080 -ComputerName srv1 | Select-Object ComputerName, TcpTestSucceeded | Format-Table
        Test-NetConnection -Port 8080 -ComputerName srv2 | Select-Object ComputerName, TcpTestSucceeded | Format-Table
        Test-NetConnection -Port 445  -ComputerName srv3 | Select-Object ComputerName, TcpTestSucceeded | Format-Table
    }
    

    Sysmon config:

    <Sysmon schemaversion="4.50">
    <HashAlgorithms>sha256</HashAlgorithms>
    <EventFiltering>
    
    <RuleGroup name="ProcessCreate_In" groupRelation="or">
    <ProcessCreate onmatch="include">
    </ProcessCreate>
    </RuleGroup>
    
    <RuleGroup name="FileCreateTime_In" groupRelation="or">
    <FileCreateTime onmatch="include">
    </FileCreateTime>
    </RuleGroup>
    
    <RuleGroup name="NetworkConnect_In" groupRelation="or">
    <NetworkConnect onmatch="include">
    <DestinationPort condition="is">445</DestinationPort>
    <DestinationPort condition="is">8080</DestinationPort>
    </NetworkConnect>
    </RuleGroup>
    
    <RuleGroup name="NetworkConnect_Ex" groupRelation="or">
    <NetworkConnect onmatch="exclude">
    <DestinationHostname condition="is any">srv1;srv2</DestinationHostname>
    </NetworkConnect>
    </RuleGroup>
    
    <RuleGroup name="ProcessTerminate_In" groupRelation="or">
    <ProcessTerminate onmatch="include">
    </ProcessTerminate>
    </RuleGroup>
    
    <RuleGroup name="DriverLoad_In" groupRelation="or">
    <DriverLoad onmatch="include">
    </DriverLoad>
    </RuleGroup>
    
    <RuleGroup name="ImageLoad_In" groupRelation="or">
    <ImageLoad onmatch="include">
    </ImageLoad>
    </RuleGroup>
    
    <RuleGroup name="CreateRemoteThread_In" groupRelation="or">
    <CreateRemoteThread onmatch="include">
    </CreateRemoteThread>
    </RuleGroup>
    
    <RuleGroup name="RawAccessRead_In" groupRelation="or">
    <RawAccessRead onmatch="include">
    </RawAccessRead>
    </RuleGroup>
    
    <RuleGroup name="ProcessAccess_In" groupRelation="or">
    <ProcessAccess onmatch="include">
    </ProcessAccess>
    </RuleGroup>
    
    <RuleGroup name="FileCreate_In" groupRelation="or">
    <FileCreate onmatch="include">
    </FileCreate>
    </RuleGroup>
    
    <RuleGroup name="RegistryEvent_In" groupRelation="or">
    <RegistryEvent onmatch="include">
    </RegistryEvent>
    </RuleGroup>
    
    <RuleGroup name="FileCreateStreamHash_In" groupRelation="or">
    <FileCreateStreamHash onmatch="include">
    </FileCreateStreamHash>
    </RuleGroup>
    
    <RuleGroup name="PipeEvent_In" groupRelation="or">
    <PipeEvent onmatch="include">
    </PipeEvent>
    </RuleGroup>
    
    <RuleGroup name="WmiEvent_In" groupRelation="or">
    <WmiEvent onmatch="include">
    </WmiEvent>
    </RuleGroup>
    
    <RuleGroup name="DnsQuery_In" groupRelation="or">
    <DnsQuery onmatch="include">
    </DnsQuery>
    </RuleGroup>
    
    <RuleGroup name="FileDelete_In" groupRelation="or">
    <FileDelete onmatch="include">
    </FileDelete>
    </RuleGroup>
    
    <RuleGroup name="ClipboardChange_In" groupRelation="or">
    <ClipboardChange onmatch="include">
    </ClipboardChange>
    </RuleGroup>
    
    <RuleGroup name="ProcessTampering_In" groupRelation="or">
    <ProcessTampering onmatch="include">
    </ProcessTampering>
    </RuleGroup>
    
    </EventFiltering>
    </Sysmon>
    

    While the filter <DestinationHostname condition="is any">srv1;srv2</DestinationHostname> is enabled, network events are not logged for srv1, srv2 or srv3. When the filter is disabled, everything is OK. I expect events to be filtered where DestinationHostname is srv1 or srv2.

    If you replace the filter <DestinationHostname condition="is any">srv1;srv2</DestinationHostname> with:

    <DestinationHostname condition="is">srv1</DestinationHostname>
    <DestinationHostname condition="is">srv2</DestinationHostname>
    

    sysmon works as expected.


  3. Joe Doe 156 Reputation points
    2021-01-25T16:06:29.163+00:00

    Hi. I've tested this also with EventID 7. Same behaviour, even in Sysmon Version 12.01.

    This is my failing config

        <RuleGroup name="Audit_All_ImageLoad" groupRelation="or">
            <ImageLoad onmatch="include">
                <Rule name="LSASS Suspicious Set of DLLs loaded" groupRelation="and">
                    <Image condition="image">C:\Temp\ADExplorer.exe</Image>
                    <ImageLoaded condition="is any">C:\Windows\SysWOW64\samcli.dll;C:\Windows\SysWOW64\netapi32.dll</ImageLoaded>
                </Rule>
            </ImageLoad>
        </RuleGroup>
    

    With this config above every loaded DLL is audited when the Image is C:\Temp\ADExplorer.exe. This config does not respect the ImageLoaded config.

    But when you change the condition from "is any" to "contains any", it works as expected. It only audits the two mentioned DLL loads loaded by the image.

    Can you test this behaviour in your config (Replace "is any" to "contains any")?
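The second and third posts both describe what the posters expected Sysmon to do with a `;`-delimited `is any` value, and the third points at `contains any` as the working alternative. The script below is an added example, not code from this thread or from Sysinternals: it parses a Sysmon-style `EventFiltering` section and evaluates sample events against it using the condition semantics the Sysmon schema documents (`is any` = equals one of the values, `contains any` = contains one of them, `image` = full path or bare file name). It is an offline sanity check for what a configuration *should* log, so it reproduces the expected results, not the bug the posters observed. Assumptions not taken from the thread: an exclude match always wins over include, several RuleGroups for the same event/onmatch are OR-ed, only the listed conditions are modelled, and an event type with no rules raises rather than guessing Sysmon's per-type default. The embedded config is constructed from the two posters' snippets.

```python
"""Offline evaluator for a subset of Sysmon EventFiltering semantics (added example)."""
import ntpath
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Constructed config: the NetworkConnect groups from the second post and the
# ImageLoad group from the third post, nothing else.
SAMPLE_CONFIG = r"""<Sysmon schemaversion="4.50">
<EventFiltering>
  <RuleGroup name="NetworkConnect_In" groupRelation="or">
    <NetworkConnect onmatch="include">
      <DestinationPort condition="is">445</DestinationPort>
      <DestinationPort condition="is">8080</DestinationPort>
    </NetworkConnect>
  </RuleGroup>
  <RuleGroup name="NetworkConnect_Ex" groupRelation="or">
    <NetworkConnect onmatch="exclude">
      <DestinationHostname condition="is any">srv1;srv2</DestinationHostname>
    </NetworkConnect>
  </RuleGroup>
  <RuleGroup name="Audit_All_ImageLoad" groupRelation="or">
    <ImageLoad onmatch="include">
      <Rule name="LSASS Suspicious Set of DLLs loaded" groupRelation="and">
        <Image condition="image">C:\Temp\ADExplorer.exe</Image>
        <ImageLoaded condition="is any">C:\Windows\SysWOW64\samcli.dll;C:\Windows\SysWOW64\netapi32.dll</ImageLoaded>
      </Rule>
    </ImageLoad>
  </RuleGroup>
</EventFiltering>
</Sysmon>"""


def _parts(value: str) -> List[str]:
    """Split a ';'-delimited rule value, as the *any/*all conditions require."""
    return [p.strip() for p in value.split(";") if p.strip()]


# Condition name -> predicate(field_value, rule_value); both already lower-cased.
_CONDITIONS = {
    "is":           lambda f, v: f == v,
    "is not":       lambda f, v: f != v,
    "contains":     lambda f, v: v in f,
    "excludes":     lambda f, v: v not in f,
    "begin with":   lambda f, v: f.startswith(v),
    "end with":     lambda f, v: f.endswith(v),
    "is any":       lambda f, v: f in _parts(v),                       # exact match of one value
    "contains any": lambda f, v: any(p in f for p in _parts(v)),       # substring of one value
    "contains all": lambda f, v: all(p in f for p in _parts(v)),
    # "image": full-path compare when the rule value carries a path, else file name only
    "image":        lambda f, v: f == v if "\\" in v else ntpath.basename(f) == v,
}


def match_condition(condition: str, field_value: str, rule_value: str) -> bool:
    """Evaluate one filter; Sysmon compares case-insensitively, so lower-case both sides."""
    try:
        predicate = _CONDITIONS[condition.lower()]
    except KeyError:
        raise ValueError(f"condition not modelled here: {condition}") from None
    return predicate(field_value.lower(), rule_value.lower())


def _filter(elem: ET.Element) -> Tuple[str, str, str]:
    return (elem.tag, elem.get("condition", "is"), (elem.text or "").strip())


def load_rules(xml_text: str) -> Dict[Tuple[str, str], List[Tuple[str, list]]]:
    """Parse <RuleGroup>s into {(event_type, onmatch): [(group_relation, clauses), ...]}.

    A bare filter under the event element is a rule on its own; a <Rule> element is one
    compound rule whose filters are joined by its own groupRelation. The rules of a
    RuleGroup are then joined by the RuleGroup's groupRelation.
    """
    rules: Dict[Tuple[str, str], List[Tuple[str, list]]] = {}
    for group in ET.fromstring(xml_text).iter("RuleGroup"):
        group_rel = group.get("groupRelation", "or").lower()
        for event in group:
            clauses = []
            for child in event:
                if child.tag == "Rule":
                    clauses.append((child.get("groupRelation", "or").lower(), [_filter(f) for f in child]))
                else:
                    clauses.append(("and", [_filter(child)]))
            rules.setdefault((event.tag, event.get("onmatch", "include").lower()), []).append((group_rel, clauses))
    return rules


def _combine(relation: str, results: List[bool]) -> bool:
    return (all if relation == "and" else any)(results) if results else False   # empty rule set matches nothing


def matches(rules, event_type: str, onmatch: str, event: Dict[str, str]) -> Optional[bool]:
    """None if no such rule set exists; otherwise whether any RuleGroup of that set matches (assumed OR)."""
    groups = rules.get((event_type, onmatch))
    if groups is None:
        return None
    return any(
        _combine(group_rel, [_combine(rel, [match_condition(c, event.get(field, ""), v) for field, c, v in filters])
                             for rel, filters in clauses])
        for group_rel, clauses in groups)


def is_logged(rules, event_type: str, event: Dict[str, str]) -> bool:
    """Decide whether Sysmon should record the event under the parsed configuration."""
    inc = matches(rules, event_type, "include", event)
    exc = matches(rules, event_type, "exclude", event)
    if inc is None and exc is None:
        raise ValueError(f"no rules for {event_type}; Sysmon's per-type default is not modelled")
    if exc:
        return False                      # assumption: an exclude match always suppresses the event
    return True if inc is None else inc   # exclude-only set: everything not excluded is logged


RULES = load_rules(SAMPLE_CONFIG)

if __name__ == "__main__":
    for host, port in (("srv1", "8080"), ("srv2", "8080"), ("srv3", "445"), ("srv3", "80")):
        print(f"NetworkConnect {host}:{port} -> logged={is_logged(RULES, 'NetworkConnect', {'DestinationHostname': host, 'DestinationPort': port})}")
```

Run as-is it prints the decisions the second poster expected (srv3:445 logged, srv1 and srv2 suppressed, srv3:80 dropped by the include list). The `match_condition` helper also makes the third post's distinction concrete: `is any` with bare DLL names fails against a full `ImageLoaded` path while `contains any` succeeds, which is why switching conditions changes what gets audited. To compare against what a live Sysmon actually parsed, `sysmon -c` with no file argument dumps the current rules in the same layout the first answer pasted.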
