SmartConnector DNS lookup
We know that the SmartConnector performs DNS lookups for host names and IPs when logs are being received, aggregated and normalized.
I just wanted to find out whether anyone knows if this behaviour applies to filtered-out events, too.
Based on the models from:
TB3248 - Syslog Connector Performance Tuning - Girish Mantry Moehadi Liang
Arcsight Connector Name Resolver 101 - Mike Weston
My theory is that it would happen in the cache (after events are filtered out).
How things work…
• If Clear Host Names Same as IP Addresses is enabled, that is done even if name resolution is disabled
• The heart of the operation looks like this (reverse the roles of name and IP for IP-to-name reverse resolution):
– The host name is looked up in the cache
– If it is not found, it is looked up in the negative cache (if configured)
• If found in the negative cache but the entry is older than the TTL, discard it and continue
• If found in the negative cache and younger than the TTL, the IP address is not set (done)
– If it was found, decide if it is stale (older than the TTL or twice that, depending)
– If it was not found or was stale, and Wait For Resolution is enabled, do that (done)
– If it was not found or was stale, and Wait For Resolution is disabled, queue the host name (done)
– If the cache lookup was successful, set the IP address(es)
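The steps above, implemented as an added example (this is not ArcSight's or the SmartConnector's code): a forward-lookup cache with a positive cache, an optional negative cache, TTL-based staleness, the Wait For Resolution versus queue split, and the Clear Host Names Same as IP Addresses pre-step. The resolver and the clock are injected as callables so it runs offline. Assumptions: a cache entry is stale after one TTL (the post says "or twice that, depending", which is not modelled), and the clear-host-names option is read as "the host name field equals the address field".

```python
from collections import deque


class NameResolver:
    """Forward (host name -> IP) lookup cache following the steps in the post above.

    resolver: callable(name) -> list of IP strings, [] when the name does not resolve
    clock:    callable() -> seconds; both are injected so the example runs offline
    """

    def __init__(self, resolver, clock, ttl=3600, negative_ttl=None,
                 wait_for_resolution=False, resolution_enabled=True,
                 clear_names_same_as_ip=True):
        self.resolver = resolver
        self.clock = clock
        self.ttl = ttl                      # assumption: stale = older than one TTL
        self.negative_ttl = negative_ttl    # None = negative cache not configured
        self.wait = wait_for_resolution
        self.enabled = resolution_enabled
        self.clear_same = clear_names_same_as_ip
        self.cache = {}        # name -> (ips, inserted_at)
        self.negative = {}     # name -> inserted_at (names that failed to resolve)
        self.queue = deque()   # names waiting for a background lookup
        self.lookups = []      # every name actually sent to the resolver

    def _lookup(self, name):
        """One real query; the outcome lands in the positive or negative cache."""
        self.lookups.append(name)
        ips = list(self.resolver(name))
        now = self.clock()
        if ips:
            self.cache[name] = (ips, now)
            self.negative.pop(name, None)
        elif self.negative_ttl is not None:
            self.negative[name] = now
        return ips

    def process(self, event):
        """event: dict with 'hostName' and 'address'; filled in and returned."""
        name = event.get("hostName")
        # Clear Host Names Same as IP Addresses runs even when resolution is off
        # (assumed reading: host name field equals the address field).
        if self.clear_same and name and name == event.get("address"):
            event["hostName"] = None
            name = None
        if not self.enabled or not name or event.get("address"):
            return event
        now = self.clock()

        hit = self.cache.get(name)
        if hit is None and self.negative_ttl is not None:
            failed_at = self.negative.get(name)
            if failed_at is not None:
                if now - failed_at > self.negative_ttl:
                    del self.negative[name]   # older than TTL: discard, continue
                else:
                    return event              # recent failure: address stays unset
        stale = hit is not None and now - hit[1] > self.ttl

        if hit is None or stale:
            if self.wait:
                ips = self._lookup(name)      # Wait For Resolution: block on it
                if ips:
                    event["address"] = ips[0]
            elif name not in self.queue:
                self.queue.append(name)       # otherwise hand it to the background worker
            return event

        event["address"] = hit[0][0]          # fresh cache hit
        return event

    def drain_queue(self):
        """Background worker: resolve queued names so later events hit the cache."""
        while self.queue:
            self._lookup(self.queue.popleft())
```

The `lookups` list records every query the resolver actually sends, which is the observable that matters when you are trying to work out why a particular name keeps being resolved: a fresh positive hit, a recent negative hit, and a queued name that has not yet been drained all produce no query, while a stale entry or an expired negative entry produces one.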
Thanks for pointing it out. The reason for the question is that our connector is looking up a particular URL which seemed to be of malicious content. We have already found one host in the network that is infected and is attempting to perform this callback, and it has since been removed. However, we are still seeing name resolutions from the SmartConnector for this particular URL and we would like to know why. Our first suspicion was that the logs might have contained the URL in question and hence the lookup.
While it may not have directly answered my query, it was helpful in understanding how the processing of events takes place in the connector. Cheers!
Have you tried filtering out the specific IP or DNS name? Do you still get the alerts?
According to my theory it should not create alerts.
We have yet to filter the specific IP out; it is unlikely we can justify that, especially in a production environment.
I'm turning on connector debugging to try to find out more about this, as I'm still seeing the name lookup performed by the connector.
That could also be used to detect any pharming or fast flux inside the network. Has somebody thought about this before?
I'm trying to do it. Basically I'll detect all DNS messages and add the IP address and URL to a list.
Now I would like to make a query which checks whether this IP address matches what DNS returns (some DNS lookup). If it does not, I would generate an alert, because probably someone changed the local hosts file or the DNS server.
Does someone know how to do this query?
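One way to build the check asked for above, as an added example that is not part of the original thread: a function that takes DNS answers already collected from the network and a trusted resolver callable, flags answers the trusted resolver does not return (the hosts-file or rogue-DNS case raised above), flags answers it cannot verify at all, and, going one step beyond the question, flags names that cycle through many addresses with short TTLs as a simple fast-flux heuristic. The `(timestamp, name, ip, ttl)` tuple layout, the thresholds and the sample data are constructed for this example; `system_resolve` wraps `socket.getaddrinfo` for live use, but `run_sample` uses a fixed table so it runs offline.

```python
import socket
from collections import defaultdict

FLUX_MIN_DISTINCT_IPS = 5   # assumed thresholds for the fast-flux heuristic
FLUX_MAX_TTL = 300


def system_resolve(name):
    """Trusted resolver for live use: addresses returned by the host's own resolver."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def check_dns_answers(observed, trusted_resolve):
    """observed: iterable of (timestamp, name, answered_ip, ttl) from captured DNS responses.
    trusted_resolve: callable(name) -> set of IP strings from a resolver you control.
    Returns a list of alert dicts, in the order the names were first seen."""
    by_name = defaultdict(list)
    for ts, name, ip, ttl in observed:
        by_name[name.lower().rstrip(".")].append((ts, ip, ttl))

    alerts = []
    for name, answers in by_name.items():
        expected = trusted_resolve(name)
        for ts, ip, ttl in answers:
            if not expected:
                # Trusted resolver knows nothing about the name: cannot confirm either way.
                alerts.append({"type": "unverified", "name": name, "observed": ip, "ts": ts})
            elif ip not in expected:
                # Client got an answer the trusted resolver never returns: hosts-file or DNS tampering.
                alerts.append({"type": "mismatch", "name": name, "observed": ip,
                               "expected": sorted(expected), "ts": ts})
        distinct = {ip for _, ip, _ in answers}
        max_ttl = max(ttl for _, _, ttl in answers)
        if len(distinct) >= FLUX_MIN_DISTINCT_IPS and max_ttl <= FLUX_MAX_TTL:
            # Many short-lived addresses for one name is the fast-flux pattern.
            alerts.append({"type": "fast-flux", "name": name,
                           "distinct_ips": len(distinct), "max_ttl": max_ttl})
    return alerts


# Constructed sample: answers a sensor saw, not real traffic.
OBSERVED = [
    ("10:00:01", "bank.example", "203.0.113.10", 300),
    ("10:00:05", "bank.example", "192.168.1.50", 300),   # answer a trusted resolver never gives
    ("10:00:07", "cdn.example", "198.51.100.1", 30),
    ("10:00:09", "cdn.example", "198.51.100.2", 30),     # low TTL but few addresses: fine
    ("10:00:11", "intranet.corp", "10.0.0.1", 3600),     # trusted resolver cannot resolve it
] + [("10:01:%02d" % i, "flux.example", "192.0.2.%d" % (10 + i), 60) for i in range(6)]

# Constructed trusted answers standing in for system_resolve().
TRUSTED = {
    "bank.example": {"203.0.113.10"},
    "cdn.example": {"198.51.100.1", "198.51.100.2"},
    "flux.example": {"192.0.2.%d" % (10 + i) for i in range(6)},
}


def run_sample():
    return check_dns_answers(OBSERVED, lambda n: TRUSTED.get(n, set()))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

In a live deployment the trusted resolver should be one you control and reach by address, not the resolver the monitored clients use; otherwise a poisoned DNS server validates its own answers.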