
SmartConnector DNS lookup

We know that SmartConnector performs DNS lookup for hostnames and IP when logs are being received, aggregated and normalized.

Just wanted to find out if anyone knows whether such behavior applies to filtered-out events, too?


Hi,

Based on models from:

TB3248 - Syslog Connector Performance Tuning - Girish Mantry Moehadi Liang

Arcsight Connector Name Resolver 101 - Mike Weston

It would happen in the cache (after events are filtered out) is my theory.

===

Operation highlights

How things work…

If Clear Host Names Same as IP Addresses is enabled, that is done even if name resolution is disabled

The heart of the operation looks like this (reverse things for IP to name reverse resolution):

The host name is looked up in the cache

If it is not found, it is looked up in the negative cache (if configured)

If found in the negative cache but the entry is older than the TTL, discard it and continue

If found in the negative cache and younger than the TTL, the IP address is not set (done)

If it was found, decide if it is stale (older than the TTL or twice that, depending)

If it was not found or was stale, and Wait For Resolution is enabled, do that (done)

If it was not found or was stale, and Wait For Resolution is disabled, queue the host name (done)

If the cache lookup was successful, set the IP address(es)

===

[Attached images: Connector_processing Model.JPG, Syslog_parsing_process.JPG]

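The cache steps listed in the reply above, as an added example that is not part of the original thread or of the ArcSight connector code. It models one host-name-to-IP lookup with a positive cache, a negative cache, TTL-based staleness and the Wait For Resolution switch; the `resolver` callable and the injectable `now` clock are assumptions standing in for the real DNS query and the system clock.

```python
import time
from collections import deque


class NameResolverCache:
    """Host-name -> IP lookup path as described in the reply above (assumed model).

    ttl: seconds after which a positive or negative entry is considered expired.
    stale_factor: the reply says "older than the TTL or twice that, depending";
    1 or 2 selects which. now: clock function, injectable for testing.
    """

    def __init__(self, ttl, wait_for_resolution, negative_cache=True,
                 stale_factor=1, now=time.time):
        self.ttl = ttl
        self.wait = wait_for_resolution
        self.use_negative = negative_cache
        self.stale_factor = stale_factor
        self.now = now
        self.cache = {}       # host -> (list of IPs, time resolved)
        self.negative = {}    # host -> time the lookup failed
        self.queue = deque()  # host names handed to the background resolver

    def lookup(self, host, resolver):
        """Return (outcome, ips); ips is None whenever the IP is not set."""
        t = self.now()
        entry = self.cache.get(host)
        if entry is None and self.use_negative and host in self.negative:
            if t - self.negative[host] > self.ttl:
                del self.negative[host]          # expired: discard and continue
            else:
                return ("negative", None)        # known failure, IP not set
        stale = entry is not None and t - entry[1] > self.ttl * self.stale_factor
        if entry is None or stale:
            if not self.wait:
                self.queue.append(host)          # resolve later, IP not set now
                return ("queued", None)
            ips = resolver(host)                 # blocking lookup (Wait For Resolution)
            if ips:
                self.cache[host] = (list(ips), t)
                return ("resolved", list(ips))
            self.cache.pop(host, None)
            self.negative[host] = t              # remember the failure
            return ("negative", None)
        return ("cached", entry[0])              # cache hit, set the IP address(es)
```

Note that nothing in this path depends on whether the event is later dropped by a filter, which is why a suspicious host name in a filtered-out event can still produce a DNS query from the connector.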

Hi Jurgen,

Thanks for pointing it out. The reason for the question is that our connector is looking up a particular URL which seemed to be of malicious content. We have already found one host in the network which is infected and is attempting to perform this callback, and it has since been removed. However, we are still seeing name resolutions from the SmartConnector for this particular URL and we would like to know why. Our first suspicion was that the logs might have contained the URL in question and hence the lookup.

While it may not have directly answered my query, it was helpful in understanding how the processing of events takes place in the connector. Cheers!


Hi,

Have you tried filtering out the specific IP or DNS name? Do you still get the alerts?

According to my theory it should not create alerts.

Kind regards,

Jurgen


Have yet to filter the specific IP out; it is unlikely we can justify that, especially when this is a production environment.

I'm turning on connector debugging to try to find out more about this, as I'm still seeing the name lookup performed by the connector.


DNS resolution takes place before filtering out. So it applies to events potentially filtered out later in the event processing workflow.


Hello Jack,

Did any of the suggestions above assist you in any way? If so, please mark as answered; if not, let me know.

Thanks,

Jason


If we turn off DNS lookup, then what will happen?


That could also be used to detect any pharming or fast-flux inside the network. Did somebody think about this before?

I'm trying to do it. Basically I'll detect all DNS messages and add ip address and url into a list.

Now I would like to make some query which checks whether this IP address is correct according to DNS (some DNS lookup). If it's not, I would generate an alert, because probably someone changed the local hosts file or DNS server.

Does someone know how to do this query?
