Whois plugin is not working?


(Blason) #1

Hi Team,

In my case I tried multiple installations, but the whois plugin is not working as desired. I even tested the data adapter, but it does not seem to show any output.

Any clue why?

TIA
Blason R


(Megan) #2

Could you please post the pipeline rule you are using to create the output?


(Christoph Kirchner) #3

Do you have direct internet access or do you use a proxy to connect?


(Blason) #4

I didn't use a pipeline, but used decorators for testing purposes on my DNS packetbeat eTLD, and that didn't work.


(Blason) #5

Yes, with direct internet access. Where is the code for those plugins?


(Megan) #6

Can you please give me a “test” value that I can run against my data adapter to ensure that what you are testing with is in the lookup table in general?


(Blason) #7

Here is the test lookup, and it consistently gives a null value:
whois


(Megan) #8

Can you try looking up 1.1.1.1?

I think there might be an issue with the plugin looking up domains. I can’t get results for domains either (had never tried before today). However I can look up 1.1.1.1 (and other IPs). The fact that a result is being returned (though null) indicates to me that the connection to the lookup table itself is working.


(Megan) #9

Based on the threat plugin repo, the plugin only does IPs, not domains (even though the lookup table description indicates otherwise). Poor documentation in the GUI that discusses domains and URLs, but it looks like IPs are the only available values for the plugin.


(Blason) #10

Ah, I see, and yes, that has returned properly!

Thanks for the quick help and really appreciated.


(Megan) #11

No problem! Happy to help!


(Blason) #12

However, that takes me to my new problem, and I would appreciate it if you can shed some light on this.

Since my packetbeat is giving the reply in the format below, I am stuck on how to extract the IP field from it and then query the whois plugin:

packetbeat_dns_answers
[{"class":"IN","data":"182.50.130.37","name":"isecurenet.in.","ttl":"599","type":"A"}]

(Jan Doberstein) #13

Hey @blason

I use the following rule to rewrite Packetbeat DNS Logs:

rule "rewrite raw packetbeat DNS logs"
when
  has_field("packetbeat_type") AND contains(to_string($message.packetbeat_type), "dns")
then
  // Select interesting fields and rename their keys to something more useful.
  set_field("dns_question", $message.packetbeat_dns_question_name);
  remove_field("packetbeat_dns_question_name");

  set_field("src_addr", $message.packetbeat_client_ip);
  remove_field("packetbeat_client_ip");

  set_field("dst_addr", $message.packetbeat_ip);
  remove_field("packetbeat_ip");

  set_field("dns_flags_authoritative", to_bool($message.packetbeat_dns_flags_authoritative));
  remove_field("packetbeat_dns_flags_authoritative");

  set_field("dns_flags_recursion_allowed", to_bool($message.packetbeat_dns_flags_recursion_allowed));
  remove_field("packetbeat_dns_flags_recursion_allowed");

  set_field("dns_flags_recursion_desired", to_bool($message.packetbeat_dns_flags_recursion_desired));
  remove_field("packetbeat_dns_flags_recursion_desired");

  set_field("dns_flags_truncated_response", to_bool($message.packetbeat_dns_flags_truncated_response));
  remove_field("packetbeat_dns_flags_truncated_response");

  set_field("dns_op_code", $message.packetbeat_dns_op_code);
  remove_field("packetbeat_dns_op_code");

  set_field("dns_question_class", $message.packetbeat_dns_question_class);
  remove_field("packetbeat_dns_question_class");

  set_field("dns_question_type", $message.packetbeat_dns_question_type);
  remove_field("packetbeat_dns_question_type");

  set_field("dns_response_code", $message.packetbeat_dns_response_code);
  remove_field("packetbeat_dns_response_code");

  set_field("dst_port", to_long($message.packetbeat_port));
  remove_field("packetbeat_port");

  set_field("src_port", to_long($message.packetbeat_client_port));
  remove_field("packetbeat_client_port");

  // Remove fields we don't need or want.
  remove_field("name");
  remove_field("packetbeat_bytes_in");
  remove_field("packetbeat_bytes_out");
  remove_field("packetbeat_count");
  remove_field("packetbeat_out");
  remove_field("packetbeat_dns_additionals_count");
  remove_field("packetbeat_dns_answers_count");
  remove_field("packetbeat_dns_authorities");
  remove_field("packetbeat_dns_authorities_count");
  remove_field("packetbeat_dns_id");
  remove_field("packetbeat_dns_answers");
  remove_field("packetbeat_direction");
  remove_field("packetbeat_responsetime");
  remove_field("packetbeat_error");
  remove_field("packetbeat_transport");
  remove_field("packetbeat_method");
  remove_field("packetbeat_resource");
  remove_field("packetbeat_status");
  remove_field("packetbeat_type");
  remove_field("packetbeat_query");
  remove_field("packetbeat_dns_flags_authentic_data");
  remove_field("packetbeat_dns_flags_checking_disabled");
  remove_field("packetbeat_dns_flags_recursion_available");
  remove_field("packetbeat_dns_question_etld_plus_one");
  remove_field("packetbeat_dns_additionals");
  remove_field("facility");

  // Remove trailing . if there is one
  let fix = regex("(.+?)\\.?$", to_string($message.dns_question));
  set_field("dns_question", to_string(fix["0"]));

  set_field("message", concat("DNS Query: ", to_string($message.dns_question)));
end

You might want to adjust that to your needs! But with that I can then look up the destination with the next rule:

rule "threatintel_packetbeat_dst_ip"
when
    // everything that looks like a DNS Query from Packetbeat
    // since other rules cut off other identifications this is the only left
    has_field("type") AND to_string($message.type) == "dns" AND NOT in_private_net(to_string($message.dst_addr)) 
then

    // lookup the DNS Question against all installed sources
    let lookup = threat_intel_lookup_ip(to_string($message.dst_addr), "dst_addr");
    set_fields(lookup);

end

Maybe the above helps you!

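The extraction Blason asks about in #12 (pulling the resolved address out of the packetbeat_dns_answers array so it can be fed to an IP-only lookup such as the whois adapter Megan describes in #9) is not actually done by the rule above, which drops that field. The following is an added example, not code from the thread or from Graylog: it is written in Python rather than as a pipeline rule, and the packetbeat_dns_answers sample is constructed (the CNAME, the private A record, the duplicate A record and the IPv6 address of the 1.1.1.1 resolver are added here to exercise the edge cases). It keeps only A/AAAA records, skips malformed entries instead of raising, and drops non-global addresses before they are used as lookup keys, mirroring the in_private_net guard in Jan's second rule but also covering IPv6.

```python
import ipaddress
import json

# Constructed sample of a packetbeat_dns_answers value, modelled on the shape
# quoted in the thread (a JSON array of answer objects). The CNAME, the private
# A record, the AAAA record and the duplicate A record are added for the edge cases.
SAMPLE_ANSWERS = json.dumps([
    {"class": "IN", "data": "www.example.test.", "name": "example.test.", "ttl": "300", "type": "CNAME"},
    {"class": "IN", "data": "182.50.130.37", "name": "www.example.test.", "ttl": "599", "type": "A"},
    {"class": "IN", "data": "10.0.0.5", "name": "www.example.test.", "ttl": "599", "type": "A"},
    {"class": "IN", "data": "2606:4700:4700::1111", "name": "www.example.test.", "ttl": "599", "type": "AAAA"},
    {"class": "IN", "data": "182.50.130.37", "name": "www.example.test.", "ttl": "599", "type": "A"},
])


def strip_trailing_dot(name: str) -> str:
    """Normalize a DNS owner name the way the rule above does: drop one trailing '.'."""
    return name[:-1] if name.endswith(".") else name


def extract_answer_ips(raw_answers: str) -> list:
    """Parse a packetbeat_dns_answers JSON string and return its address records,
    in answer order, as (owner_name, ipaddress object) tuples.

    CNAME/TXT/etc. records are skipped because the whois adapter only accepts IPs.
    Malformed input is skipped rather than raised on, since this runs per message
    in a log pipeline and one bad event must not stop the rest."""
    try:
        answers = json.loads(raw_answers)
    except (TypeError, ValueError):
        return []
    if not isinstance(answers, list):
        return []
    found = []
    for rr in answers:
        if not isinstance(rr, dict) or rr.get("type") not in ("A", "AAAA"):
            continue
        try:
            ip = ipaddress.ip_address(rr.get("data", ""))
        except ValueError:
            # "data" is not a literal address (or is missing); not usable as a key.
            continue
        found.append((strip_trailing_dot(str(rr.get("name", ""))), ip))
    return found


def lookup_keys(raw_answers: str) -> list:
    """Return the de-duplicated, ordered list of globally routable IPs (as strings)
    that are worth sending to an IP-keyed lookup table.

    Private, loopback, link-local and documentation ranges are dropped for both
    IPv4 and IPv6 (ipaddress.is_global), so RFC 1918 answers from split-horizon
    DNS never generate a whois query."""
    keys = []
    for _, ip in extract_answer_ips(raw_answers):
        if not ip.is_global:
            continue
        key = str(ip)
        if key not in keys:
            keys.append(key)
    return keys


if __name__ == "__main__":
    for owner, ip in extract_answer_ips(SAMPLE_ANSWERS):
        print(f"{owner} -> {ip} (global={ip.is_global})")
    print("lookup keys:", lookup_keys(SAMPLE_ANSWERS))
```

Each string in lookup_keys() is what you would pass to an IP-keyed function such as threat_intel_lookup_ip(), one call per address, with the prefix naming the field the address came from so results from several answers do not overwrite each other. In a pipeline rule the same parsing step would be done with parse_json() on the field and a JSONPath selection on the result; that mapping is an assumption of this example and is not shown in the thread.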

(system) #14

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.