Christopher Ahearn

Getting to the root host of the problem

Blog Post created by Christopher Ahearn Employee on Feb 22, 2017

This came out of a separate discussion but I thought it could be helpful for others.

 

A customer was looking to write an ESA rule that essentially did an 'ends' match against alias.host meta. For example, 'bad.maliciousdomain.com' or 'really.bad.maliciousdomain.com' could be matched by looking for 'maliciousdomain.com'. Things like this can actually be done on the decoder and created as meta for easy searching.

You could create application rules on your decoders that specifically look for the domain of interest.

 

name=maliciousdomain rule="alias.host ends 'maliciousdomain.com'" alert=alert type=application

 

Then, just have ESA look for alert = 'maliciousdomain', since it will already be meta at that point.

You could also look for the root host for any and all sessions where alias.host is populated.  I wrote a parser to help with that.  The purpose being that if I wanted to exclude any domain, I could.  This uses a custom meta key called 'root.host', so an index change on the concentrators would be needed if you wanted to query against it.  If you want to change the meta key, feel free to do so.

 

 

The parser works by performing a meta callback against 'alias.host' and then examining the location of all the dots in the hostname. It then compares what follows the last dot against the TLDs listed in a table and, if it is found, moves to the left.
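The dot-walking logic described above, as an added Lua example that is not the author's parser and not RSA's code. The suffix table, the parser name `root_host_example` and the function names are constructed for illustration; the example also goes slightly beyond the text by handling multi-label suffixes such as 'co.uk', bare suffixes and IP literals.

```lua
-- Added example: models the root-host logic described above; not the author's parser.
-- Constructed, deliberately short suffix table. A deployed table must be far larger.
local SUFFIXES = {
  ["com"] = true, ["net"] = true, ["org"] = true, ["uk"] = true,
  ["co.uk"] = true, ["org.uk"] = true, ["com.au"] = true, ["au"] = true,
}

-- Return the root host for a hostname, or nil when none can be derived.
local function rootHost(host)
  host = host:lower():gsub("%.+$", "")              -- normalise case, drop trailing dots
  if host:find("^[%d%.]+$") or host:find(":", 1, true) then
    return nil                                      -- IPv4/IPv6 literal, not a name
  end
  if SUFFIXES[host] then return nil end             -- bare suffix such as "co.uk"

  local dots = {}                                   -- position of every dot
  for pos in host:gmatch("()%.") do dots[#dots + 1] = pos end
  if #dots == 0 then return nil end                 -- single label

  local i = #dots                                   -- start at the last dot
  if not SUFFIXES[host:sub(dots[i] + 1)] then
    return nil                                      -- TLD not in the table
  end
  -- Move left while the longer tail is still a listed suffix ("uk" -> "co.uk").
  while i > 1 and SUFFIXES[host:sub(dots[i - 1] + 1)] do i = i - 1 end
  -- The root host is the matched suffix plus one label to its left.
  local start = (i > 1) and (dots[i - 1] + 1) or 1
  return host:sub(start)
end

if nw then
  -- Inside a decoder: register root.host from an alias.host meta callback.
  local p = nw.createParser("root_host_example", "root.host from alias.host")
  p:setKeys({ nwlanguagekey.create("root.host", nwtypes.Text) })
  function p:onHost(index, value)
    local root = rootHost(value)
    if root then nw.createMeta(self.keys["root.host"], root) end
  end
  p:setCallbacks({ [nwlanguagekey.create("alias.host")] = p.onHost })
else
  -- Plain Lua interpreter: run the constructed samples.
  for _, h in ipairs({ "really.bad.maliciousdomain.com", "www.example.co.uk",
                       "maliciousdomain.com", "co.uk", "10.1.2.3" }) do
    print(h, rootHost(h))
  end
end
```

A suffix missing from the table shortens the result to the next listed suffix plus one label, so the quality of 'root.host' depends directly on how complete the table is.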

 

Since this is just performing a meta callback, it can work on both packet and log decoders.  Just remember that on log decoders, you would need to add the nwll.lua file.  You can download it from Live and deploy it manually.

 

Happy hunting.

 

Chris
