I had a customer who was trying to investigate IP source and destination addresses but was having to manually do reverse DNS lookups on each IP address to find out the corresponding hostname.
This was a similar situation to my post:
User Agent to Device/OS/Application
This script is only provided as a proof of concept so I would strongly recommend testing it first in a test environment. Please be aware that it will perform a large number of reverse DNS lookups.
The following script creates a feed of reverse DNS names, producing output such as the following:
92.123.72.104,a92-123-72-104.deploy.akamaitechnologies.com
92.123.72.105,a92-123-72-105.deploy.akamaitechnologies.com
104.67.51.113,a104-67-51-113.deploy.static.akamaitechnologies.com
172.217.0.35,lga15s43-in-f3.1e100.net
188.121.36.237,n1plpkivs-v01.any.prod.ams1.secureserver.net
23.55.149.163,a23-55-149-163.deploy.static.akamaitechnologies.com
23.205.169.35,a23-205-169-35.deploy.static.akamaitechnologies.com
23.223.98.155,a23-223-98-155.deploy.static.akamaitechnologies.com
50.62.56.98,ip-50-62-56-98.ip.secureserver.net
50.62.133.237,ip-50-62-133-237.ip.secureserver.net
54.187.229.30,ec2-54-187-229-30.us-west-2.compute.amazonaws.com
54.240.190.91,server-54-240-190-91.jfk6.r.cloudfront.net
74.125.29.93,qg-in-f93.1e100.net
87.248.214.110,https-87-248-214-110.lon.llnw.net
92.123.72.89,a92-123-72-89.deploy.akamaitechnologies.com
92.123.72.97,a92-123-72-97.deploy.akamaitechnologies.com
92.123.72.103,a92-123-72-103.deploy.akamaitechnologies.com
92.123.72.111,a92-123-72-111.deploy.akamaitechnologies.com
104.69.248.249,a104-69-248-249.deploy.static.akamaitechnologies.com
104.86.110.50,a104-86-110-50.deploy.static.akamaitechnologies.com
108.60.199.109,jamie.cloud.virtualmin.com
172.217.3.14,lga15s42-in-f14.1e100.net
184.169.140.194,ec2-184-169-140-194.us-west-1.compute.amazonaws.com
198.148.79.57,labs.snort.org
202.118.1.64,ftp2.neu.edu.cn
204.79.197.200,a-0001.a-msedge.net
212.58.244.27,bbc-vip146.telhc.bbc.co.uk
212.58.244.67,bbc-vip112.telhc.bbc.co.uk
216.58.219.227,lga25s41-in-f3.1e100.net,lga25s41-in-f227.1e100.net
Where an IP address resolves to multiple names, the names are separated by commas; for example, on the last line the IP address 216.58.219.227 maps to both lga25s41-in-f3.1e100.net and lga25s41-in-f227.1e100.net. Anything that consumes the feed therefore has to treat everything after the first comma as the name list rather than assume a fixed two-column CSV.
The script is designed to be placed on a CentOS 6 web server, where it writes the feed to /var/www/html/RDNS-src.csv, and to be run as a cron job.
It looks up all source IP addresses (the ip.src meta key) but can be modified to look up destination addresses (ip.dst) instead. Replace the Broker address and credentials with your own; note that credentials passed to curl with --user are visible to other users on the host through the process list while the script runs.
#!/bin/bash
# Copy the existing feed to a backup location. The feed is cumulative (only
# IP addresses not seen before are appended), so copy rather than move it.
cp -f /var/www/html/RDNS-src.csv /var/www/html/RDNS-src.csv.bak 2>/dev/null
# We keep all IP addresses that we have processed in /tmp/ipprocessed.txt
touch /tmp/ipprocessed.txt
# First get a list of ip.src values from our Broker. The grep -v chain drops the
# non-IP values that ip.src can contain.
curl -s --user 'admin:netwitness' 'http://192.168.123.249:50103/sdk?msg=values&fieldName=ip.src&size=20000' |grep field |cut -f 2 -d ">" |cut -d "<" -f1 |grep -v rsyslogd | grep -v pts |grep -v ignored |grep -v '()' >/tmp/RDNS-src.txt
while read -r p; do
  # -x -F: match the whole line literally. A plain grep "$p" is a regex
  # substring match, so 92.123.72.10 would also match 92.123.72.104.
  if ! grep -qxF -- "$p" /tmp/ipprocessed.txt; then
    #echo "IP SRC "$p" not previously seen so process it"
    echo "$p" >>/tmp/ipprocessed.txt
    # Keep only the PTR names, strip the trailing dot and join multiple names
    # with commas. -W 3 caps each lookup at three seconds.
    OUTPUT=$(host -W 3 "$p" |grep -v "not found" |grep "domain name pointer" |cut -d" " -f 5 |sed 's/\.$//' |paste -sd ',' -)
    if [ "$OUTPUT" != "" ]; then
      echo "$p,$OUTPUT" >>/var/www/html/RDNS-src.csv
    fi
  #else
  # echo "IP already in processed"
  fi
done </tmp/RDNS-src.txt
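The two parts of the script that are easiest to get wrong are the "already processed" check and the handling of an IP that returns several PTR records, described above for 216.58.219.227. The following is an added example, not code from the original post: the same pipeline steps factored into functions and run against constructed input, so it needs neither a Broker nor DNS. The Broker sample only reproduces what the script's pipeline relies on (a `field` tag wrapping the value); the tag layout and the resolver output lines are made up for the demonstration.

```bash
#!/bin/bash
# Added example: the feed script's parsing and dedup steps as functions,
# exercised on constructed input (no Broker, no DNS).

# Extract values from the Broker values output. Same pipeline as the script:
# lines containing "field", text between ">" and "<". The grep -E keeps only
# dotted quads, which covers the rsyslogd/pts/ignored/() exclusions in one go.
extract_ips() {
    grep field | cut -d '>' -f 2 | cut -d '<' -f 1 \
        | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u
}

# Turn "host <ip>" output into one comma-separated list of names with the
# trailing dot removed. Several PTR records become several names on one line;
# "not found" output yields an empty string.
join_ptrs() {
    grep 'domain name pointer' | awk '{print $5}' | sed 's/\.$//' | paste -sd ',' -
}

# Exact-match test against the processed-IP file. grep "$ip" alone is a regex
# substring match: "." matches any character and 92.123.72.10 also matches
# 92.123.72.104, so that IP would silently never be resolved.
is_processed() {
    local ip=$1 file=$2
    grep -qxF -- "$ip" "$file"
}

# Emit one feed line "ip,name[,name...]" from host output on stdin, or nothing
# when the IP has no PTR record. Always returns 0 so it is safe under set -e.
feed_line() {
    local ip=$1 names
    names=$(join_ptrs)
    if [ -n "$names" ]; then
        printf '%s,%s\n' "$ip" "$names"
    fi
}

# Constructed sample input (tag layout is made up; not a captured Broker
# response or resolver transcript).
BROKER_SAMPLE='<field>92.123.72.104</field>
<field>216.58.219.227</field>
<field>rsyslogd</field>
<field>92.123.72.104</field>'

HOST_MULTI='227.219.58.216.in-addr.arpa domain name pointer lga25s41-in-f3.1e100.net.
227.219.58.216.in-addr.arpa domain name pointer lga25s41-in-f227.1e100.net.'

HOST_NXDOMAIN='Host 1.0.0.10.in-addr.arpa. not found: 3(NXDOMAIN)'

# Demo on the constructed input.
printf '%s\n' "$BROKER_SAMPLE" | extract_ips
printf '%s\n' "$HOST_MULTI" | feed_line 216.58.219.227
printf '%s\n' "$HOST_NXDOMAIN" | feed_line 10.0.0.1
```

The `is_processed` function is the one to lift into the real script: with `grep -qxF` the processed file is matched as whole, literal lines, and a prefix such as 92.123.72.10 no longer hides 92.123.72.104 from the lookup loop.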