2018-11-01 07:21 AM
Hi, I check every hour if the whois service is returning a response for google.com.
Sometime between 04:14 and 05:14 UTC on 1st November 2018, the service no longer seems to be working.
I can request an auth token, but don't get any response:
./cloud-whois-bank.sh google.com
Authenticate:
curl -sk -H "Content-Type: application/json" -X POST -d "{"X-Auth-Username":"BLAH","X-Auth-Password":"BLAH"}" "https://cms.netwitness.com/authlive/authenticate/WHOIS" -D /tmp/resp_headers.yQzaET -o /dev/null
Query: /usr/bin/curl -sk -H "Content-Type: application/json" -H "X-Auth-Token: eyJpc3MiOiJMSVZFX0FVVEhFTlRJQ0FUSU9OIiwic3ViIjoiV0hPSVMiLCJhdWQiOnsiTGl2ZS1Vc2VybmFtZSI6ImJhbmtvZmVuZ2xhbmRsaXZlQGJhbmtvZmVuZ2xhbmQuY28udWsifSwiZXhwIjoxNTQxMDc0MDg3MTA3LCJhbGciOiJIbWFjU0hBMjU2In0=.IfBp2rdB4oMJOCyxo42E8925g0iI+KC3jfvW12hxd/k=" "https://cms.netwitness.com/whois/query/google.com" | tr -d '\r' | python -m json.tool
No JSON object could be decoded
[328779@HO-SA-ESA ~]$ ./cloud-whois-bank.sh google.com
/usr/bin/curl -sk -H "Content-Type: application/json" -H "X-Auth-Token: eyJpc3MiOiJMSVZFX0FVVEhFTlRJQ0FUSU9OIiwic3ViIjoiV0hPSVMiLCJhdWQiOnsiTGl2ZS1Vc2VybmFtZSI6ImJhbmtvZmVuZ2xhbmRsaXZlQGJhbmtvZmVuZ2xhbmQuY28udWsifSwiZXhwIjoxNTQxMDc0MDg3MTA3LCJhbGciOiJIbWFjU0hBMjU2In0=.IfBp2rdB4oMJOCyxo42E8925g0iI+KC3jfvW12hxd/k=" "https://cms.netwitness.com/whois/query/google.com"
Can anyone confirm if the whois service is actually working for them?
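An hourly probe of the kind described in the post above, as an added example that is not part of the original thread and is not RSA's code. It tells the failure modes apart (no response, token rejected, empty or non-JSON body) and bounds every request with a timeout so a dead service cannot stall the caller. The state names, the 10-second timeout and the alert threshold are assumptions, and the token is assumed to have been obtained already from the authenticate call shown in the post.

```python
import http.client
import json
import urllib.error
import urllib.request

# Query endpoint as shown in the post; the token is assumed to come from the
# authenticate call shown there. State names below are hypothetical.
QUERY_URL = "https://cms.netwitness.com/whois/query/{domain}"


def classify(status, body):
    """Map one probe result (HTTP status or None, body text) to a state."""
    if status is None:
        return "DOWN_NO_RESPONSE"  # timeout, DNS or TLS failure
    if status in (401, 403):
        return "AUTH_REJECTED"  # token expired or refused
    if status != 200:
        return "DOWN_HTTP_%d" % status
    if not body.strip():
        return "DOWN_EMPTY_BODY"  # token accepted, but nothing came back
    try:
        json.loads(body)
    except ValueError:
        return "DOWN_NOT_JSON"
    return "UP"


def probe(domain, token, timeout=10.0):
    """Query once; the timeout bounds how long a dead service can stall us."""
    req = urllib.request.Request(
        QUERY_URL.format(domain=domain),
        headers={"Content-Type": "application/json", "X-Auth-Token": token},
    )
    try:
        # TLS verification stays on, unlike the curl -k in the post.
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as exc:
        return classify(exc.code, "")
    except (urllib.error.URLError, http.client.HTTPException, OSError):
        return classify(None, "")


def should_alert(states, threshold=2):
    """True once the last `threshold` probes were all something other than UP."""
    recent = states[-threshold:]
    return len(recent) == threshold and all(s != "UP" for s in recent)
```

Run from cron, append each `probe()` result to a small state file and page someone when `should_alert()` turns true.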
2018-11-02 04:06 AM
It still seems down.....
2018-11-02 08:25 AM
We have had issues with the WHOIS service being up and down since early October and submitted a ticket Oct 11th about the same issue. No resolution really ever came out of it for the issue.
Service always seemed to be up more than down, this one seems prolonged.
2018-11-02 09:32 AM
Agreed. I opened a ticket previously and was told that this would be monitored.
This was the response I got in ticket 01181735 on 14th June 2018
"The Whois service experienced issues during that time frame. Due to malfunction of the monitoring system, the issue has not been identified immediately. The SaaS team addressed the issue with Whois service, and then made sure the monitoring system monitors the service properly."
These things happen, but being down for over 24 hours without anyone doing anything is a little troubling. It is also a design flaw that I have previously highlighted, that if the WhoIS service is down the ESA should not get increasingly behind in sessions until it eventually stops.
Anyone from RSA care to comment?
2018-11-02 11:41 AM
Just had the first confirmation from RSA Support that the WhoIs service is down.
2018-11-02 12:00 PM
It's back!!!
2018-11-05 04:38 AM
I feel sorry for you that you have been trying to get answers. I've noticed that every time you've faced issues with the Whois service and asked for feedback, it becomes clear that this is not monitored by RSA and that the phone is dead on the other end.
I would understand RSA's argument that this is a free service but if it's not reliable then it can only be used in a lab.
To PMs: In security, there is a big difference when it comes to software, you cannot use untested/unreliable/not-monitored/toy software for conducting security operations. Scoring high on Gartner is not enough to sell if customers can't trust the software and the people supporting it.
2018-11-05 04:43 AM
It is not only the fact that it is not sufficiently monitored that is disappointing, it is the fact that when it is down, the ESA seems to wait until it gets a response. This causes a backlog of sessions and the ESA quickly gets behind by many millions of sessions. This then takes many hours for it to catch back up.
The ESA is a critical part of the solution as it generated alerts on suspicious activity.
I want to know that I can rely on the ATD service. How long is it acceptable for it to be down? 1 hour, 2 hours? 24 hours?
2018-11-05 05:01 AM
The fact that ESA is stopping when Whois goes down is a bug. If RSA don't want to admit and fix this and as a workaround suggest you stop using the Whois service then they are worthy of their fate.
Monitoring a free service that an expensive paid service is depending on (not to mention that it is crucial for security operations) should be a given, without having to cry for help on a forum or raise an RFE or other silly things like that.
2018-11-19 04:29 AM
It's down again. Last successful check was 04:13 on Saturday 17th November UTC.