This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Is the ESA Advanced Threat Detection Who IS Service Down?

david_waugh
Beginner
Beginner

‎2018-11-01 07:21 AM

Hi I check every hour if the whois service is returning a response for google.com

 

Sometime between 04:14 and 005:14 UTC on 1st November 2018, the service no longer seems to be working.

 

I can request an auth token, but dont get any response:

 

./cloud-whois-bank.sh google.com
Authenticate:
curl -sk -H "Content-Type: application/json" -X POST -d "{"X-Auth-Username":"BLAH","X-Auth-Password":"BLAH"}" "https://cms.netwitness.com/authlive/authenticate/WHOIS" -D /tmp/resp_headers.yQzaET -o /dev/null
Query: /usr/bin/curl -sk -H "Content-Type: application/json" -H "X-Auth-Token: eyJpc3MiOiJMSVZFX0FVVEhFTlRJQ0FUSU9OIiwic3ViIjoiV0hPSVMiLCJhdWQiOnsiTGl2ZS1Vc2VybmFtZSI6ImJhbmtvZmVuZ2xhbmRsaXZlQGJhbmtvZmVuZ2xhbmQuY28udWsifSwiZXhwIjoxNTQxMDc0MDg3MTA3LCJhbGciOiJIbWFjU0hBMjU2In0=.IfBp2rdB4oMJOCyxo42E8925g0iI+KC3jfvW12hxd/k=" "https://cms.netwitness.com/whois/query/google.com" | tr -d '\r' | python -m json.tool
No JSON object could be decoded
[328779@HO-SA-ESA ~]$ ./cloud-whois-bank.sh google.com/usr/bin/curl -sk -H "Content-Type: application/json" -H "X-Auth-Token: eyJpc3MiOiJMSVZFX0FVVEhFTlRJQ0FUSU9OIiwic3ViIjoiV0hPSVMiLCJhdWQiOnsiTGl2ZS1Vc2VybmFtZSI6ImJhbmtvZmVuZ2xhbmRsaXZlQGJhbmtvZmVuZ2xhbmQuY28udWsifSwiZXhwIjoxNTQxMDc0MDg3MTA3LCJhbGciOiJIbWFjU0hBMjU2In0=.IfBp2rdB4oMJOCyxo42E8925g0iI+KC3jfvW12hxd/k=" "https://cms.netwitness.com/whois/query/google.com"

 

Can anyone confirm if the whois service is actually working for them?

0 Likes
15 REPLIES 15

david_waugh
Beginner
Beginner

‎2018-11-02 04:06 AM

It still seems down.....

0 Likes

EdwardDarnell
Beginner
Beginner

‎2018-11-02 08:25 AM

We have had issues with the WHOIS service being up and down since early October and submitted a ticket Oct 11th about same issue. No resolution really ever came out of it for the issue. 

 

Service always seemed to be up more than down, this one seems prolonged.

david_waugh
Beginner
Beginner
In response to EdwardDarnell

‎2018-11-02 09:32 AM

Agreed. I opened a ticket previously and was told that this would be monitored.

 

This was the response I got in ticket 01181735 on 14th June 2018

 

"The Whois service experienced issues during that time frame. Due to malfunction of the monitoring system, the issue has not been identified immediately. The SaaS team addressed the issue with Whois service, and then made sure the monitoring system monitors the service properly."

 

These things happen, but being down for over 24 hours without anyone doing anything is a little troubling. It is also a design flaw that I have previously highlighted, that if the WhoIS service is down the ESA should not get increasingly behind in sessions until it eventually stops.

 

Anyone from RSA care to comment?

david_waugh
Beginner
Beginner

‎2018-11-02 11:41 AM

Just had the first confirmation from RSA Support that the WhoIs service is down.

0 Likes

david_waugh
Beginner
Beginner

‎2018-11-02 12:00 PM

Its back!!!

someone
Contributor
Contributor

‎2018-11-05 04:38 AM

I feel sorry for you that you have been trying to get answers. I've noticed , every time you've faced issues with the Whois service and asking for feedback, then it becomes clear that this is not monitored by RSA and that the phone is dead on the other end.

 

I would understand RSA's argument that this is a free service but if it's not reliable then it can only be used in a lab.

 

To PMs: In security, there is a big difference when it comes to software, you cannot use untested/unreliable/not-monitored/toy software for conducting security operations. Scoring high on Gartner is not enough to sell if customers can't trust the software and the people supporting it.

david_waugh
Beginner
Beginner
In response to someone

‎2018-11-05 04:43 AM

Not only is the fact that it is not sufficiently monitored that is disappointing, it is the fact that when it is down, the ESA seems to wait until it gets a response. This causes a backlog of sessions and the ESA  quickly get behind by many millions of sessions. This then takes many hours for it to catch back up.

 

The ESA is a critical part of the solution as it generated alerts on suspicious activity.

 

I want to know that I can rely on the ATD service. How long is it acceptable for it to be down? 1 hour, 2 hours? 24 hours?

someone
Contributor
Contributor
In response to david_waugh

‎2018-11-05 05:01 AM

The fact that ESA is stopping when Whois goes down is a bug. If RSA don't want to admit and fix this and as a workaround suggest you to stop using the Whois service then they are worthy or their fate.

 

Monitoring a free service that an expensive paid service is depending on(not to mention that is crucial for security operations), should be a given and not having to cry for help on a forum or raise a RFE or other silly things like that.

david_waugh
Beginner
Beginner

‎2018-11-19 04:29 AM

Its down again. Last successful check was 04:13 on Saturday 17th November UTC

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.