2018-06-07 03:49 AM
Hello
The normal test alert that fires every morning did not happen today, and looking at the ESA log I am seeing:
2018-06-06 07:20:55,309 [Carlos@3884f95a-85(onRequest(GetAlertsRequest))(328779)] INFO com.rsa.netwitness.core.api.alert.MongoAlertManager - 1 rows returned by query [Query: { "$and" : [ { "time" : { "$gte" : { "$date" : "2018-06-05T07:21:00.000Z"} , "$lte" : { "$date" : "2018-06-06T07:20:59.999Z"}}} , { "module_id" : "56fe8fe8f144d3ab2660e689"} , { "severity" : { "$in" : [ 3]}}]}, Fields: null, Sort: { "time" : -1}]
2018-06-06 07:20:57,262 [Carlos@5ed098d8-80(onRequest(GetAlertRequest))(328779)] INFO com.rsa.netwitness.core.api.alert.MongoAlertManager - 1 rows returned by query [{ "_id" : "924b3b65-4414-4d53-831c-47cb7f79d4ac"}]
2018-06-06 07:21:26,790 [pool-6-thread-4] INFO com.rsa.netwitness.common.whois.WhoisClient - whois request failed for domain "zuko.io" with status 504: <html><head><title>504 Gateway Time-out</title></head><body bgcolor="white"><center><h1>504 Gateway Time-out</h1></center><hr><center>nginx</center></body></html>
After I disabled the C&C model, aggregation on the ESA started again.
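Added example (not code from the thread or from RSA): a small scanner that picks the WhoisClient failures out of an ESA log and says whether they look like a single upstream outage, which is the thing to check before disabling the C&C model. The line layout is taken from the lines quoted above; the sample log, the "lookup succeeded" line and the three-failure threshold are constructed assumptions for the example.

```python
"""Scan an RSA NetWitness ESA log for WhoisClient failures.

Added example, not from the thread or from RSA. The log line layout is
taken from the lines quoted in the thread; SAMPLE_LOG below is constructed
for the example and is not real ESA output.
"""
import re
from collections import Counter
from datetime import datetime

# One ESA log line: "<timestamp> [<thread>] <LEVEL> <logger> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)
# WhoisClient failure message, in the form quoted in the thread.
WHOIS_FAIL_RE = re.compile(
    r'whois request failed for domain "(?P<domain>[^"]+)" with status (?P<status>\d+)'
)


def parse_line(line):
    """Split one ESA log line into its fields; None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S,%f")
    return rec


def whois_failures(lines):
    """Return (timestamp, domain, http_status) for every failed whois lookup."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["logger"].endswith("WhoisClient"):
            continue
        m = WHOIS_FAIL_RE.search(rec["msg"])
        if m:
            out.append((rec["ts"], m.group("domain"), int(m.group("status"))))
    return out


def summarize(failures, min_failures=3):
    """Summarise failures by status and flag a probable upstream outage.

    Heuristic (an assumption of this example, not an RSA rule): when every
    failure carries the same 5xx status and there are at least min_failures
    of them, the whois service itself is the likely cause rather than the
    individual domains being looked up.
    """
    by_status = Counter(status for _, _, status in failures)
    domains = sorted({d for _, d, _ in failures})
    upstream_down = (
        len(failures) >= min_failures
        and len(by_status) == 1
        and next(iter(by_status)) >= 500
    )
    return {"count": len(failures), "by_status": dict(by_status),
            "domains": domains, "upstream_down": upstream_down}


# Constructed sample log modelled on the thread's lines (bodies shortened).
SAMPLE_LOG = """\
2018-06-06 07:20:55,309 [Carlos@3884f95a-85(onRequest(GetAlertsRequest))(328779)] INFO com.rsa.netwitness.core.api.alert.MongoAlertManager - 1 rows returned by query [...]
2018-06-06 07:21:26,790 [pool-6-thread-4] INFO com.rsa.netwitness.common.whois.WhoisClient - whois request failed for domain "zuko.io" with status 504: <html><head><title>504 Gateway Time-out</title></head></html>
2018-06-06 07:21:31,004 [pool-6-thread-2] INFO com.rsa.netwitness.common.whois.WhoisClient - whois request failed for domain "example.net" with status 504: <html><head><title>504 Gateway Time-out</title></head></html>
2018-06-06 07:21:35,118 [pool-6-thread-1] INFO com.rsa.netwitness.common.whois.WhoisClient - whois request failed for domain "google.com" with status 504: <html><head><title>504 Gateway Time-out</title></head></html>
2018-06-06 07:21:40,200 [pool-6-thread-3] INFO com.rsa.netwitness.common.whois.WhoisClient - whois lookup succeeded for domain "example.org"
"""

if __name__ == "__main__":
    print(summarize(whois_failures(SAMPLE_LOG.splitlines())))
```

Run it against a real file with `whois_failures(open("esa.log"))`; a run of identical 504s from the nginx front end, as in the quoted line, points at the service or the path to it rather than at the domains being queried.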
2018-06-07 04:15 AM
It looks like the whois server is not returning any JSON back.
2018-06-08 02:52 AM
Hi, I still think this is down. Can anyone confirm that it is working for them?
2018-06-08 10:25 AM
Hi, this is still broken. Even google.com returns no data.
2018-06-11 03:16 AM
And finally it is back up this morning...
Any communication regarding what happened or why RSA is not monitoring this?
{
  "createdDate": "15-sep-1997",
  "dataError": null,
  "domainName": "google.com",
  "estimatedDomainAge": 7574,
  "expiresDate": "14-sep-2020",
  "isCached": true,
  "registrant": {
    "registrantCity": "Mountain View",
    "registrantCountry": "UNITED STATES",
    "registrantEmail": "dns-admin@google.com",
    "registrantName": "Dns Admin",
    "registrantOrganization": "Google Inc.",
    "registrantPostalCode": "94043",
    "registrantState": "CA",
    "registrantStreet1": "Please contact contact-admin@google.com, 1600 Amphitheatre Parkway",
    "registrantTelephone": "16502530000"
  },
  "registrarName": "MARKMONITOR INC.",
  "registryData": {
    "createdDate": "15-sep-1997",
    "expiresDate": "14-sep-2020",
    "registrarName": "MARKMONITOR INC.",
    "updatedDate": "20-jul-2011"
  },
  "source": "MONGO",
  "updatedDate": "20-jul-2011"
}
2018-08-10 09:53 AM
I think there is a problem with the WhoIS service.
I'm unable to get an authentication token back from it.
2018-08-10 01:51 PM
I'm able to get a token back. Are you still seeing this issue?
2018-08-12 05:03 AM
Thanks Joshua.
No, I'm not getting a token returned. I have tried at home, where there is a direct internet connection without going through a proxy.
C:\Users\dell\Downloads\curl_761_0_ssl>curl -sk -H "Content-Type: application/json" -X POST -d "{"X-Auth-Username":"REDACTED","X-Auth-Password":"REDACTED"}" "https://cms.netwitness.com/authlive/authenticate/WHOIS" -D cookie.txt
{"tokenType":"WHOIS"}
C:\Users\dell\Downloads\curl_761_0_ssl>more cookie.txt
HTTP/1.1 200
Server: nginx
Date: Sun, 12 Aug 2018 08:53:17 GMT
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
X-Application-Context: cloud-authentication-service:8085
I can use the same account credentials to login to https://cms.netwitness.com
I've opened case 01216816 with support.
2018-08-12 06:07 AM
I used a slightly different command and it worked without a proxy:
C:\Users\dell\Downloads\curl_761_0_ssl>curl -k -d @auth.json -H "Content-Type: application/json" -X POST "https://cms.netwitness.com/authlive/authenticate/WHOIS" -D cookie.txt -vvv
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying 52.224.176.196...
* TCP_NODELAY set
* Connected to cms.netwitness.com (52.224.176.196) port 443 (#0)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* TLSv1.2 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES128-GCM-SHA256
* Server certificate:
* subject: OU=Domain Control Validated; CN=cms.netwitness.com
* start date: Mar 16 20:26:00 2018 GMT
* expire date: Mar 16 20:26:00 2019 GMT
* issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http://certs.godaddy.com/repository/; CN=Go Daddy Secure Certificate Authority - G2
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> POST /authlive/authenticate/WHOIS HTTP/1.1
> Host: cms.netwitness.com
> User-Agent: curl/7.61.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 94
>
* upload completely sent off: 94 out of 94 bytes
< HTTP/1.1 200
< Server: nginx
< Date: Sun, 12 Aug 2018 09:55:51 GMT
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Frame-Options: DENY
< X-Auth-Token: eyREDACTEDDeMtY=
< X-Application-Context: cloud-authentication-service:8085
<
{"tokenType":"WHOIS"}* Connection #0 to host cms.netwitness.com left intact
C:\Users\dell\Downloads\curl_761_0_ssl>
I put the authentication information in a JSON file called auth.json with the following contents
{"X-Auth-Username":"REDACTED","X-Auth-Password":"REDACTED"}
I'm going to try again tomorrow through our proxy and see what happens...
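Added example (mine, not code from the thread or from RSA) for the exchange shown in the two posts above: the token is not in the JSON body, which is only {"tokenType":"WHOIS"} either way, but in the X-Auth-Token response header, so the thing to check in cookie.txt is that header. The code also writes the credential body with json.dumps, which is what -d @auth.json achieves; an inline JSON literal on the Windows command line is a likely reason the first attempt came back 200 with no token. The two header dumps are constructed from the redacted output above and the token value is a placeholder.

```python
"""Check a cms.netwitness.com WHOIS authentication exchange from curl output.

Added example, not code from the thread or from RSA. It assumes the exchange
shown in the thread: a POST of {"X-Auth-Username": ..., "X-Auth-Password": ...}
to /authlive/authenticate/WHOIS, answered with HTTP 200, a body of only
{"tokenType":"WHOIS"}, and the token (when issued) in the X-Auth-Token header.
"""
import json


def auth_body(username, password):
    """Serialise the credentials the way auth.json in the thread does.

    Writing this to a file and passing `-d @auth.json` avoids quoting an
    inline JSON literal on the Windows command line.
    """
    return json.dumps({"X-Auth-Username": username, "X-Auth-Password": password})


def parse_header_dump(dump):
    """Parse a `curl -D` header dump into (status_code, headers).

    The status line in the thread carries no reason phrase ("HTTP/1.1 200"),
    so only the second token is read. Header names are lower-cased; if curl
    followed redirects the dump holds several blocks and the last one wins.
    """
    status, headers = None, {}
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("HTTP/"):
            status, headers = int(line.split()[1]), {}  # start of a response block
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def classify_auth_response(dump):
    """Return ("ok", token), ("no_token", None) or ("http_<code>", None).

    A 200 with no X-Auth-Token is what the inline-JSON attempt in the thread
    produced: the service answered, but issued no token.
    """
    status, headers = parse_header_dump(dump)
    if status != 200:
        return ("http_%s" % status, None)
    token = headers.get("x-auth-token")
    if not token:
        return ("no_token", None)
    return ("ok", token)


# Constructed from the thread's first (token-less) cookie.txt.
DUMP_NO_TOKEN = """\
HTTP/1.1 200
Server: nginx
Date: Sun, 12 Aug 2018 08:53:17 GMT
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Application-Context: cloud-authentication-service:8085
"""

# Constructed from the thread's second dump; the token value is a placeholder.
DUMP_WITH_TOKEN = DUMP_NO_TOKEN + "X-Auth-Token: eyREDACTEDDeMtY=\n"

if __name__ == "__main__":
    print(auth_body("user", "pass"))
    print(classify_auth_response(DUMP_NO_TOKEN))    # ('no_token', None)
    print(classify_auth_response(DUMP_WITH_TOKEN))  # ('ok', 'eyREDACTEDDeMtY=')
```

To use it on a real run, write `auth_body(...)` to auth.json, run the curl command from the post above, and pass the contents of cookie.txt to `classify_auth_response`; "no_token" with a 200 means the request reached the service but was not accepted as a login, which is a different problem from a proxy or TLS failure.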
2018-08-13 03:47 AM
Hi, it looks like it is a proxy problem on our side. The cms.netwitness.com website recently moved and I think the certificate on the website changed. It is now signed by:
* Server certificate:
* subject: OU=Domain Control Validated; CN=cms.netwitness.com
* start date: Mar 16 20:26:00 2018 GMT
* expire date: Mar 16 20:26:00 2019 GMT
* issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http://certs.godaddy.com/repository/; CN=Go Daddy Secure Certificate Authority - G2
I don't think our proxies had this CA certificate.