2018-06-07 03:49 AM
Hello
The normal test alert that fires every morning did not happen today, and looking at the ESA log I am seeing
2018-06-06 07:20:55,309 [Carlos@3884f95a-85(onRequest(GetAlertsRequest))(328779)] INFO com.rsa.netwitness.core.api.alert.MongoAlertManager - 1 rows returned by query [Query: { "$and" : [ { "time" : { "$gte" : { "$date" : "2018-06-05T07:21:00.000Z"} , "$lte" : { "$date" : "2018-06-06T07:20:59.999Z"}}} , { "module_id" : "56fe8fe8f144d3ab2660e689"} , { "severity" : { "$in" : [ 3]}}]}, Fields: null, Sort: { "time" : -1}]
2018-06-06 07:20:57,262 [Carlos@5ed098d8-80(onRequest(GetAlertRequest))(328779)] INFO com.rsa.netwitness.core.api.alert.MongoAlertManager - 1 rows returned by query [{ "_id" : "924b3b65-4414-4d53-831c-47cb7f79d4ac"}]
2018-06-06 07:21:26,790 [pool-6-thread-4] INFO com.rsa.netwitness.common.whois.WhoisClient - whois request failed for domain "zuko.io" with status 504: <html><head><title>504 Gateway Time-out</title></head><body bgcolor="white"><center><h1>504 Gateway Time-out</h1></center><hr><center>nginx</center></body></html>
After I disabled the C&C model, aggregation on the ESA started again.
2018-08-28 04:43 PM
Hi, are there problems with the WhoIS service?
My ESA stopped aggregating again.
Testing without going through a proxy shows no response using the cloud-whois.sh script.
$ ./cloud-whois-v2.sh google.com
Using existing X-Auth-Token from ~/.cloud-whois.
Query: /usr/bin/curl -sk -H "Content-Type: application/json" -H "x-auth-token: eyJpc3MiOiJMSVZFX0FVVEhFTlRJQ0FUSU9OIiwic3ViIjoiV0hPSVMiLCJhdWQiOnsiTGl2ZS1Vc2VybmFtZSI6ImJhbmtvZmVuZ2xhbmRsaXZlQGJhbmtvZmVuZ2xhbmQuY28udWsifSwiZXhwIjoxNTM1NDkxODkyMTcyLCJhbGciOiJIbWFjU0hBMjU2In0=.mrvRvmYquDuKZzIo4vKMY1knKrLYVJ0vIEvKqSEGRWs=" "https://cms.netwitness.com/whois/query/google.com" | tr -d '\r' | python -m json.tool
* STATE: INIT => CONNECT handle 0x800485e0; line 1404 (connection #-5000)
* Added connection 0. The cache now contains 1 members
* STATE: CONNECT => WAITRESOLVE handle 0x800485e0; line 1440 (connection #0)
* Trying 52.224.176.196...
* TCP_NODELAY set
* STATE: WAITRESOLVE => WAITCONNECT handle 0x800485e0; line 1521 (connection #0)
* Connected to cms.netwitness.com (52.224.176.196) port 443 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x800485e0; line 1573 (connection #0)
* Marked for [keep alive]: HTTP default
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* ignoring certificate verify locations due to disabled peer verification
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x800485e0; line 1587 (connection #0)
{ [5 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [100 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [5041 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [589 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: OU=Domain Control Validated; CN=cms.netwitness.com
* start date: Mar 16 20:26:00 2018 GMT
* expire date: Mar 16 20:26:00 2019 GMT
* issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http://certs.godaddy.com/repository/; CN=Go Daddy Secure Certificate Authority - G2
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* STATE: PROTOCONNECT => DO handle 0x800485e0; line 1608 (connection #0)
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x800485e0)
} [5 bytes data]
> GET /whois/query/google.com HTTP/2
> Host: cms.netwitness.com
> User-Agent: curl/7.56.1
> Accept: */*
> Content-Type: application/json
> x-auth-token: eyJpc3MiOiJMSVZFX0FVVEhFTlRJQ0FUSU9OIiwic3ViIjoiV0hPSVMiLCJhdWQiOnsiTGl2ZS1Vc2VybmFtZSI6ImJhbmtvZmVuZ2xhbmRsaXZlQGJhbmtvZmVuZ2xhbmQuY28udWsifSwiZXhwIjoxNTM1NDkxODkyMTcyLCJhbGciOiJIbWFjU0hBMjU2In0=.mrvRvmYquDuKZzIo4vKMY1knKrLYVJ0vIEvKqSEGRWs=
>
* STATE: DO => DO_DONE handle 0x800485e0; line 1670 (connection #0)
* multi changed, check CONNECT_PEND queue!
* STATE: DO_DONE => WAITPERFORM handle 0x800485e0; line 1795 (connection #0)
* STATE: WAITPERFORM => PERFORM handle 0x800485e0; line 1811 (connection #0)
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 200)!
} [5 bytes data]
* multi changed, check CONNECT_PEND queue!
{ [5 bytes data]
And at this point the connection times out...
In fact, I get a service unavailable message.
$ /usr/bin/curl -sk -H "Content-Type: application/json" -H "x-auth-token: eyJpc3MiOiJMSVZFX0FVVEhFTlRJQ0FUSU9OIiwic3ViIjoiV0hPSVMiLCJhdWQiOnsiTGl2ZS1Vc2VybmFtZSI6ImJhbmtvZmVuZ2xhbmRsaXZlQGJhbmtvZmVuZ2xhbmQuY28udWsifSwiZXhwIjoxNTM1NDkxODkyMTcyLCJhbGciOiJIbWFjU0hBMjU2In0=.mrvRvmYquDuKZzIo4vKMY1knKrLYVJ0vIEvKqSEGRWs=" "https://cms.netwitness.com/whois/query/google.com" -vvv
* STATE: INIT => CONNECT handle 0x800485e0; line 1404 (connection #-5000)
* Added connection 0. The cache now contains 1 members
* STATE: CONNECT => WAITRESOLVE handle 0x800485e0; line 1440 (connection #0)
* Trying 52.224.176.196...
* TCP_NODELAY set
* STATE: WAITRESOLVE => WAITCONNECT handle 0x800485e0; line 1521 (connection #0)
* Connected to cms.netwitness.com (52.224.176.196) port 443 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x800485e0; line 1573 (connection #0)
* Marked for [keep alive]: HTTP default
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* ignoring certificate verify locations due to disabled peer verification
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x800485e0; line 1587 (connection #0)
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: OU=Domain Control Validated; CN=cms.netwitness.com
* start date: Mar 16 20:26:00 2018 GMT
* expire date: Mar 16 20:26:00 2019 GMT
* issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http://certs.godaddy.com/repository/; CN=Go Daddy Secure Certificate Authority - G2
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* STATE: PROTOCONNECT => DO handle 0x800485e0; line 1608 (connection #0)
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x800485e0)
> GET /whois/query/google.com HTTP/2
> Host: cms.netwitness.com
> User-Agent: curl/7.56.1
> Accept: */*
> Content-Type: application/json
> x-auth-token: eyJpc3MiOiJMSVZFX0FVVEhFTlRJQ0FUSU9OIiwic3ViIjoiV0hPSVMiLCJhdWQiOnsiTGl2ZS1Vc2VybmFtZSI6ImJhbmtvZmVuZ2xhbmRsaXZlQGJhbmtvZmVuZ2xhbmQuY28udWsifSwiZXhwIjoxNTM1NDkxODkyMTcyLCJhbGciOiJIbWFjU0hBMjU2In0=.mrvRvmYquDuKZzIo4vKMY1knKrLYVJ0vIEvKqSEGRWs=
>
* STATE: DO => DO_DONE handle 0x800485e0; line 1670 (connection #0)
* multi changed, check CONNECT_PEND queue!
* STATE: DO_DONE => WAITPERFORM handle 0x800485e0; line 1795 (connection #0)
* STATE: WAITPERFORM => PERFORM handle 0x800485e0; line 1811 (connection #0)
* Connection state changed (MAX_CONCURRENT_STREAMS == 200)!
* multi changed, check CONNECT_PEND queue!
* HTTP/2 found, allow multiplexing
< HTTP/2 500
< content-type: text/html
< date: Tue, 28 Aug 2018 20:45:03 GMT
< content-length: 511
<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8">
<title>Service Unavailable</title>
<style type="text/css">
body, p, h1 {
font-family: Verdana, Arial, Helvetica, sans-serif;
}
h2 {
font-family: Arial, Helvetica, sans-serif;
color: #b10b29;
}
</style>
</head>
<body>
<h2>Service Unavailable</h2>
<p>The service is temporarily unavailable. Please try again later.</p>
</body>
</html>
* nread <= 0, server closed connection, bailing
* STATE: PERFORM => DONE handle 0x800485e0; line 1980 (connection #0)
* multi_done
* Connection #0 to host cms.netwitness.com left intact
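Both posts in this thread found the stalled ESA aggregation only after the fact, by reading the ESA log by hand and spotting the WhoisClient 504 line. The following is an added example, not code from the thread or from RSA: a small log watchdog that parses WhoisClient failure lines in the format shown in the first post and raises an alert when several upstream 5xx responses (the 504 Gateway Time-out and the 500 Service Unavailable seen in the thread) fall within a short window, so the failing enrichment dependency is noticed before the C&C model has to be disabled. Apart from the zuko.io line taken from the first post, the sample log lines are constructed; the 10-minute window, the threshold of 3, and the treatment of only 5xx statuses as a service outage are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Matches the WhoisClient failure line as it appears in the ESA log in the thread.
# Assumption: the log format is "<ts>,<ms> [<thread>] <LEVEL> <logger> - <message>".
WHOIS_FAIL_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} \[[^\]]*\] \w+ '
    r'com\.rsa\.netwitness\.common\.whois\.WhoisClient - '
    r'whois request failed for domain "(?P<domain>[^"]+)" with status (?P<status>\d{3})'
)

# Constructed sample log: the first line is the one quoted in the thread, the rest
# are made up to exercise the window logic (one unrelated line, one 500, one 404).
SAMPLE_LOG = [
    '2018-06-06 07:21:26,790 [pool-6-thread-4] INFO com.rsa.netwitness.common.whois.WhoisClient - '
    'whois request failed for domain "zuko.io" with status 504: <html><head><title>504 Gateway Time-out</title></head></html>',
    '2018-06-06 07:22:10,001 [pool-6-thread-2] INFO com.rsa.netwitness.common.whois.WhoisClient - '
    'whois request failed for domain "example.net" with status 504: <html><head><title>504 Gateway Time-out</title></head></html>',
    '2018-06-06 07:23:40,512 [Carlos@3884f95a-85(onRequest(GetAlertsRequest))(328779)] INFO '
    'com.rsa.netwitness.core.api.alert.MongoAlertManager - 1 rows returned by query [...]',
    '2018-06-06 07:25:05,222 [pool-6-thread-1] INFO com.rsa.netwitness.common.whois.WhoisClient - '
    'whois request failed for domain "example.org" with status 500: Service Unavailable',
    '2018-06-06 07:40:00,000 [pool-6-thread-3] INFO com.rsa.netwitness.common.whois.WhoisClient - '
    'whois request failed for domain "example.com" with status 404: Not Found',
]


def parse_whois_failures(lines):
    """Return a list of (timestamp, domain, http_status) for every WhoisClient failure line."""
    failures = []
    for line in lines:
        m = WHOIS_FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            failures.append((ts, m.group("domain"), int(m.group("status"))))
    return failures


def whois_outage_alert(lines, window=timedelta(minutes=10), threshold=3):
    """Return (alert, status_counts).

    alert is True when at least `threshold` upstream (5xx) whois failures fall inside
    any sliding window of length `window`; 4xx results are treated as per-domain
    lookups that simply have no answer and are not counted as an outage (assumption).
    status_counts is a Counter of the 5xx statuses seen, useful in the alert text.
    """
    upstream = sorted(f for f in parse_whois_failures(lines) if 500 <= f[2] <= 599)
    counts = Counter(f[2] for f in upstream)
    alert = False
    start = 0
    for end in range(len(upstream)):
        # Advance the window start until the oldest failure is within `window` of the newest.
        while upstream[end][0] - upstream[start][0] > window:
            start += 1
        if end - start + 1 >= threshold:
            alert = True
            break
    return alert, counts


if __name__ == "__main__":
    alert, counts = whois_outage_alert(SAMPLE_LOG)
    if alert:
        summary = ", ".join(f"{n}x HTTP {status}" for status, n in sorted(counts.items()))
        print(f"ALERT: cloud whois service failing upstream ({summary}); "
              f"ESA enrichment, and with it aggregation, may stall")
    else:
        print("whois enrichment healthy")
```

In practice this would be fed by tailing the ESA log (or by a log-collection pipeline) and the alert routed to the same channel as the morning test alert, so that the absence of that alert and the cause of it arrive together. The 5xx filter is what ties the check to the symptoms in the thread; the 504 and 500 both came from the service in front of cms.netwitness.com, not from the domains being looked up.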