2016-09-27 09:09 AM
I've had the Whois lookup service configured now for over a week and have yet to see it perform an actual lookup for Automated Threat Detection (CnC traffic). I've gone through all the troubleshooting steps found here: https://community.rsa.com/docs/DOC-54601 but I don't see any of the counters moving in the ESA Explorer View. The proxy is configured, the warm-up period has long been over, I have a whitelist set up, and so on.
Whois Service in Explorer View
Automated Threat Detection ESA Configurations
C2 Aggregate Rule is Enabled
Does anyone have any ideas? I forgot to add that Live is configured and working.
2016-09-27 11:22 AM
You are using https, so have you enabled InsecureConnection (set it to true), so that SSL verification is ignored?
Have you verified that ESA can communicate with the Whois URL listed above?
Thanks,
Miha
2016-09-27 11:26 AM
2016-09-27 12:42 PM
Miha, thanks for the info. I had the insecureConnection setting set to false because of the note found here: Alerting: Configure Automated Threat Detection
insecureConnection:
Optional: Set this parameter to true to allow the HTTP request to the RSA Whois Service ignore SSL certs.
Note: If the RSA Whois Service is accessed via a proxy, this parameter should be set to true.
The default value is false.
(Requires an ESA restart to take effect.)
We are using a proxy, but I'll try it with insecureConnection set to false.
The script is great for testing. Thank you for providing this!
./cloud-whois.sh emc.com
Authenticate:
curl -sk -H "Content-Type: application/json" -X POST -d "{"X-Auth-Username":"*******","X-Auth-Password":"******"}" "https://cms.netwitness.com/authlive/authenticate/WHOIS" -D /tmp/resp_headers.2fVrJU -o /dev/null
X-Auth-Token is empty.
Query: /usr/bin/curl -sk -H "Content-Type: application/json" -H "" "https://cms.netwitness.com/whois/query/emc.com" | tr -d '\r' | python -m json.tool
Skipping query because no X-Auth-Token.
So it appears I'm missing the X-Auth-Token. I thought this was generated once I pass my username and password to https://cms.netwitness.com/authlive/authenticate/WHOIS ?
2016-09-29 08:24 AM
I'm now seeing the stats move, but they're all for failed authentication when performing the whois lookup. Failed Auth = 7, Service Auth Failed = 7... My Live credentials are good, but I'm still missing an X-Auth-Token from what I can tell when running the script from the command line.
2016-09-29 08:49 AM
You need to export proxy variable before using script in shell.
export http_proxy=http://server-ip:port/
export https_proxy=https://server-ip:port/
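The two symptoms in this thread, "X-Auth-Token is empty" from the test script and curl never reaching the service because the proxy variables were not exported in the shell, can both be checked without touching the network. The script below is an added example and is not the cloud-whois.sh script or any RSA-provided code; it assumes the service returns the token as an HTTP response header named X-Auth-Token in the file that curl writes with -D (the script's own invocation above dumps headers to /tmp/resp_headers.*), and that the proxy is supplied through the http_proxy/https_proxy variables named in the last reply. The header dumps it parses are constructed samples.

```shell
#!/bin/sh
# Added example (not the thread's cloud-whois.sh): diagnose the two failure
# modes discussed above using a curl -D header dump and the proxy environment.
# Assumption: the token is delivered as the X-Auth-Token response header.

# Return 0 when both proxy variables the curl calls would honour are exported,
# 1 otherwise (curl then tries a direct connection, which a proxied ESA lacks).
proxy_env_ready() {
    [ -n "${http_proxy:-}" ] && [ -n "${https_proxy:-}" ]
}

# Print the X-Auth-Token value found in a curl -D header dump ($1).
# Header names are matched case-insensitively and the CR from HTTP line
# endings is stripped first. Prints nothing and returns 1 if no token is present.
extract_auth_token() {
    token=$(tr -d '\r' < "$1" | awk 'tolower($1) == "x-auth-token:" { print $2; exit }')
    [ -n "$token" ] || return 1
    printf '%s\n' "$token"
}

# Constructed sample header dumps (not real service responses): one successful
# authentication carrying a token, one proxy error that carries none.
ok_hdrs=$(mktemp)
printf 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nX-Auth-Token: example-token-0123\r\n\r\n' > "$ok_hdrs"
fail_hdrs=$(mktemp)
printf 'HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: Basic\r\n\r\n' > "$fail_hdrs"

# Summarise what a header dump ($1) tells us, including the HTTP status line,
# which is the first thing to read when the token is missing.
diagnose() {
    if ! proxy_env_ready; then
        echo "http_proxy/https_proxy not exported; curl will bypass the proxy"
    fi
    if tok=$(extract_auth_token "$1"); then
        echo "token obtained: $tok"
    else
        echo "no X-Auth-Token in $1 (status: $(head -n 1 "$1" | tr -d '\r'))"
    fi
}

diagnose "$ok_hdrs"
diagnose "$fail_hdrs"
```

Run it in the same shell where you exported the proxy variables; if the status line in the dump is a 407 or a connection error rather than a 200, the problem is upstream of the Whois service and changing insecureConnection will not produce a token.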