Adding a Host Name to the Message Headers


Problem

Reconstructed messages need to contain domain names of the sender and the recipient in addition to their IP addresses.

Solution Logic

To achieve this, Microolap EtherSensor has to resolve domain names via DNS.

Perform the following steps:

1. In the EtherSensor Analyser service configuration, specify DNS servers to use for the name resolution.

2. Create a message filter with a rule action to resolve host names via DNS for the message currently being processed.

Solution

1. In the EtherSensor Analyser service configuration, specify DNS server settings for the name resolution.

You can do this in the configuration tool or the configuration file.

In the EtherSensor Analyser service configuration file, the settings live under the <AnalyserConfig> root tag: the nested <Filter> tag holds the filter settings (and turns on the message filter), and its nested <Dns> tag holds the DNS server settings used to resolve names in the message filter.

<?xml version="1.0" encoding="utf-8"?>
<AnalyserConfig version="3.2">

  <!-- specify other settings for the service here -->

  <Filter enabled="true" filename="msg_filter.xml">

    <!-- specify other filter settings here -->

    <Dns>
      <AttemptsCount>3</AttemptsCount>
      <TtlForUnknown>3600</TtlForUnknown>
      <MinTtl>300</MinTtl>
      <MaxTtl>604800</MaxTtl>
      <Server ipaddress="127.0.0.1" port="53" />
    </Dns>

  </Filter>
</AnalyserConfig>

Here we assume that the DNS server listens on 127.0.0.1, port 53.

2. Setting up the message filter

For example, the msg_filter.xml file:

<?xml version="1.0" encoding="utf-8"?>
<filter name="DNS resolve" version="1.0">

  <table name="main">

    <rule enabled="true">
      <comment>
        Resolve the sender and the recipient host names
        for the message.
      </comment>
      <action name="dns" address="both"/>
    </rule>

    <rule enabled="true">
      <comment>
        Accept all messages that reached this point.
      </comment>
      <action name="accept" />
    </rule>

  </table>
</filter>


Comments and General Recommendations

1. When the DNS action completes, the X-Sensor-Src-Host and X-Sensor-Dst-Host headers are added to the message metadata. They contain the resolved domain names, or "<not resolved>" if the system failed to obtain a domain name.

2. For faster DNS name resolution, it is recommended to specify the fastest DNS servers in the EtherSensor Analyser service configuration. These may be your ISP servers or your own DNS servers.

3. The DNS action (DNS name resolution) is a slow operation. For this reason, make sure the filter runs it only for the messages that really require it.

4. Run the DNS action as late in the filter as possible, exactly where its results are required.

For example, if you need the sender and recipient host addresses in the output message to contain domain names, run the DNS action right before the end of message filtering and the ACCEPT action. There is no need to do it at the beginning of the filter, because a DROP action may reject some of the messages. Running the DNS action for such dropped messages (if it is placed at the beginning of the filter) would only create unnecessary load on Microolap EtherSensor and the runtime environment.

If you want to use the sender's and recipient's DNS names further down in the filter criteria, for example to drop messages based on their host names, resolve the DNS names in the rule located directly before the one that uses them.
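The following Python model is an added example and not EtherSensor code; it shows how the <Dns> settings above (AttemptsCount, TtlForUnknown, MinTtl, MaxTtl) and the "dns" action's X-Sensor-Src-Host / X-Sensor-Dst-Host headers fit together, so you can reason about how much DNS traffic a rule placement generates. The retry and caching behaviour is assumed from the setting names, the resolver data is constructed, and the "src"/"dst" values of the address attribute are assumptions (only "both" appears on this page).

```python
# Added example (not EtherSensor code): a model of what the "dns" rule action does
# with the <Dns> settings shown above. Internals of the real product are assumed.
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

NOT_RESOLVED = "<not resolved>"          # header value documented on the page


@dataclass
class DnsSettings:
    """Mirrors the <Dns> element: attempts, TTL for failures, TTL clamp range."""
    attempts_count: int = 3        # <AttemptsCount>
    ttl_for_unknown: int = 3600    # <TtlForUnknown>: cache a failed lookup this long
    min_ttl: int = 300             # <MinTtl>: never cache a success for less
    max_ttl: int = 604800          # <MaxTtl>: never cache a success for more


# A resolver takes an IP string and returns (host name, record TTL) or raises OSError.
Resolver = Callable[[str], Tuple[str, int]]


class ReverseDnsCache:
    """Reverse lookup with retry and TTL-based caching (assumed behaviour)."""

    def __init__(self, settings: DnsSettings, resolver: Resolver,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.settings = settings
        self.resolver = resolver
        self.clock = clock
        self.cache: Dict[str, Tuple[str, float]] = {}   # ip -> (name, expires_at)
        self.lookups = 0                                # resolver calls, for inspection

    def resolve(self, ip: str) -> str:
        now = self.clock()
        hit = self.cache.get(ip)
        if hit is not None and hit[1] > now:
            return hit[0]                               # still valid, no DNS traffic
        name, ttl = NOT_RESOLVED, self.settings.ttl_for_unknown
        for _ in range(self.settings.attempts_count):  # retry up to AttemptsCount
            self.lookups += 1
            try:
                name, ttl = self.resolver(ip)
                # clamp the record's TTL into [MinTtl, MaxTtl]
                ttl = min(max(ttl, self.settings.min_ttl), self.settings.max_ttl)
                break
            except OSError:
                continue                                # timeout or no PTR record
        self.cache[ip] = (name, now + ttl)
        return name


def add_host_headers(message: dict, cache: ReverseDnsCache, address: str = "both") -> dict:
    """Apply <action name="dns" address=.../>: add X-Sensor-*-Host metadata headers.
    'both' is the value used on the page; 'src'/'dst' are assumed alternatives."""
    headers = dict(message["headers"])
    if address in ("src", "both"):
        headers["X-Sensor-Src-Host"] = cache.resolve(message["src_ip"])
    if address in ("dst", "both"):
        headers["X-Sensor-Dst-Host"] = cache.resolve(message["dst_ip"])
    return {**message, "headers": headers}


# Constructed PTR data standing in for a real DNS server (documentation ranges).
CONSTRUCTED_PTR = {
    "192.0.2.10": ("mail.example.net", 60),         # TTL below MinTtl -> clamped up
    "198.51.100.7": ("smtp.example.org", 2592000),  # TTL above MaxTtl -> clamped down
}


def constructed_resolver(ip: str) -> Tuple[str, int]:
    if ip not in CONSTRUCTED_PTR:
        raise OSError("no PTR record")
    return CONSTRUCTED_PTR[ip]


class FakeClock:
    """Controllable clock so cache expiry can be shown without waiting."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    cache = ReverseDnsCache(DnsSettings(), constructed_resolver, clock)
    msg = {"src_ip": "192.0.2.10", "dst_ip": "203.0.113.9", "headers": {}}
    out = add_host_headers(msg, cache)
    print(out["headers"])                      # src resolved, dst "<not resolved>"
    print("resolver calls:", cache.lookups)    # 1 success + 3 failed attempts = 4
    clock.t = 301                              # past MinTtl: src re-resolved, dst cached
    add_host_headers(msg, cache)
    print("resolver calls:", cache.lookups)    # 5
```

Note what the numbers show: one unresolvable address costs AttemptsCount resolver calls and is then remembered for TtlForUnknown seconds, while a short-lived record is kept for at least MinTtl. That is why the page recommends placing the DNS action after any DROP rules: every dropped message that passes through the action first still pays for these lookups.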

Troubleshooting

If DNS names for IP addresses of the sender or the recipient do not resolve:

1. Make sure the DNS server is available directly from the sensor machine using ping (for example, ping <dns-server-ip-address>) and telnet (for example, telnet <dns-server-ip-address>).

2. Make sure the DNS server you use can resolve names for the sensor machine. To do that, you can use nslookup.

Run nslookup from the command prompt.

In the utility, run the server <dns-server-ip-address> command to select the DNS server used to resolve names.

Enter the IP address for which you cannot resolve the name.
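The script below is an added example (not part of the EtherSensor bundle) that performs the same check as the nslookup steps above from the sensor machine: it sends a PTR query for the IP address straight to the configured DNS server over UDP and prints the resolved name, "<not resolved>" on NXDOMAIN, or raises on transport or server errors. It is useful alongside ping and telnet because those only prove reachability (and telnet only tests TCP), whereas the sensor's lookups normally go over UDP port 53. The server address defaults to 127.0.0.1 as in the configuration above; the reply used in the self-check is constructed, not captured traffic.

```python
# Added example (not EtherSensor code): a minimal PTR (reverse DNS) query sent straight
# to a chosen server over UDP, mirroring the nslookup check from the sensor machine.
import ipaddress
import random
import socket
import struct

PTR, IN = 12, 1          # QTYPE PTR, QCLASS IN (RFC 1035)


def ptr_name(ip: str) -> str:
    """192.0.2.10 -> 10.2.0.192.in-addr.arpa (IPv6 gives the ip6.arpa nibble form)."""
    return ipaddress.ip_address(ip).reverse_pointer


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def build_ptr_query(ip: str, txid: int) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD set
    return header + encode_name(ptr_name(ip)) + struct.pack("!HH", PTR, IN)


def decode_name(data: bytes, offset: int):
    """Read a possibly compressed name; return (name, offset after the field)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_ptr_response(data: bytes, txid: int):
    """Return [(host name, ttl), ...]; [] on NXDOMAIN; raise on other errors."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0xF
    if rcode == 3:
        return []                                       # NXDOMAIN: no PTR record
    if rcode != 0:
        raise ValueError(f"server returned rcode {rcode}")
    offset = 12
    for _ in range(qd):                                 # skip the echoed question(s)
        _, offset = decode_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        _, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == PTR:
            answers.append((decode_name(data, offset)[0], ttl))
        offset += rdlen
    return answers


def query_ptr(ip: str, server: str = "127.0.0.1", port: int = 53, timeout: float = 3.0):
    """Send the query to one specific server (UDP, like nslookup's 'server' command)."""
    txid = random.randrange(1, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)                        # socket.timeout on no reply
        sock.sendto(build_ptr_query(ip, txid), (server, port))
        data, _ = sock.recvfrom(512)
    return parse_ptr_response(data, txid)


def constructed_response(txid: int, ip: str = "192.0.2.10", host: str = "mail.example.net",
                         ttl: int = 300, rcode: int = 0) -> bytes:
    """A server reply built by hand (constructed test data, not captured traffic)."""
    question = encode_name(ptr_name(ip)) + struct.pack("!HH", PTR, IN)
    if rcode:
        return struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 0, 0, 0) + question
    rdata = encode_name(host)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", PTR, IN, ttl, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


if __name__ == "__main__":
    import sys
    ip = sys.argv[1]
    server = sys.argv[2] if len(sys.argv) > 2 else "127.0.0.1"
    print(query_ptr(ip, server) or "<not resolved>")
```

Run it as python ptrcheck.py <ip-address> [<dns-server-ip-address>]. An empty result means the server answered NXDOMAIN, so the filter's DNS action cannot succeed either and the message will carry "<not resolved>"; a timeout means the server is unreachable over UDP even if ping and telnet succeeded.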

If nslookup resolves the host name, check your filter:

1. Make sure the rule that contains the DNS action is enabled and its conditions match the messages.

2. Make sure the rule that contains the DNS action is actually reached, i.e. no earlier rule accepts or drops the messages before filtering gets to it (in particular, make sure there are no rules with an ACCEPT or DROP action before this rule).

3. Make sure that when Microolap EtherSensor starts, the EtherSensor Analyser service logs contain no error messages or messages about incorrect filter loading.

If the problem persists, send the following items to the Microolap EtherSensor manufacturer:

Several sample messages for which name resolution fails.

The message filter you use.

The diagnostic report on Microolap EtherSensor operation generated by the ethersensor_console.exe tool from the Microolap EtherSensor software bundle.

Your comments and thoughts regarding the steps listed above.