3 Replies Latest reply on Sep 27, 2012 9:39 AM by asabban

    Blocking hostnames

      Hi

      I have to block hosts which don't have a static IP address. I already tried to block them according to the advice from article https://community.mcafee.com/message/187618#187618 but without success.

      I used the rule provided there, just replaced the hostname and changed the action.

      According to the rule tracing it looks to me that the issue must somehow relate to the "Missing Op" in the log, but I have no clue how to solve it.

      Could somebody give me a hint?

      Thanks a lot

      Best regards

      Daniel

      Ruleset:

      hostname_block2.png

      TracingLog:

      <node id="19848" string="Reverse Lookup IP to Host name" duration="0" enterTime="1348576655.567" node_type="rule">
        <node string="com.scur.engine.system.dns.reverselookup contains List(Name: Client Hostnames Wildcards to block, Type:RegexList) MISSING OP com.scur.engine.stringfilter.regexlist.tostring" duration="0" enterTime="1348576655.567" node_type="condition">
          <node string="Result: false" node_type="result"/>
          <node string="com.scur.engine.system.dns.reverselookup contains List(Name: Client Hostnames Wildcards to block, Type:RegexList) MISSING OP com.scur.engine.stringfilter.regexlist.tostring" duration="0" enterTime="1348576655.567" node_type="condition">
            <node string="Result: false" node_type="result"/>
            <node type="StringList" value="" string="com.scur.engine.system.dns.reverselookup" duration="0" enterTime="1348576655.567" node_type="property">
              <node node_type="parameter_list">
                <node type="IP" value="10.0.0.10" string="com.scur.engine.system.client.ip" duration="0" enterTime="1348576655.567" node_type="property" />
              </node>
              <!-- parameter -->
            </node>
            <!-- property -->
            <list name="Client Hostnames Wildcards to block" type="RegexList"/>
            <node type="String" value="" string="com.scur.engine.stringfilter.regexlist.tostring" duration="0" enterTime="1348576655.567" node_type="property">
              <node node_type="parameter_list" />
              <!-- parameter -->
            </node>
            <!-- property -->
            <info name="Properties">
              <node type="StringList" value="" string="com.scur.engine.system.dns.reverselookup" duration="0" enterTime="1348576655.567" node_type="property" />
              <node type="IP" value="10.0.0.10" string="com.scur.engine.system.client.ip" duration="0" enterTime="1348576655.567" node_type="property" />
              <node type="String" value="" string="com.scur.engine.stringfilter.regexlist.tostring" duration="0" enterTime="1348576655.567" node_type="property" />
            </info>
          </node>
          <!-- condition -->
          <info name="Properties">
            <node type="StringList" value="" string="com.scur.engine.system.dns.reverselookup" duration="0" enterTime="1348576655.567" node_type="property" />
            <node type="IP" value="10.0.0.10" string="com.scur.engine.system.client.ip" duration="0" enterTime="1348576655.567" node_type="property" />
            <node type="String" value="" string="com.scur.engine.stringfilter.regexlist.tostring" duration="0" enterTime="1348576655.567" node_type="property" />
          </info>
        </node>
        <!-- condition -->
      </node>
      <!-- rule 'Reverse Lookup IP to Host name' -->
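The trace above, read by a script instead of by eye. This is an added example and is not part of Daniel's post or of MWG itself; the trace it parses is a trimmed copy of the one above with the attribute spacing repaired so that it is well-formed XML. For every condition whose text carries MISSING OP it reports the rule the condition belongs to and which properties in that condition's Properties block evaluated to an empty value, since an empty operand is what leaves the engine with nothing to compare.

```python
import xml.etree.ElementTree as ET

# Trimmed copy of the rule-tracing output posted above (nesting and
# parameter sub-nodes dropped, attribute spacing repaired).
TRACE = """<node id="19848" string="Reverse Lookup IP to Host name" duration="0" enterTime="1348576655.567" node_type="rule">
  <node string="com.scur.engine.system.dns.reverselookup contains List(Name: Client Hostnames Wildcards to block, Type:RegexList) MISSING OP com.scur.engine.stringfilter.regexlist.tostring" duration="0" enterTime="1348576655.567" node_type="condition">
    <node string="Result: false" node_type="result"/>
    <info name="Properties">
      <node type="StringList" value="" string="com.scur.engine.system.dns.reverselookup" node_type="property"/>
      <node type="IP" value="10.0.0.10" string="com.scur.engine.system.client.ip" node_type="property"/>
      <node type="String" value="" string="com.scur.engine.stringfilter.regexlist.tostring" node_type="property"/>
    </info>
  </node>
</node>
"""


def find_missing_op(trace_xml):
    """Scan an MWG rule trace for conditions that report MISSING OP.

    Returns one dict per such condition with the enclosing rule name, the
    condition text, and the names of the properties in the condition's
    'Properties' info block whose value is the empty string.
    """
    root = ET.fromstring(trace_xml)
    findings = []
    # iter() on the root includes the root itself, so a trace that starts
    # with a rule node is handled like a rule nested deeper in the tree.
    for rule in root.iter("node"):
        if rule.get("node_type") != "rule":
            continue
        for cond in rule.iter("node"):
            if cond.get("node_type") != "condition":
                continue
            text = cond.get("string", "")
            if "MISSING OP" not in text:
                continue
            empty = []
            # Only the condition's own Properties block (direct child), not
            # those of nested conditions, belongs to this finding.
            for info in cond.findall("info"):
                if info.get("name") != "Properties":
                    continue
                for prop in info.findall("node"):
                    if prop.get("node_type") == "property" and prop.get("value", "") == "":
                        empty.append(prop.get("string"))
            findings.append({
                "rule": rule.get("string"),
                "condition": text,
                "empty_properties": empty,
            })
    return findings


if __name__ == "__main__":
    for f in find_missing_op(TRACE):
        print(f"rule {f['rule']!r}: MISSING OP, empty operands: {f['empty_properties']}")
```

Run against the sample it names both empty operands, the reverse-lookup result and the regex-list-to-string property, which is the same conclusion Andre draws in the reply below from the `value=""` attribute.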

        • 1. Re: Blocking hostnames
          asabban

          Hello,

          I believe the problem is that the DNS Lookup does not work. If you look at the value of the DNS.ReverseLookup Property in the trace you can see:

          <node type="StringList" value="" string="com.scur.engine.system.dns.reverselookup" duration="0" enterTime="1348576655.567" node_type="property" />

          The value is "", which means it is empty. A filled property looks like this:

          <node type="IP" value="10.0.0.10" string="com.scur.engine.system.client.ip" duration="0" enterTime="1348576655.567" node_type="property" />

          Because the result of the DNS lookup is empty MWG has nothing to compare, which would explain the "missing op" message. I would re-create the rule set and try a different approach:

          - Have a first rule which is always called and which calls the reverse DNS lookup and writes the response into a user-defined property

          - Create a second rule that calls "stop rule set" in case the property is empty after the DNS lookup. This will ensure you are not working with empty values (which is not good :-)

          - Create a third rule that compares your user-defined property (if filled) with your list, and call the block action if required

          You will still not block now, but you have a proper "error handling" for the empty DNS lookup response. Now create a tcpdump on UDP port 53 and check if MWG sends out the reverse DNS lookup as expected and if there is a valid response coming back from the DNS. I believe the issue could be there somewhere.

          Best,

          Andre

          1 of 1 people found this helpful
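The three-rule approach described above, written out as one Python function so that the empty-lookup branch is explicit. This is an added example, not Andre's rule set and not MWG code. The regex list and the reverse zone are constructed stand-ins (the real "Client Hostnames Wildcards to block" list is not shown in the thread), `evaluate` walks the three rules in order, and the fake resolver deliberately returns nothing for 10.0.0.10, the client IP in the trace, so the "stop rule set" path is exercised.

```python
import ipaddress
import re
import socket

# Constructed sample regex list standing in for the MWG list
# "Client Hostnames Wildcards to block", whose contents are not shown.
CLIENT_HOSTNAMES_TO_BLOCK = [
    r"^guest-.*\.corp\.example$",
    r"^lab\d+\.corp\.example$",
]

# Constructed stand-in for the corporate reverse zone so the example runs
# offline. An empty list means the resolver returned no PTR record, which
# is the situation the trace in the thread shows for 10.0.0.10.
FAKE_REVERSE_ZONE = {
    "10.0.0.10": [],
    "10.0.0.11": ["guest-pc7.corp.example"],
    "10.0.0.12": ["pc12.corp.example"],
}


def fake_reverse_lookup(ip):
    """Offline resolver: answer from the constructed zone above."""
    return FAKE_REVERSE_ZONE.get(ip, [])


def live_reverse_lookup(ip):
    """Real PTR lookup through the OS resolver (not used by the test)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + list(aliases)
    except socket.herror:
        return []


def evaluate(client_ip, patterns=CLIENT_HOSTNAMES_TO_BLOCK,
             reverse_lookup=fake_reverse_lookup):
    """Mirror the three rules as one sequence:

    rule 1: do the reverse lookup and keep the answer (the user-defined
            property in Andre's description)
    rule 2: stop the rule set if the lookup returned nothing, so no
            comparison is ever made against an empty value
    rule 3: compare each returned hostname against the regex list and
            block on the first hit

    Returns (action, reason) with action one of
    'block', 'allow' or 'stop_rule_set'.
    """
    ipaddress.ip_address(client_ip)            # reject malformed input early
    hostnames = reverse_lookup(client_ip)      # rule 1
    if not hostnames:                          # rule 2
        return ("stop_rule_set", f"no PTR record for {client_ip}")
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    for name in hostnames:                     # rule 3
        candidate = name.rstrip(".")           # PTR answers may carry a trailing dot
        for pattern in compiled:
            if pattern.search(candidate):
                return ("block", f"{candidate} matches {pattern.pattern}")
    return ("allow", f"{hostnames} matched no pattern")


if __name__ == "__main__":
    for ip in FAKE_REVERSE_ZONE:
        print(ip, *evaluate(ip))
```

Two caveats a practitioner would want. The `stop_rule_set` branch is fail-open: a client with no PTR record is simply not blocked, which is fine while debugging but may not be what you want in production, and returning `"block"` there instead makes the rule fail-closed. The decision is also only as trustworthy as the reverse zone, since whoever can write PTR records for your address space decides what a client "is called". For Andre's packet check, `tcpdump -nn -i any udp port 53` on the appliance shows whether the PTR query for `10.0.0.10.in-addr.arpa` actually leaves MWG and whether an answer comes back.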
          • 2. Re: Blocking hostnames

            Hi

            Thanks a lot for the answer.

            We've tried to create the rules, without success. Would you mind giving us an example of a ruleset?

            Thanks a lot

            Daniel

            • 3. Re: Blocking hostnames
              asabban

              Hi Daniel,

              I don't have an example at hand right now. Which step failed? Did you have problems creating the rule set, or did you create the rule set but the block still failed?

              If you had problems with the rule set please let me know where exactly the difficulties are. If the rule set is created but the lookup still does not work, please let me know if you were able to have a look at the DNS lookup MWG performs, and what you saw.

              Best,

              Andre