1 Reply Latest reply on Dec 21, 2016 9:34 AM by Troja

    Thousands of DXL requests

    jacek

      I have very large peaks of DXL requests in dxl.log and on dashboard, which is not normal behavior in my network.

      There are peaks with 100 requests per second, with continuous duration for 30-40 minutes.


      How can I trace/debug which URLs/filenames are sent for analysis? In dxl.log there is only an encrypted hash, which I don't know how to use:

      08:13:30.075: dxl_async_request callback for 76: ok

      {"props":{"atdCandidate":1,"serverTime":1482304409,"masterServer":"tie1;x"},"reputations":[{"createDate":1461906176,"trustLevel":0,"providerId":3,"attributes":{"2101652":"458","2112148":"99","2112404":"99","2112660":"99","2112916":"99","2113172":"100","2113428":"100","2102165":"1444376066","2114965":"2","2111893":"768","2139285":"72902018968060158"}},{"createDate":1461906176,"trustLevel":99,"providerId":1,"attributes":{"2120340":"2141257856"}}]}

      08:13:30.189: dxl_async_request(/mcafee/service/tie/file/reputation,77): DERR_OK

      {"hashes":[{"value":"UNt1BSK5YwdX+RtT3zd/1O1OLWY=","type":"sha1"},{"value":"rjy2xq+6mkqlyF9mAjw1M4ylebMDJt0CkY+dVSWVA9U=","type":"sha256"},{"value":"Nm/W86RRNRtd8tfE7PTHOg==","type":"md5"}]}

      08:13:30.194: dxl_async_request callback for 77: ok

      {"props":{"atdCandidate":1,"serverTime":1482304409,"masterServer":"tie1;x"},"reputations":[{"createDate":1449562959,"trustLevel":0,"providerId":3,"attributes":{"2101652":"465","2112148":"99","2112404":"99","2112660":"99","2112916":"50","2113172":"100","2113428":"99","2102165":"1446525877","2114965":"3","2111893":"768","2139285":"72902018968060158"}},{"createDate":1449562959,"trustLevel":99,"providerId":1,"attributes":{"2120340":"2141257856"}}]}


      The "Enable tracing for DXL" and "Write full message body" options in the Troubleshooting tab are enabled.

      MWG version: 7.6.2.6
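An added example, not part of either post: the hashes in the dxl.log request bodies above are base64-encoded digests, so a small parser can turn them into the hex form a TIE console shows and count lookups per second and per file, which ties a request spike to the specific files being queried. The log excerpt in the code is constructed (the digests are those of an empty file) and the line layout assumes the request-then-body format shown in the post.

```python
import base64
import json
import re
from collections import Counter

# Request line as MWG writes it to dxl.log when "Write full message body" is on.
REQ_RE = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+: dxl_async_request\((/\S+),(\d+)\): (\w+)$")

# Constructed sample: two TIE reputation lookups in one second, a third a second later.
# The sample hashes are the SHA-1 and MD5 of an empty file, so the decoded hex is recognisable.
SAMPLE_LOG = """\
08:13:30.189: dxl_async_request(/mcafee/service/tie/file/reputation,77): DERR_OK
{"hashes":[{"value":"2jmj7l5rSw0yVb/vlWAYkK/YBwk=","type":"sha1"},{"value":"1B2M2Y8AsgTpgAmY7PhCfg==","type":"md5"}]}
08:13:30.194: dxl_async_request callback for 77: ok
{"props":{"atdCandidate":1},"reputations":[{"trustLevel":0,"providerId":3}]}
08:13:30.611: dxl_async_request(/mcafee/service/tie/file/reputation,78): DERR_OK
{"hashes":[{"value":"2jmj7l5rSw0yVb/vlWAYkK/YBwk=","type":"sha1"}]}
08:13:31.020: dxl_async_request(/mcafee/service/tie/file/reputation,79): DERR_OK
{"hashes":[{"value":"1B2M2Y8AsgTpgAmY7PhCfg==","type":"md5"}]}
"""

def parse_requests(log_text):
    """Yield (second, topic, request_id, {hash_type: hex}) for each request line
    whose following line is a JSON body with a 'hashes' array."""
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        m = REQ_RE.match(line)
        if not m or i + 1 >= len(lines):
            continue
        try:
            body = json.loads(lines[i + 1])
        except ValueError:
            continue  # next line is not a message body (full-body tracing may be off)
        if not isinstance(body, dict):
            continue
        hashes = {}
        for h in body.get("hashes", []):
            # TIE transports digests base64-encoded; hex is what you search for in the console
            hashes[h["type"]] = base64.b64decode(h["value"]).hex()
        yield m.group(1), m.group(2), int(m.group(3)), hashes

def requests_per_second(log_text):
    """Requests per wall-clock second, to size the peaks the post describes."""
    return Counter(sec for sec, _, _, _ in parse_requests(log_text))

def most_queried(log_text, hash_type="sha1"):
    """Lookups per file hash, to see which files drive the spike."""
    return Counter(h[hash_type] for _, _, _, h in parse_requests(log_text) if hash_type in h)
```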

        • 1. Re: Thousands of DXL requests
          Troja

          Hi jacek,

          Which ruleset are you using? In your MWG Policy you have to configure in detail when TIE should be queried. Also, you have to take care of when TIE information should be updated.

          You MUST check your ruleset; only executable files should be queried.

          Enclosed are some hints; may they help you.

          • The whole ruleset:

          TIE_Query1.jpg

          Some more Details:

          TIE_Query2.jpg

          TIE_Query3.jpg

          Note: This ruleset is part of a more complex one, where ATD is also configured. Take care with the last rule, where clean files are reported to TIE.

          Have you taken a look in TIE at which files are queried by MWG?

          As you can see in the first screenshot, I write a log file for any TIE query. So I can check which file was queried. The log is used to improve the TIE ruleset.

          Hope this helps,

          Cheers