A3sal0n / FalconGate

A smart gateway to stop cyber criminals - Sponsored by Falcon Guard
https://falconguard.cz
GNU General Public License v3.0

dns requests logs #62

Closed jeanlk15 closed 6 years ago

jeanlk15 commented 6 years ago

In syslog I see a list of DNS requests. I think something is slipping through; I see no alert for what I suspect.

I was looking for your parsed files, which are referenced like /etc/dnsmasq.block for domain names.

For IPs? Which file shall I look for?

I want to double-check an IP and/or domain I suspect is malware, but FalconGate is not picking it up..

I guess I am curious whether the malicious IP and domain name might be in these files somewhere...

A3sal0n commented 6 years ago

The DNS entries in syslog are logged by dnsmasq. Dnsmasq has dnscrypt-proxy configured as its upstream DNS server, so all DNS traffic always leaves the network encrypted.

We currently don't block traffic to the IP addresses in our blacklist. There were many false positives in the past due to shared hosting environments. Essentially, clean and infected websites were hosted behind the same blacklisted IP. We also don't save the list of malicious IP addresses to disk; we keep it in memory. You can download the latest IP blacklist with the command below:

curl -H 'x-api-key: [YOUR API KEY HERE]' https://intel.falcongate.cz/falcongate-blacklists/ip_blacklist
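As an added example (not FalconGate's own code), a small Python check that answers the question above offline: it runs dnsmasq's syslog query/reply lines against the downloaded IP blacklist and the domain list, and attributes each hit to the client that asked. The syslog sample, the one-IP-or-CIDR-per-line layout of the IP list and the `address=/name/` layout of /etc/dnsmasq.block are constructed assumptions, not confirmed formats.

```python
import ipaddress
import re
# Constructed dnsmasq syslog sample (log-queries enabled), not real traffic.
SYSLOG_LINES = """\
Mar  3 10:01:02 gw dnsmasq[812]: query[A] update.example.com from 192.168.1.20
Mar  3 10:01:02 gw dnsmasq[812]: reply update.example.com is 203.0.113.45
Mar  3 10:01:05 gw dnsmasq[812]: query[A] www.example.org from 192.168.1.21
Mar  3 10:01:05 gw dnsmasq[812]: reply www.example.org is 198.51.100.7
Mar  3 10:01:09 gw dnsmasq[812]: query[A] cdn.example.net from 192.168.1.20
Mar  3 10:01:09 gw dnsmasq[812]: reply cdn.example.net is 192.0.2.10
"""
# Constructed stand-ins: domain list in dnsmasq "address=/name/" form (assumed layout of
# /etc/dnsmasq.block) and IP list as one IP or CIDR per line (assumed layout of the download).
DOMAIN_BLOCKLIST = "address=/cdn.example.net/\naddress=/bad.example/\n"
IP_BLACKLIST = "203.0.113.45\n198.51.100.0/24\n"
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[\w+\] (\S+) from (\S+)")
REPLY_RE = re.compile(r"dnsmasq\[\d+\]: reply (\S+) is (\S+)")


def load_domains(text):
    """Domains from address=/name/ lines (assumed format), lower-cased."""
    return {m.group(1).lower() for m in re.finditer(r"^address=/([^/]+)/", text, re.M)}


def load_networks(text):
    """One IP or CIDR per line (assumed format) parsed into ip_network objects."""
    return [ipaddress.ip_network(l.strip(), strict=False) for l in text.splitlines() if l.strip()]


def domain_listed(name, domains):
    """Match the name or any parent zone: dnsmasq address=/x/ also covers subdomains."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels) - 1))


def check_syslog(lines, domains, networks):
    """Return (client, domain, answer_ip, list) for every blacklisted domain or IP seen."""
    hits, client_of = [], {}
    for line in lines.splitlines():
        q = QUERY_RE.search(line)
        if q:  # remember which client asked, so a later reply hit can be attributed
            client_of[q.group(1).lower()] = q.group(2)
            if domain_listed(q.group(1), domains):
                hits.append((q.group(2), q.group(1), None, "domain"))
            continue
        r = REPLY_RE.search(line)
        if r:
            try:
                addr = ipaddress.ip_address(r.group(2))
            except ValueError:  # "<CNAME>", NXDOMAIN and similar non-address replies
                continue
            if any(addr in net for net in networks):
                hits.append((client_of.get(r.group(1).lower()), r.group(1), str(addr), "ip"))
    return hits
```

An IP hit here is what the appliance would alert on but not block, while a domain hit is what the dnsmasq block file would have stopped.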

jeanlk15 commented 6 years ago

So correct me if I am wrong: in config.ini, can I also add my own "extra" categories below your Tor, Malware etc. under [blacklists_ip] or [blacklists_domain]?

[blacklists_ip] lines missing: MyOwnExtraLine1 = <will block and alert?>

[blacklists_domain] <>: MyOwnExtraLine2 = <will block without alert?>

Do [blacklists_ip] or [blacklists_domain] then block and alert? (Or just block?)

Correct me if I am wrong also... in config.ini you have these. Do they just alert, no blocking?

fg_api_intel_url = https://intel.falcongate.cz/ <will alert only, no blocking?>
fg_api_alert_url = https://comms.falcongate.cz/new-alert <will alert only, no blocking?>
fg_api_malware_url = https://malware.falcongate.cz/ <will alert only, no blocking?>
vt_api_domain_url = https://www.virustotal.com/vtapi/v2/domain/report <will alert only, no blocking?>
vt_api_ip_url = http://www.virustotal.com/vtapi/v2/ip-address/report <will alert only, no blocking?>
vt_api_file_url = https://www.virustotal.com/vtapi/v2/file/report <will alert only, no blocking?>
hibp_api_url = https://haveibeenpwned.com/api/v2/breachedaccount/ <will alert only, no blocking?>

Is it possible to add custom "alert"-only lists for domains and IP addresses?

A3sal0n commented 6 years ago

You can add your own threat intel feeds/URLs under [blacklists_ip] or [blacklists_domain] in the file config.ini. Falcongate should block only the domains extracted from the new sources, but it will alert for both IP addresses and domains.

The last URLs mentioned in your post are internal configuration parameters for Falcongate. The first 3 are our API endpoints and the last 4 are used to access the VirusTotal API and haveibeenpwned services.

jeanlk15 commented 6 years ago

Please see my questions in <> brackets; I am still unsure about what each line will really do. Not 100% sure.

A3sal0n commented 6 years ago

[blacklists_ip] lines missing: MyOwnExtraLine1 = <will block and alert?> [This won't be blocked but you will be alerted]

[blacklists_domain] <>: MyOwnExtraLine2 = <will block without alert?> [This will be both blocked and alerted]

Do [blacklists_ip] or [blacklists_domain] then block and alert? (Or just block?)

Correct me if I am wrong also... in config.ini you have these. Do they just alert, no blocking?

fg_api_intel_url = https://intel.falcongate.cz/ <will alert only, no blocking?> [This is Falcongate's API URL. This is the source of the blacklists.]
fg_api_alert_url = https://comms.falcongate.cz/new-alert <will alert only, no blocking?> [This is Falcongate's API which users can use to report issues with the platform.]
fg_api_malware_url = https://malware.falcongate.cz/ <will alert only, no blocking?> [This is Falcongate's API which is used for cloud malware analysis if you enable this option.]
vt_api_domain_url = https://www.virustotal.com/vtapi/v2/domain/report <will alert only, no blocking?> [This is the VirusTotal API. If something is identified based on VT it will just be alerted.]
vt_api_ip_url = http://www.virustotal.com/vtapi/v2/ip-address/report <will alert only, no blocking?> [This is the VirusTotal API. If something is identified based on VT it will just be alerted.]
vt_api_file_url = https://www.virustotal.com/vtapi/v2/file/report <will alert only, no blocking?> [This is the VirusTotal API. If something is identified based on VT it will just be alerted.]
hibp_api_url = https://haveibeenpwned.com/api/v2/breachedaccount/ <will alert only, no blocking?> [This is the haveibeenpwned API, which allows monitoring whether a user email account was compromised in the past.]

jeanlk15 commented 6 years ago

That helped a lot, thanks.