search

Homas / ioc2rpz

ioc2rpz is a place where threat intelligence meets DNS.
Apache License 2.0
105 stars 17 forks source link

TSIG key issue #45

Closed dmgeurts closed 1 year ago

dmgeurts commented 1 year ago

ioc2rpz logs that the zone transfer went fine. However, the client throws errors.

Server logs:

Oct 21 00:56:40 rpz2 c7735b7e2425[957]: ioc2rpz tcp6_sup child started
Oct 21 00:56:40 rpz2 c7735b7e2425[957]: CEF:0|ioc2rpz|ioc2rpz|1.1.2.3-2020123101|000202|DNS Query|3|src=10.0.0.9 spt=34613 proto=tcp qname="malware-bl.ioc2rpz" qtype="AXFR" qclass="IN" tsigkey="tkey_12345."
Oct 21 00:56:40 rpz2 c7735b7e2425[957]: Found Key ... Good timestamp ... Valid MAC
Oct 21 00:56:40 rpz2 c7735b7e2425[957]: CEF:0|ioc2rpz|ioc2rpz|1.1.2.3-2020123101|000201|RPZ transfer success|3|src=10.0.0.9 spt=34613 proto=tcp qname="malware-bl.ioc2rpz" qtype="AXFR" qclass="IN"  tsigkey="tkey_12345." transfer_time=0

However the client complains:

Oct 21 00:34:29 host.domain.com pdns-recursor[147843]: Packet (malware-bl.ioc2rpz|#251) has a TSIG record in an invalid position.

And when using dig:

user@host:~$ dig +tcp @10.0.0.5 -y hmac-sha256:tkey_12345:******= malware-bl.ioc2rpz AXFR | tail -n 8
malware-bl.ioc2rpz. 604800  IN      SOA     rpz.domain.com. me.domain.com. 1666304940 86400 3600 2592000 7200
tkey_12345.             0       ANY     TSIG    hmac-sha256. 1666306180 300 32 ****= 8958 NOERROR 0
;; Query time: 0 msec
;; SERVER: 10.0.0.5#53(10.0.0.5) (TCP)
;; WHEN: Fri Oct 21 00:49:40 CEST 2022
;; XFR size: 3 records (messages 1, bytes 299)
;; WARNING -- Some TSIG could not be validated

I have other zones using the exact same TSIG key just fine, same ioc2rpz server and same clients (2 clients both complaining of the same issue)

Homas commented 1 year ago

When did you deploy it? Did you use main or dev branch?

dmgeurts commented 1 year ago

dev branch, and I think I've found the issue. We restrict the domains servers can connect to. So the new source hadn't been added to the firewall rules yet. Dumb ass user error.

dmgeurts commented 1 year ago

But then I'm now struggling to get the format of the regex right for the following feed: https://urlhaus.abuse.ch/downloads/rpz/

What I initially had was: ^([A-Za-z0-9\._\-]+[A-Za-z])\ CNAME\ \.\ ;\ (Malware\ download|Test\ entry).*$

dmgeurts commented 1 year ago

How does one debug the ioc2rpz process? It would be great to be able to query the sources in ioc2rpz.gui.

Homas commented 1 year ago

But then I'm now struggling to get the format of the regex right for the following feed:

It's Erlang's regex (https://www.erlang.org/doc/man/re.html) + you may need to escape the backslash it if you enter it in the GUI. I'm using this regex (for urlhaus) ^([A-Za-z0-9\.]+) CNAME on the community website.

How does one debug the ioc2rpz process? It would be great to be able to query the sources in ioc2rpz.gui.

The easies way to start erl shell with rebar3 shell command. It will "compile" sources and start the service with provided configuration and in CLI you will be able to take a look on data in the ets tables (e.g. sources). Other option to connect to a running node via CLI (erl). Feeds data also available via API /api/[:api_ver]/feed/:rpz