stamparm / maltrail

Malicious traffic detection system
MIT License

Whitelisting not working? #65

Closed srondeauuwt closed 8 years ago

srondeauuwt commented 8 years ago

I have DNS services that cause "excessive no such domain (suspicious)" events. I would like to ignore them, so I added the comma-delimited IP addresses of the DNS servers to USER_WHITELIST and restarted sensor.py and server.py, but the events are still captured.

Are the USER_WHITELIST values being respected?

stamparm commented 8 years ago

Can you please make sure that you are running the latest revision, as there have been some fixes lately regarding this? Also, can you please give specific details (what is the content of USER_WHITELIST, and which domains are in question)?

srondeauuwt commented 8 years ago

Tried v0.9.216 with my configuration changes to the new maltrail.conf (here is USER_WHITELIST only):

USER_WHITELIST 127.0.0.1,127.0.0.2,128.95.120.1,128.95.112.1

Also tried it with:

USER_WHITELIST 127.0.0.1,127.0.0.2

The server fails after logging in with this message:

TypeError: t is null Script: http://128.208.250.159:8338/js/papaparse.min.js?papaworker Line: 6

stamparm commented 8 years ago

Something is wrong with the logged data. USER_WHITELIST is used by the sensor and not by the web client (papaparse). Can you please send me the problematic logged data (for the problematic date) which causes the web client to crash with that message?

To see if USER_WHITELIST works, you could try to grep the log for today (/var/log/maltrail/2016-02-13.log) for those IP addresses.

srondeauuwt commented 8 years ago

Here is the logged data (stopped server.py and all sensor.py, removed 2016-02-13.log and started server.py and remote sensor.py -- all on same release level):

"2016-02-13 18:55:25.872549" cssgate.insttech.washington.edu 128.208.244.213 - 136.161.101.53 - ICMP IP 136.161.101.53 "sinkhole conficker (malware)" (static)
"2016-02-13 18:55:33.351032" cssgate.insttech.washington.edu 175.6.228.149 34513 128.208.244.213 1433 TCP IP 175.6.228.149 "bad reputation" "alienvault.com (+binarydefense.com,packetmail.net,turris.cz)"
"2016-02-13 18:55:48.237966" cssgate.insttech.washington.edu 128.95.120.1 53 128.208.244.213 42623 UDP DNS (web3.insttech.insttech,web3.insttech,intkau1b.insttech.insttech).washington.edu "excessive no such domain (suspicious)" (heuristic)

stamparm commented 8 years ago

1) My web browser's client instance is not crashing with this data. I believe that yours shouldn't either.

2) You can whitelist the trail of the problem, not the src_ip or dst_ip. In your case, if you are bothered with the "excessive no such domain" events, you can whitelist washington.edu or, more specifically, insttech.washington.edu, because those are the parts of the bothersome threat/trail(s).
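To make the distinction in item 2) concrete (a whitelist entry is compared against the trail column, never against src_ip or dst_ip), here is an added Python example, not maltrail's own code, that parses the three log lines pasted above and applies a whitelist to them. The eleven-column layout is read off those lines; the suffix-match rule, the expansion of the condensed "(a,b,c).suffix" DNS trail into individual names, and the helper names (parse_log, expand_trail, is_whitelisted, filter_events, grep_ips) are assumptions made for this example and do not describe how maltrail matches internally.

```python
"""Parse maltrail-style log lines and apply a trail whitelist.

Added example, not maltrail's own code.  The column layout is read off the
three events pasted in the thread; the suffix-match rule and the expansion of
the condensed "(a,b,c).suffix" DNS trail are assumptions made for this example.
"""
import re
import shlex
from dataclasses import dataclass
from typing import List

# Constructed sample input: the reporter's three events, one per line.
SAMPLE_LOG = """\
"2016-02-13 18:55:25.872549" cssgate.insttech.washington.edu 128.208.244.213 - 136.161.101.53 - ICMP IP 136.161.101.53 "sinkhole conficker (malware)" (static)
"2016-02-13 18:55:33.351032" cssgate.insttech.washington.edu 175.6.228.149 34513 128.208.244.213 1433 TCP IP 175.6.228.149 "bad reputation" "alienvault.com (+binarydefense.com,packetmail.net,turris.cz)"
"2016-02-13 18:55:48.237966" cssgate.insttech.washington.edu 128.95.120.1 53 128.208.244.213 42623 UDP DNS (web3.insttech.insttech,web3.insttech,intkau1b.insttech.insttech).washington.edu "excessive no such domain (suspicious)" (heuristic)
"""

# The reporter's USER_WHITELIST value, kept here for comparison.
USER_WHITELIST = ["127.0.0.1", "127.0.0.2", "128.95.120.1", "128.95.112.1"]


@dataclass
class Event:
    time: str
    sensor: str
    src_ip: str
    src_port: str
    dst_ip: str
    dst_port: str
    proto: str
    trail_type: str   # "IP" or "DNS" in the sample
    trail: str        # the value a whitelist entry is matched against
    info: str
    reference: str


def parse_line(line: str) -> Event:
    """Split one log line into its eleven columns (quoted columns may contain spaces)."""
    fields = shlex.split(line)
    if len(fields) != 11:
        raise ValueError(f"expected 11 columns, got {len(fields)}: {line!r}")
    return Event(*fields)


def parse_log(text: str) -> List[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


_CONDENSED = re.compile(r"^\((?P<prefixes>[^)]*)\)(?P<suffix>.*)$")


def expand_trail(trail: str) -> List[str]:
    """Expand "(a,b).example.com" into ["a.example.com", "b.example.com"].

    Assumption: this is how the condensed DNS trail in the sample is to be read.
    Any other trail (an IP address, a plain domain) is returned unchanged.
    """
    m = _CONDENSED.match(trail)
    if not m:
        return [trail]
    return [p + m.group("suffix") for p in m.group("prefixes").split(",")]


def is_whitelisted(event: Event, whitelist: List[str]) -> bool:
    """True if any name in the trail equals a whitelist entry or is a subdomain of it.

    Only the trail is consulted: src_ip, dst_ip and the sensor name are never
    compared, which is why the IP addresses of the reporter's own DNS servers
    in USER_WHITELIST do not silence "excessive no such domain" events.
    """
    for name in expand_trail(event.trail):
        for entry in whitelist:
            if name == entry or name.endswith("." + entry):
                return True
    return False


def filter_events(events: List[Event], whitelist: List[str]) -> List[Event]:
    """Return the events that would still be reported under the given whitelist."""
    return [e for e in events if not is_whitelisted(e, whitelist)]


def grep_ips(text: str, ips: List[str]) -> List[str]:
    """The check suggested in the thread: which log lines mention any of these IPs?"""
    return [line for line in text.splitlines() if any(ip in line for ip in ips)]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("events logged:", len(events))
    print("still reported with USER_WHITELIST", USER_WHITELIST, "->",
          len(filter_events(events, USER_WHITELIST)))
    print("still reported with whitelist ['washington.edu'] ->",
          len(filter_events(events, ["washington.edu"])))
    for line in grep_ips(SAMPLE_LOG, ["128.95.120.1"]):
        print("grep hit:", line[:60], "...")
```

Run stand-alone, it shows that the four IP addresses from USER_WHITELIST suppress none of the three events (128.95.120.1 only ever appears as a src_ip), while a single entry of washington.edu or insttech.washington.edu suppresses the DNS event, and an entry of 136.161.101.53 suppresses the sinkhole event because there the trail itself is that address. The sensor column (cssgate.insttech.washington.edu) also ends in washington.edu but is deliberately ignored by the matcher.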

srondeauuwt commented 8 years ago

1) My web browser's client instance is not crashing with this data. I believe that yours shouldn't either.

But it does crash, despite your belief.

It wasn't the data. Rather, I had copied my changes into maltrail.conf. It appears that the Users section was where the problem was -- I eliminated everything else. I had changed the password for admin. I also deleted " changeme!" (note leading space) after the final comment character in the same line as admin, and that is what causes this error:

TypeError: t is null Script: http://128.208.250.159:8338/js/papaparse.min.js?papaworker Line: 6

However, if you leave a space after that last "#", it works without error.

2) You can whitelist the trail of the problem

I'm not sure how to do this. I tried adding "washington.edu" to misc/whitelist.txt on both server and sensor, but nothing is changed on the output after a refresh, and the "excessive no such domain" events are still shown.

stamparm commented 8 years ago

Item 1) should be fixed now. Thank you for debugging

As for 2), if you whitelist something (e.g. washington.edu) it should not generate any more events. This doesn't mean that previous events will disappear.

srondeauuwt commented 8 years ago

As for 2), if you whitelist something (e.g. washington.edu) it should not generate any more events. This doesn't mean that previous events will disappear.

Yes, eventually the whitelisted domain did not generate any more events -- thank you!

I still don't know how to get USER_WHITELIST to work, however. But it isn't that important, so I will close this ticket.