Trying to figure out how to enrich the data being ingested (Network Data) Zeek/Suricata. I would like to either show Hostname vice IP, or more preferably add another field for hostname based off the IP address.
Have a file with IP -> Hostnames (CSV) currently could be anything other format if required. Unable to get IP to Hostname with DNS or Active Directory or any other connected means.
I know in Splunk you could do lookup tables, but unsure how to accomplish the same in the ELK stack to view the results in Kibana.
You could do this in logstash using a translate filter, which requires a two-column CSV file (or YML, or JSON). You could try
translate {
source => "[fieldWithIP]"
dictionary_path => "/path/to/mapping.csv"
target => "[fieldForHostname]"
}
this would add a new field called [fieldForHostname] if the value of [fieldWithIP] is found in column 1 of the mapping.csv
What the subject says. I have an user who logs in using SSH through a provider that gives him a dynamic IP from a pool; all of their IPs map to static.hostingprovider.name, but that name doesn't resolve back to the same IP address.
SSH detects this and spits out the message "POSSIBLE BREAK-IN ATTEMPT", which triggers the failregex. I want to add an exception so that, if the connection attempt comes from static.hostingprovider.name, it ignores the warning. If I just add static.hostingprovider.name to the ignoreregex list, will it simply work?
In your jail.local file add this line:
ignoreip = static.hostingprovider.name
I know this might be a dummy question or a question that comes from lack of knowledge, but I hope someone can still answer it. I did try to read a lot of Postfix documentation but found no answer to this. I don't even know if it's a Postfix specific or mail servers general question.
So I have a mail server, just a clean Postfix install that delivers email.
I've defined my users and connected with IMAP and SMTP using Thunderbird.
When I went to Thunderbird account settings and disabled "place a copy", Postfix did not put a copy of the sent message in the user .Sent folder.
However, I've also connected my Gmail, Hotmail or Yahoo mail and disabled the "place a copy" and still have a copy in the sent items folder.
So in this case there are 2 options:
Something is wrong with my Postfix configuration
Gmail, Hotmail, Yahoo put a copy in their sent folder as a different process on the server side
Just for the record, having searched around for a how to, and not finding one, I am posting it here:
The only (easy) way I've found to save sent emails is the sender_bcc solution (with it's attendant faults):
I am using postfix / dovecot / sieve / mysql virtual boxes
In /etc/postfix/main.cf add:
sender_bcc_maps = mysql:/etc/postfix/mysql-virtual-bcc-maps.cf
Create file /etc/postfix/mysql-virtual-bcc-maps.cf:
user = (database user)
password = (database password)
hosts = 127.0.0.1
dbname = (database databasename)
query = SELECT CONCAT_WS('',LEFT('%s', LOCATE('#', '%s')-1),'+sent#',SUBSTRING('%s', LOCATE('#', '%s')+1)) AS destination FROM virtual_users WHERE email='%s' AND autosent=1
You'll note in my query, I've added a (tinyint default 0) column to my virtual_users table so I can turn on/off this automatic sent items feature per user. This query takes the sender email address that postfix gives it, splits it in half at the # sign, and adds +sent to the address so it looks like sender+sent#domain.tld. This allows sieve in the next step to pick it up and drop it straight to sent items.
In /etc/dovecot/sieve/default.sieve add:
require ["fileinto", "mailbox", "envelope", "subaddress","imap4flags"];
if envelope :detail "to" "sent" {
addflag "\\Seen";
fileinto :create "Sent";
stop;
}
Also helpful to modify /etc/dovecot/conf.d/15-mailboxes.conf and add the auto subscribe to sent (and junk and trash and others for that matter):
mailbox Sent {
special_use = \Sent
auto = subscribe
}
I think that is all (I'm posting this the next day after doing it, so I think I got it all...)
Postfix itself does not place copies of sent messages anywhere; it receives messages and delivers them to the recipient. Saving sent messages to your own mailbox is the responsibility of your user agent (Thunderbird, in your case).
It's important to understand that Postfix (and other traditional Unix SMTP servers) don't have a "user" concept. Yes, if so configured it's possible to authenticate by supplying a username and a password, but Postfix doesn't use this identity information.
That said, it's not impossible to configure Postfix to do what you expected – sender_bcc_maps can be used to add a recipient to messages sent by you, and by adding yourself and using a filter in your mail client (or mail delivery agent like procmail) you can make sure that messages sent by you end up in the Sent folder.
I am running a Installation with automatic copies created by sender_bcc_maps. It's working fine. You have to check the sender, otherwise everyone can create sent mails in foreign sent folders.
I have solved it with two virtual domains. One for the user and one for the copy.
But there is a big problem with sender_bcc_maps. All bcc senders will be deleted in the sent copy. You cannot see anymore, who got a blind copy of this mail.
As 'ego2dot0' said above, you don't need any MDA filters (sieve etc.) to do this. It can be done using Postfix alone, although it took me a while to figure out how to do it.
You have to use sender_bcc_maps AND virtual_mailbox_maps features together.
You have to use a virtual domain dedicated specially for copies to self. If your actual domain is "your.domain.tld", you can use eg. subdomain "copyself.your.domain.tld". This subdomain does not have to actually exist, ie. be defined in the DNS (moreover, it's better that it isn't defined, so nobody accidentally sends mail to it from outside). It is a purely virtual domain that is recognized only by Postfix.
1) Configure sender_bcc_maps to BCC mail coming from user#your.domain.tld to user#copyself.your.domain.tld. You can do it for only a few selected users using a regular "hash" type map, or you can do it for all users at once using PCRE type map and regular expressions.
2) You have to define your virtual domain in virtual_mailbox_domains, like this:
virtual_mailbox_domains=copyself.your.domain.tld
3) Configure virtual_mailbox_maps so that the destination mailbox for address "user#copyself.your.domain.tld" is the actual "Sent" mailbox of the user "user". For example (assumed that you are using regular system users and Maildir format - like in my case) the path to "Sent" mailbox for user "user" will be "/home/user/Maildir/.Sent". So, you can define common part of the path as virtual_mailbox_base, eg.
virtual_mailbox_base=/home
and then in the virtual mailbox map enter the rest of the path like this:
user#copyself.your.domain.tld user/Maildir/.Sent/
(the trailing / is important to indicate the Maildir format).
Again, you can use PCRE type map to do this for all users.
4) To properly save mail to the mailbox, Postfix need to also know the proper UID and GID for the particular user, so you have to use virtual_uid_maps and virtual_gid_maps parameters as well. If you are using virtual users, it's probably enough to define "static" type maps specifying a single UID and GID of the system user that owns all the virtual mailboxes. However, if you are using system users like me, you need the proper actual UID and GID for any user. If you have only a few users, you can use a regular "hash" type map, with entries like these:
user#copyself.your.domain.tld 2001
or you can try to setup a pipeline with "pipemap" map type, that uses some PCRE maps and "unix:passwd.byname" map to obtain the UIDs and GIDs for all users (I haven't done this part, as my Postfix installation is compiled without "pipemap" type support).
So to sum everything up, use something like this:
In /etc/postfix/main.cf file, add the following lines:
sender_bcc_maps=hash:/etc/postfix/sender_bcc
virtual_mailbox_domains=copyself.your.domain.tld
virtual_mailbox_base=/home
virtual_mailbox_maps=hash:/etc/postfix/copyself
virtual_uid_maps=hash:/etc/postfix/copyself_uids
virtual_gid_maps=hash:/etc/postfix/copyself_gids
/etc/postfix/sender_bcc contains a bunch of lines like:
user#your.domain.tld user#copyself.your.domain.tld
/etc/postfix/copyself contains - respectively - lines like:
user#copyself.your.domain.tld user/Maildir/.Sent/
/etc/postfix/copyself_uids and /etc/postfix/copyself_gids contain - respectively - lines like:
user#copyself.your.domain.tld 2001
I have done this on my server and it works great for me.
We use RH5.8 with ipv6 disabled.
named(bind) service is in forward mode (cache enabled)
options {
directory "/var/named";
listen-on { 127.0.0.1; };
forwarders {10.10.12.1;};
forward only;
};
It appears that some commands (like telnet) always query AAAA record in the first place and when fallback to query A record the answer (No such name) already in named caching.
As a result, clients are always getting an error.
in the example below, 10.10.10.1 is a local ip:
127.0.0.1 -> 127.0.0.1 DNS Standard query AAAA testapp.test.com
10.10.10.1 -> 10.10.12.1 DNS Standard query AAAA testapp.test.com
10.10.10.1 -> 10.10.12.1 DNS Standard query AAAA testapp.test.com
10.10.12.1 -> 10.10.10.1 DNS Standard query response, No such name
127.0.0.1 -> 127.0.0.1 DNS Standard query response, No such name
127.0.0.1 -> 127.0.0.1 DNS Standard query A testapp.test.com
127.0.0.1 -> 127.0.0.1 DNS Standard query response, No such name
I searched over net and discovered that not only me encountered with such problem
http://www.linuxforums.org/forum/red-hat-fedora-linux/136217-disabling-ipv6-dns-queries.html
less /etc/modprobe.conf
alias net-pf-10 off
alias ipv6 off
options ipv6 disable=1
less /etc/sysconfig/network
NETWORKING_IPV6=no
less /etc/sysconfig/named
OPTIONS="-4"
named -v
BIND 9.3.6-P1-RedHat-9.3.6-20.P1.el5
but unfortunately did not find any solution so far...
As requested in the comments: some explanation on negative cacheing.
The difference between NXDOMAIN and NODATA is described in section 5 of RFC 2308:
A negative answer that resulted from a name error (NXDOMAIN) should
be cached such that it can be retrieved and returned in response to
another query for the same <QNAME, QCLASS> that resulted in the
cached negative response.
So an NXDOMAIN can be cached based on the QNAME (i.e. "blabla.example.com.") and the QCLASS (usually "IN"). So it means that blabla.example.com does not exist at all. The negative cache entry is independent of the QTYPE. A NODATA answer is different:
A negative answer that resulted from a no data error (NODATA) should
be cached such that it can be retrieved and returned in response to
another query for the same <QNAME, QTYPE, QCLASS> that resulted in
the cached negative response.
Here is QTYPE (i.e. "AAAA") is included. A NODATA negative cache entry only means that this specific record type does not exist for this name.
So: If you receive an NXDOMAIN response then you know that the name doesn't exist at all for any record type. If you receive a NODATA response then you know that the requested record type does not exist, but other record types may exist.
This also means that when sending responses you should never send an NXDOMAIN response if there may be a valid record of a different record type for the same name. The non-existence of the domain name will be cached and the cache will start telling its clients that the name doesn't exist at all.
i want to request for an opt resource record message to dns server bind 9.
but i don't know the format and the server configration.
http://www.ietf.org/rfc/rfc2671.txt this doc is the edns doc.
i create the message formatted following the doc,but it doesn't work. server tell me format error.
the req message:
Question Record:
QName:a6.debian.com
QType:0x41(OPT type)
QClass:0x01(Internet)
Additional Record:
Resource Name:0xc0,0x0c( pointer to QName)
Resource Type:0x41
ResourceClass:512(udp payload size)
TimeToLive:0x1EF0000(split to extent-code version and Z)
ResourceDataLength:0x08
Rdata:(OPTRdata):
OptCode:0x4000
OptLength:0x04
OptData:0x0A,0x0A,0x0A,0x0A
What's wrong???Could you help me?
There's no OPT type record. OPT is pseudo-record type. You can not query for it. You use OPT to pass some specific parameters to DNS server, like EDNS. Besides it can appear in "ADDITIONAL" section only