Farsight's Advanced Exchange Access, part 3 of 3

← Blog Home

By

Sratunnel

This is the third article in a three-part blog series intended to introduce and acquaint the user with Farsight’s AXA suite. This piece introduces sratunnel and will show useful examples of how to invoke the tool using common use cases. While it’s not mandatory that you’ve read the previous two articles, it’s really awfully helpful if you have. I’ll make it easy, first go here and then go here. See? Now you’re smart.

Finally, be it known this article is not an exhaustive treatise on sratunnel. For that, the reader is directed to the man page and the source code.

On last week’s episode…

Last week’s details kinda fuzzy? Let’s do a quick recap. In our last session, you learned about a handy gadget called sratool. This slick little doodad is handy for standing up, examining and debugging Security Internet Exchange ( SIE) Remote Access (SRA) sessions. But at the end of our last tutorial, you wondered aloud: “…this is cute but I need real-time bulk transfer of SIE data back to my network. Does this technology even exist in the modern world?”

Yes, yes it does.

The workhorse

sratunnel is the workhorse of the AXA family. It is used to transfer SIE data from the remote server to the local network. It is what Farsight uses for production deployment of SIE data to the customer. sratunnel can be thought of as a fast, efficient, and smart conduit for SIE data. Data goes in one end and sratunnel has a variety of nozzles the user can custom fit on the other
end to emit the data into different output formats, including:

  • NMSGs to a UDP port
  • NMSGs to a TCP port
  • NMSGs to a file
  • pcap to a file
  • pcap to a network interface
Tunnel Newly Observed Domains

We’ve already been over the fact that you made contact with Farsight sales and signed up to receive Farsight’s Newly Observed Domains (NOD) datafeed to watch newly active domains and ensure your users don’t visit any newly minted – often malicious – domains. That was last week. This time, instead of casually perusing young domains, you need to tunnel the data to your local network for bulk analysis.

NMSG Primer

To consume the data in this tutorial, you’ll need another Farsight implement called nmsgtool. It is a deeply useful all-purpose tool for working with NMSGs (network messages). NMSG is the format Farsight uses to type, structure and package arbirtary data for transit. Much of Farsight’s data is packaged and delivered as NMSG. A detailed discussion of the NMSG suite will be covered in future blog series. For now it’s just important to understand that you can work with NMSGs using nmsgtool. Onward!

This tutorial will show you, gallant Farsight datafeed customer, how to plumb the Newly Observed Domains (NOD) feed from SIE to your local network, in real time. Commands and their output are listed with discussion below.

    1    $ sratunnel -s 'ssh:sra-service@sra-eft.sie-remote.net' \
    2    > -c 211                                                \
    3    > -w ch=211                                             \
    4    > -o nmsg:udp:127.0.0.1,8430
  • Line 1: Invoke sratunnel. The -s option instructs the tool where and how to connect. The option string should look familiar, it’s the same one used with sratool with the same intent and results. Securely connect via SSH as sra-service to sra-eft.sie-remote.net.
  • Line 2: The -c option sets the channel you want to stream. We want NOD which is channel 211.
  • Line 3: The -w option sets the watch. You learned last week that a watch is how to inform the tool what to look for. In this case, everything on channel 211.
  • Line 4: Finally, we specify -o, which tells sratunnel where to put the data it streams. In the case above, we’ve snapped on a shiney new “NMSGs to localhost on port 8430” nozzle and that’s where we’ll find our output.

Well done! You’ve plumbed your first SRA session. Data is aflowin’. Let’s build a small corpus and have a look…

    5     $ nmsgtool -l 127.0.0.1/8430 \
    6     > -c 20000                   \
    7     > -o channel-211.txt
    8     $ head -8 channel-211.txt 
    9     [98] [2014-12-16 23:31:06.438992023] [2:5 SIE newdomain] [a1ba02cf] [] []
    10    domain: befrenshee.com.
    11    time_seen: 2014-12-16 23:28:19
    12    rrname: befrenshee.com.
    13    rrclass: IN (1)
    14    rrtype: NS (2)
    15    rdata: ns67.domaincontrol.com.
    16    rdata: ns68.domaincontrol.com.
    17    $ grep ^domain: channel-211.txt | awk '{print $2}' > NOD.txt
  • Line 5: We use nmsgtool to connect to the loopback address on port 8430.
  • Line 6: The -c option specifies a maximum count of payloads to capture.
  • Line 7: The -o option tells nmsgtool to write presentation output to a file.
  • Line 8: Let’s examine one entry…
  • Line 9: Each NMSG datagram contains a fixed-length header containing the message size, a UTC timestamp, the message type, a 32-bit source identifier and optional SIE operator and group codes (both empty in this case).
  • Line 10: The fresh young domain, hot off the press!
  • Line 11: How fresh? At the time of this writing, that timestamp of when the domain was observed was just over two minutes old.
  • Lines 12-16: The DNS meta-data associated with the domain.
  • Line 17: You’re free to manipulate the data however you see fit. As per the above, you can take the list of 20,000 young domains and feed the file into the young domain crunching automation of your choice… :)

Denouement

We learned how to invoke sratunnel and configure it to emit Farsight’s Newly Observed Domain traffic to a local NMSG listener. We then built up a small treasure trove of brand new domains and saw how to use standard Unix shell tools to manipulate the data.

This wraps our introductory series on AXA. In future blog series, we’ll build on this knowledge and explore the AXA C and Python APIs so you can learn to build your own SRA-aware tools. Until next time!

Special thanks to Joe St. Sauver from whose well-written article I cherry picked an example.

Mike Schiffman is a Senior Distributed Systems Engineer for Farsight Security, Inc.

← Blog Home

Protect against cybercriminal activity in real-time.

Request demo

Email: sales@farsightsecurity.com Phone: +1-650-489-7919