Farsight's Advanced Exchange Access, part 3 of 3

Sratunnel

This is the third article in a three-part blog series intended to introduce and acquaint the user with Farsight’s AXA suite. This piece introduces

sratunnel

and will show useful examples of how to invoke the tool using common use cases.

Finally, be it known this article is not an exhaustive treatise on

sratunnel

. For that, the reader is directed to the man page and the source code.

On last week’s episode…

Last week’s details kinda fuzzy? Let’s do a quick recap. In our last session, you learned about a handy gadget called

sratool

. This slick little doodad ishandy for standing up, examining and debugging Security Internet Exchange (SIE) Remote Access (SRA) sessions. But at the end of our last tutorial, you wondered aloud: “…this is cute but I need real-time bulk transfer of SIE databack to my network. Does this technology even exist in the modern world?”

Yes, yes it does.

The workhorse

sratunnel

is the workhorse of the AXA family. It is used to transfer SIE data from the remote server to the local network. It is what Farsight uses forproduction deployment of SIE data to the customer.

sratunnel

can be thought of as a fast, efficient, and smart conduit for SIE data. Data goes in one end and

sratunnel

has a variety of nozzles the user can custom fit on the other
end to emit the data into different output formats, including:

• NMSGs to a UDP port
• NMSGs to a TCP port
• NMSGs to a file
• pcap to a file
• pcap to a network interface

Tunnel Newly Observed Domains

We’ve already been over the fact that you made contact with Farsight sales and signed up to receive Farsight’s Newly Observed Domains (NOD) datafeed to watch newly active domains and ensure your users don’t visit any newly minted — often malicious — domains. That was lastweek. This time, instead of casually perusing young domains, you need to tunnelthe data to your local network for bulk analysis.

NMSG Primer

To consume the data in this tutorial, you’ll need another Farsight implementcalled

nmsgtool

. It is a deeply usefulall-purpose tool for working with NMSGs (network messages). NMSG is the formatFarsight uses to type, structure and package arbirtary data for transit. Muchof Farsight’s data is packaged and delivered as NMSG. A detailed discussion ofthe NMSG suite will be covered in future blog series. For now it’s justimportant to understand that you can work with NMSGs using

nmsgtool

. Onward!

This tutorial will show you, gallant Farsight datafeed customer, how to plumb the Newly Observed Domains (NOD) feed from SIE to your local network,in real time. Commands and their output are listed with discussion below.

1 $ sratunnel -s 'ssh:

• option instructs the tool where andhow to connect. The option string should look familiar, it’s the same oneused with

• Line 1: Invoke sratunnel. The

-s

sratool

• with the same intent and results. Securely connect viaSSH as

sra-service

• to

sra-eft.sie-remote.net

• .
• Line 2: The -c option sets the channel you want to stream. We want NODwhich is channel 211.
• Line 3: The -w option sets the watch. You learned last week that a watchis how to inform the tool what to look for. In this case, everything onchannel 211.
• Line 4: Finally, we specify -o, which tells

sratunnel

• where to put thedata it streams. In the case above, we’ve snapped on a shiney new “NMSGsto localhost on port 8430” nozzle and that’s where we’ll find our output.

Well done! You’ve plumbed your first SRA session. Data is aflowin’. Let’s builda small corpus and have a look…

5 $ nmsgtool -l 127.0.0.1/8430 \
6 > -c 20000 \
7 > -o channel-211.txt
8 $ head -8 channel-211.txt
9 [98] [2014-12-16 23:31:06.438992023] [2:5 SIE newdomain] [a1ba02cf] [] []
10 domain: befrenshee.com.
11 time_seen: 2014-12-16 23:28:19
12 rrname: befrenshee.com.
13 rrclass: IN (1)
14 rrtype: NS (2)
15 rdata: ns67.domaincontrol.com.
16 rdata: ns68.domaincontrol.com.
17 $ grep ^domain: channel-211.txt | awk '{print $2}' > NOD.txt


• Line 5: We use nmsgtool to connect to the loopback address on port

8430

• .
• Line 6: The -c option specifies a maximum count of payloads to capture.
• Line 7: The -o option tells

nmsgtool

• to write presentation output to afile.
• Line 8: Let’s examine one entry…
• Line 9: Each NMSG datagram contains a fixed-length header containing the message size, a UTC timestamp, the message type, a 32-bit source identifierand optional SIE operator and group codes (both empty in this case).
• Line 10: The fresh young domain, hot off the press!
• Line 11: How fresh? At the time of this writing, that timestamp of when thedomain was observed was just over two minutes old.
• Lines 12-16: The DNS meta-data associated with the domain.
• Line 17: You’re free to manipulate the data however you see fit. As per theabove, you can take the list of 20,000 young domains and feed the file intothe young domain crunching automation of your choice… :)

Denouement

We learned how to invoke

sratunnel

and configure it to emit Farsight’s NewlyObserved Domain traffic to a local NMSG listener. We then built up a smalltreasure trove of brand new domains and saw how to use standard Unix shelltools to manipulate the data.

This wraps our introductory series on AXA. In future blog series, we’ll buildon this knowledge and explore the AXA C and Python APIs so you can learn tobuild your own SRA-aware tools. Until next time!

Special thanks to Joe St. Sauver from whose well-written article I cherry picked an example.

Mike Schiffman is a Senior Distributed Systems Engineer for Farsight Security,Inc.