
Farsight's Advanced Exchange Access, part 3 of 3

Sratunnel

This is the third article in a three-part blog series intended to introduce and acquaint the user with Farsight’s AXA suite. This piece introduces sratunnel and will show useful examples of how to invoke the tool using common use cases.

Finally, be it known this article is not an exhaustive treatise on sratunnel. For that, the reader is directed to the man page and the source code.

On last week’s episode…

Last week’s details kinda fuzzy? Let’s do a quick recap. In our last session, you learned about a handy gadget called sratool. This slick little doodad is handy for standing up, examining and debugging Security Internet Exchange (SIE) Remote Access (SRA) sessions. But at the end of our last tutorial, you wondered aloud: “…this is cute but I need real-time bulk transfer of SIE data back to my network. Does this technology even exist in the modern world?”

Yes, yes it does.

The workhorse

sratunnel is the workhorse of the AXA family. It is used to transfer SIE data from the remote server to the local network. It is what Farsight uses for production deployment of SIE data to the customer. sratunnel can be thought of as a fast, efficient, and smart conduit for SIE data. Data goes in one end and sratunnel has a variety of nozzles the user can custom fit on the other end to emit the data into different output formats, including:

  • NMSGs to a UDP port
  • NMSGs to a TCP port
  • NMSGs to a file
  • pcap to a file
  • pcap to a network interface

Tunnel Newly Observed Domains

We’ve already been over the fact that you made contact with Farsight sales and signed up to receive Farsight’s Newly Observed Domains (NOD) datafeed to watch newly active domains and ensure your users don’t visit any newly minted — often malicious — domains. That was last week. This time, instead of casually perusing young domains, you need to tunnel the data to your local network for bulk analysis.

NMSG Primer

To consume the data in this tutorial, you’ll need another Farsight implement called nmsgtool. It is a deeply useful all-purpose tool for working with NMSGs (network messages). NMSG is the format Farsight uses to type, structure and package arbitrary data for transit. Much of Farsight’s data is packaged and delivered as NMSG. A detailed discussion of the NMSG suite will be covered in a future blog series. For now it’s just important to understand that you can work with NMSGs using nmsgtool. Onward!

This tutorial will show you, gallant Farsight datafeed customer, how to plumb the Newly Observed Domains (NOD) feed from SIE to your local network, in real time. Commands and their output are listed with discussion below.

    1    $ sratunnel -s 'ssh:sra-service@sra-eft.sie-remote.net' \
    2    > -c 211                                                \
    3    > -w ch=211                                             \
    4    > -o nmsg:udp:127.0.0.1,8430
  • Line 1: Invoke sratunnel. The -s option instructs the tool where and how to connect. The option string should look familiar: it’s the same one used with sratool, with the same intent and results. Securely connect via SSH as sra-service to sra-eft.sie-remote.net.
  • Line 2: The -c option sets the channel you want to stream. We want NOD which is channel 211.
  • Line 3: The -w option sets the watch. You learned last week that a watch is how to inform the tool what to look for. In this case, everything on channel 211.
  • Line 4: Finally, we specify -o, which tells sratunnel where to put the data it streams. In the case above, we’ve snapped on a shiny new “NMSGs to localhost on port 8430” nozzle, and that’s where we’ll find our output.

Well done! You’ve plumbed your first SRA session. Data is aflowin’. Let’s build a small corpus and have a look…

    5     $ nmsgtool -l 127.0.0.1/8430 \
    6     > -c 20000                   \
    7     > -o channel-211.txt
    8     $ head -8 channel-211.txt 
    9     [98] [2014-12-16 23:31:06.438992023] [2:5 SIE newdomain] [a1ba02cf] [] []
    10    domain: befrenshee.com.
    11    time_seen: 2014-12-16 23:28:19
    12    rrname: befrenshee.com.
    13    rrclass: IN (1)
    14    rrtype: NS (2)
    15    rdata: ns67.domaincontrol.com.
    16    rdata: ns68.domaincontrol.com.
    17    $ grep ^domain: channel-211.txt | awk '{print $2}' > NOD.txt
  • Line 5: We use nmsgtool to connect to the loopback address on port 8430.
  • Line 6: The -c option specifies a maximum count of payloads to capture.
  • Line 7: The -o option tells nmsgtool to write presentation output to a file.
  • Line 8: Let’s examine one entry…
  • Line 9: Each NMSG datagram contains a fixed-length header containing the message size, a UTC timestamp, the message type, a 32-bit source identifier and optional SIE operator and group codes (both empty in this case).
  • Line 10: The fresh young domain, hot off the press!
  • Line 11: How fresh? At the time of this writing, that timestamp of when the domain was observed was just over two minutes old.
  • Lines 12-16: The DNS meta-data associated with the domain.
  • Line 17: You’re free to manipulate the data however you see fit. As per the above, you can take the list of 20,000 young domains and feed the file into the young domain crunching automation of your choice… :)
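As an added example (not Farsight’s code and not part of the original post), here is a small Python parser for the nmsgtool presentation output shown above. It turns each payload into a record with its header fields, computes the observation lag discussed under Line 11 (header timestamp minus time_seen), and reproduces the grep/awk domain list from Line 17. The sample input is the channel-211 record from the listing plus one constructed payload.

```python
import re
from datetime import datetime

# Constructed sample: first payload is the channel-211 record above; second is made up.
SAMPLE = """\
[98] [2014-12-16 23:31:06.438992023] [2:5 SIE newdomain] [a1ba02cf] [] []
domain: befrenshee.com.
time_seen: 2014-12-16 23:28:19
rrname: befrenshee.com.
rrclass: IN (1)
rrtype: NS (2)
rdata: ns67.domaincontrol.com.
rdata: ns68.domaincontrol.com.

[99] [2014-12-16 23:31:07.000000000] [2:5 SIE newdomain] [a1ba02cf] [] []
domain: example-constructed.test.
time_seen: 2014-12-16 23:30:07
rdata: ns1.example-constructed.test.
"""

# Header: [length] [UTC timestamp] [vid:mtype vendor msgtype] [source] [operator] [group]
HEADER_RE = re.compile(
    r"^\[(?P<len>\d+)\] \[(?P<ts>[^\]]+)\] \[(?P<type>[^\]]+)\] "
    r"\[(?P<source>[^\]]*)\] \[(?P<operator>[^\]]*)\] \[(?P<group>[^\]]*)\]$")

def parse_nmsg_presentation(text):
    """One dict per payload: parsed header plus 'key: value' fields; repeated keys become lists."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            current = {"header": m.groupdict(), "fields": {}}
            records.append(current)
        elif current is not None and ": " in line:
            key, value = line.strip().split(": ", 1)
            current["fields"].setdefault(key, []).append(value)
    return records

def observation_lag_seconds(rec):
    """Seconds from time_seen to the NMSG header timestamp (the 'how fresh' check)."""
    base, frac = rec["header"]["ts"].split(".")  # header has ns; strptime takes <= 6 digits
    hdr = datetime.strptime(f"{base}.{frac[:6]}", "%Y-%m-%d %H:%M:%S.%f")
    seen = datetime.strptime(rec["fields"]["time_seen"][0], "%Y-%m-%d %H:%M:%S")
    return (hdr - seen).total_seconds()

def unique_domains(records):
    """Same result as `grep ^domain: | awk '{print $2}'`, deduplicated with order kept."""
    return list(dict.fromkeys(d for r in records for d in r["fields"].get("domain", [])))
```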

Denouement

We learned how to invoke sratunnel and configure it to emit Farsight’s Newly Observed Domain traffic to a local NMSG listener. We then built up a small treasure trove of brand new domains and saw how to use standard Unix shell tools to manipulate the data.

This wraps our introductory series on AXA. In future blog series, we’ll build on this knowledge and explore the AXA C and Python APIs so you can learn to build your own SRA-aware tools. Until next time!

Special thanks to Joe St. Sauver, from whose well-written article I cherry-picked an example.

Mike Schiffman is a Senior Distributed Systems Engineer for Farsight Security, Inc.