Interesting way to get domain associated with Amazon IP

While looking for timeouts in Splunk for an unrelated reason…

I noticed the Amazon IPs above. We normally don’t know the service they represent. I connected to the IP in my browser on port 443, and noticed that of course the certificate fails, but exposes the domain name…

Since I wanted to automate this, I found you can get the same information programmatically with the following Python snippet. Everything except splunklib is part of the stock Python install; splunklib is the Splunk SDK for Python and is easy to obtain in any case.

There may be a splunk plugin for this, as well, but my guess is not.

from __future__ import print_function   # same script runs under Python 2 and 3
import socket
import ssl
import sys

import splunklib.client as client
import splunklib.results as results

service = client.connect(host="mysplunk.com", port="8089",
                         username="ad_username", password="************")

# Pull the destination IP out of ASA "SYN Timeout" lines for the 52.0.0.0/8 block:
#   "... outside:52.72.186.111/443 ..."  ->  tmp4 = 52.72.186.111
job = """
search sourcetype=cisco:asa \"SYN Timeout\" \"outside:52.\"
              | eval tmp=split(_raw,\"outside:\")
              | eval tmp2=mvindex(tmp,1)
              | eval tmp3=split(tmp2,\"/\")
              | eval tmp4=mvindex(tmp3,0)
              | dedup tmp4
"""

rr = results.ResultsReader(service.jobs.oneshot(job, **{"earliest_time": "2017-05-20T00:00:00.000-05:00",
                                                        "latest_time": "2017-05-27T00:00:00.000-05:00",
                                                        "count": 0}))
for result in rr:
    if not isinstance(result, dict):        # ResultsReader also yields Message objects; skip them
        continue
    hostname = result['tmp4']
    # Verification is deliberately left on: the handshake fails with a name-mismatch
    # error, and that error message is what exposes the names in the certificate.
    # (Python 3.7 and later let OpenSSL do this check, and its message no longer
    # lists the names; there, read the SAN from the certificate itself instead.)
    ctx = ssl.create_default_context()
    s = ctx.wrap_socket(socket.socket(), server_hostname=hostname)
    s.settimeout(5)
    try:
        s.connect((hostname, 443))
    except ssl.CertificateError as e:       # hostname mismatch: message lists the cert's names
        print(hostname, e)
    except (socket.error, ssl.SSLError) as e:   # refused, timed out, not TLS, etc.
        print(hostname, e)
    finally:
        s.close()

This results in the following…

c:\>python.exe getcert.py
52.72.186.111 hostname '52.72.186.111' doesn't match either of '*.adobecqms.net', 'adobecqms.net'
52.203.237.77 hostname '52.203.237.77' doesn't match either of 'apiv2.shoprunner.com', 'www.apiv2.shoprunner.com'
52.206.185.128 hostname '52.206.185.128' doesn't match either of '*.cylance.com', 'cylance.com'
52.207.41.45 hostname '52.207.41.45' doesn't match either of '*.sd-ngp.net', 'sd-ngp.net'
52.6.51.155 hostname '52.6.51.155' doesn't match either of '*.adobecqms.net', 'adobecqms.net'
52.201.105.81 hostname '52.201.105.81' doesn't match either of '*.express.com', 'express.com'
52.44.140.162 hostname '52.44.140.162' doesn't match '*.awana.org'
52.203.43.217 [Errno 10061] No connection could be made because the target machine actively refused it
52.45.138.103 hostname '52.45.138.103' doesn't match '*.test.ultradns.net'

c:\>

Of course, this only works when the host answers TLS on port 443, but since most services do, it should work most of the time. One more thing to keep in mind: connecting to a bare IP sends no SNI, so a shared front end (a CDN edge or load balancer hosting many tenants) hands back whatever its default certificate is, which may not name the service you were looking for.

Another caveat is that if the IP is not a fixed Elastic IP address, the domain associated with it very well could have changed. The sooner you run what is above after the IP address has been identified, the more likely it is to be discernible.
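The same lookup without depending on the wording of Python's error message, as an added example that is not part of the original post: it completes the handshake with verification switched off, takes the certificate the IP presents in DER form, and reads the subjectAltName extension directly, so it gives the same answer on Python 3.7 and later, where OpenSSL performs the hostname check and the mismatch error no longer lists the names. The function and constant names (`san_names`, `fetch_cert_der`, `SAN_OID`) are mine, and `sample_cert_der` builds a constructed skeleton certificate (empty issuer, subject and key, junk signature) purely so the parser can be exercised offline.

```python
# Added example, not the post's script: pull the names straight out of the
# certificate the IP presents, instead of parsing Python's mismatch message
# (which on Python 3.7+ no longer lists the names, since OpenSSL does the check).
import socket
import ssl
import sys

SAN_OID = bytes.fromhex("551d11")      # DER body of id-ce-subjectAltName, 2.5.29.17


def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = count of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Yield (tag, value) for each TLV packed inside a constructed DER value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value


def san_names(cert_der):
    """Return the dNSName and iPAddress entries of a DER-encoded X.509 certificate."""
    _, cert_body, _ = _read_tlv(cert_der, 0)            # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert_body, 0)                 # tbsCertificate ::= SEQUENCE
    names = []
    for tag, value in _children(tbs):
        if tag != 0xA3:                                 # extensions live in [3] EXPLICIT
            continue
        _, ext_list, _ = _read_tlv(value, 0)            # SEQUENCE OF Extension
        for _, ext in _children(ext_list):
            fields = list(_children(ext))               # OID, optional critical BOOLEAN, OCTET STRING
            if fields[0][1] != SAN_OID:
                continue
            _, general_names, _ = _read_tlv(fields[-1][1], 0)   # OCTET STRING wraps GeneralNames SEQUENCE
            for gn_tag, gn_value in _children(general_names):
                if gn_tag == 0x82:                      # [2] dNSName, IA5String
                    names.append(gn_value.decode("ascii"))
                elif gn_tag == 0x87 and len(gn_value) in (4, 16):   # [7] iPAddress, raw octets
                    family = socket.AF_INET if len(gn_value) == 4 else socket.AF_INET6
                    names.append(socket.inet_ntop(family, gn_value))
    return names


def fetch_cert_der(ip, port=443, timeout=5.0):
    """Handshake with the bare IP and return the leaf certificate as DER bytes.
    Verification is off on purpose: the name mismatch is the point, not a failure.
    CPython sends no SNI for an IP literal, so this is the server's default cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=ip) as tls:
            return tls.getpeercert(binary_form=True)


def _der(tag, content):
    """Tiny DER encoder (definite length) used only to build the sample certificate."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    n = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(n)]) + n + content


def sample_cert_der():
    """Constructed skeleton certificate for offline testing: empty issuer/subject/key
    and a junk signature, but a well-formed SAN copying the post's first hit."""
    san = _der(0x30, _der(0x82, b"*.adobecqms.net") + _der(0x82, b"adobecqms.net")
                     + _der(0x87, bytes([192, 0, 2, 1])))         # made-up iPAddress entry
    ext = _der(0x30, _der(0x06, SAN_OID) + _der(0x04, san))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))                # [0] version v3
                     + _der(0x02, b"\x01")                          # serialNumber
                     + _der(0x30, b"") * 5                          # signature, issuer, validity, subject, spki
                     + _der(0xA3, _der(0x30, ext)))                 # [3] extensions
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


if __name__ == "__main__":
    # usage: python san_from_ip.py 52.72.186.111 52.203.237.77 ...
    for target in sys.argv[1:]:
        try:
            print(target, san_names(fetch_cert_der(target)))
        except (OSError, IndexError, UnicodeDecodeError) as exc:   # refused, timeout, or odd DER
            print(target, exc)
```

Feeding this the `tmp4` values from the Splunk search in place of the error-message approach gives a list of names per IP rather than one line of exception text, and a refused or non-TLS port shows up as an `OSError` instead of a `CertificateError`. The parser only walks the structure it needs (tbsCertificate, the [3] extensions, the SAN OCTET STRING) and never checks the signature, which is fine here because nothing is being trusted, only read.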
