<h1>Interesting way to get domain associated with Amazon IP</h1>
<p>Published 2017-06-07 (modified 2017-06-08). Original post: http://appcrawler.com/wordpress/2017/06/07/interesting-way-to-get-domain-associated-with-amazon-ip/</p>
<p>While looking for timeouts in Splunk for an unrelated reason…</p>
<p><img alt='' class='alignnone size-full wp-image-6320 ' src='http://appcrawler.com/wordpress/wp-content/uploads/2017/06/img_5938154bae3cb.png' /></p>
<p>I noticed the Amazon IPs above. We normally don’t know the service they represent. I connected to the IP in my browser on port 443, and noticed that of course the certificate fails, but it exposes the domain name…</p>
<p><img alt='' class='alignnone size-full wp-image-6317 ' src='http://appcrawler.com/wordpress/wp-content/uploads/2017/06/img_59381498af087.png' /></p>
<p>Since I wanted to automate this, I found you can programmatically get this with the following Python snippet. The libraries other than splunklib are part of the stock install, and are easily obtainable in any case.</p>
<p>There may be a Splunk plugin for this as well, but my guess is not.</p>
<pre>
from __future__ import print_function   # print() works on both Python 2 and 3
import splunklib.client as client
import splunklib.results as results
import sys, socket, ssl

# Splunk REST API on the management port; substitute your own host and credentials.
service = client.connect(host="mysplunk.com", port="8089", username="ad_username", password="************")

# Pull the destination IP out of each ASA "SYN Timeout" log line for the 52.x
# range (text after "outside:" and before the "/port" suffix), one row per IP.
job = """
search sourcetype=cisco:asa \"SYN Timeout\" \"outside:52.\"
              | eval tmp=split(_raw,\"outside:\")
              | eval tmp2=mvindex(tmp,1)
              | eval tmp3=split(tmp2,\"/\")
              | eval tmp4=mvindex(tmp3,0)
              | dedup tmp4
"""

rr = results.ResultsReader(service.jobs.oneshot(job, **{"earliest_time": "2017-05-20T00:00:00.000-05:00",
                                                        "latest_time": "2017-05-27T00:00:00.000-05:00",
                                                        "count": 0}))
for result in rr:
  try:
    hostname = result['tmp4']
    # Validate the certificate against the bare IP: the expected hostname
    # mismatch error names the domains the certificate actually covers.
    ctx = ssl.create_default_context()
    s = ctx.wrap_socket(socket.socket(), server_hostname=hostname)
    s.settimeout(10)   # don't hang forever on hosts that silently drop SYNs
    try:
      s.connect((hostname, 443))
    except Exception:
      print(hostname, sys.exc_info()[1])
    finally:
      s.close()
  except Exception:
    print(sys.exc_info()[1])
</pre>
<p>This results in the following…</p>
<pre>
c:\>python.exe getcert.py
52.72.186.111 hostname '52.72.186.111' doesn't match either of '*.adobecqms.net', 'adobecqms.net'
52.203.237.77 hostname '52.203.237.77' doesn't match either of 'apiv2.shoprunner.com', 'www.apiv2.shoprunner.com'
52.206.185.128 hostname '52.206.185.128' doesn't match either of '*.cylance.com', 'cylance.com'
52.207.41.45 hostname '52.207.41.45' doesn't match either of '*.sd-ngp.net', 'sd-ngp.net'
52.6.51.155 hostname '52.6.51.155' doesn't match either of '*.adobecqms.net', 'adobecqms.net'
52.201.105.81 hostname '52.201.105.81' doesn't match either of '*.express.com', 'express.com'
52.44.140.162 hostname '52.44.140.162' doesn't match '*.awana.org'
52.203.43.217 [Errno 10061] No connection could be made because the target machine actively refused it
52.45.138.103 hostname '52.45.138.103' doesn't match '*.test.ultradns.net'

c:\>
</pre>
<p>Of course, this only works when the service speaks SSL on port 443, but since most services are on SSL, it should work most of the time.</p>
<p>Another caveat is that if the IP is not a fixed Elastic IP address, the domain associated with it very well could have changed. The sooner you run the script above after the IP address has been identified, the more likely the domain is still discernible.</p>