Specify domains in `/etc/elastiflow/app/ipport.yml`

Hi everyone. I am wondering if instead of specifying IPs and Ports in the above file, whether it is possible to specify domains. It would make it easier to add rules for applications.

Thanks

For example, Whatsapp uses multiple domains:

    whatsapp.net
    whatsapp.com
    wa.me
    wl.co
    whatsapp-plus.info
    whatsapp-plus.me
    whatsapp-plus.net
    whatsapp.cc
    whatsapp.info
    whatsapp.org
    whatsapp.tv
    whatsappbrand.com

Getting the IP for each of these domains would take a while.

If you have DNS enrichment, the ‘whatsapp’ hosts should resolve and you can filter on that.

The app id lookup is if there is ‘option data’ in the flow record that we can reference. "NetObserv Flow will cache application attributes learned from option data."

Let me know if this is helpful or if I have misunderstood the question.

Regards,
Dexter


Doesn’t Name Resolution just enrich the `flow.*.host.name` fields with a resolved RDNS lookup, rather than just an IP?

I think he’s asking about getting the `app.*` fields populated with values from an ipport.yml entry with a DNS name, rather than an IP address, specified.
That is, he’s looking for an ipport.yml entry like:

    whatsapp.com,whatsapp.net,whatsapp.org:
      443:
        name: whatsapp
        category: instant-messaging
        subcategory: consumer-multimedia-messaging
        metadata:
          app.group.name: other

to work,
rather than just an entry like,

    31.13.67.52:
      443:
        name: whatsapp
        category: instant-messaging
        subcategory: consumer-multimedia-messaging
        metadata:
          app.group.name: other

All of the example entries for ipport.yml in the docs just show mappings of IP and Port, not DNS names:
Applications | ElastiFlow

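Since the documented ipport.yml format keys on IP and port, one practical workaround is to keep a domain-keyed file in the shape proposed above and generate the IP-keyed entries from it. The script below is an added example, not ElastiFlow code and not from any poster in this thread. It assumes the entry layout shown above (comma-separated domains, then port, then the app attributes), uses a constructed lookup table in place of real DNS so it runs offline (the addresses other than the 31.13.67.52 quoted above are documentation-range placeholders), and flags the case a practitioner needs to watch for: two domains with different app labels resolving to the same IP and port, as happens behind shared CDNs, where an IP-keyed file cannot tell them apart.

```python
"""Expand domain-keyed application rules into the IP:port layout of ipport.yml.

Added example (not part of ElastiFlow). Resolution is injected as a callable so
the sample runs offline against a constructed table; `lookup_live` shows the
equivalent using the standard library for a real run.
"""
import socket
from typing import Callable, Dict, List, Tuple

# Constructed sample rules, in the domain-keyed layout proposed in the thread.
# The second rule deliberately shares an address with the first to show the
# many-to-one problem of mapping domains onto IPs.
DOMAIN_RULES = {
    "whatsapp.com,whatsapp.net,whatsapp.org": {
        443: {
            "name": "whatsapp",
            "category": "instant-messaging",
            "subcategory": "consumer-multimedia-messaging",
            "metadata": {"app.group.name": "other"},
        }
    },
    "cdn.example.net": {
        443: {"name": "example-cdn", "category": "content-delivery"}
    },
}

# Constructed resolver table: 31.13.67.52 is the address quoted in the thread,
# the 203.0.113.0/24 addresses are documentation-range placeholders.
FAKE_DNS = {
    "whatsapp.com": ["31.13.67.52", "203.0.113.10"],
    "whatsapp.net": ["203.0.113.10", "203.0.113.11"],
    "whatsapp.org": [],               # no A record: must produce no entry
    "cdn.example.net": ["203.0.113.11"],
}


def lookup_fake(domain: str) -> List[str]:
    """Offline stand-in for DNS resolution."""
    return FAKE_DNS.get(domain, [])


def lookup_live(domain: str) -> List[str]:
    """Real IPv4 resolution via the standard library (not used by the tests)."""
    try:
        infos = socket.getaddrinfo(domain, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


Conflict = Tuple[str, int, str, str]   # (ip, port, kept name, dropped name)


def expand(rules: Dict[str, Dict[int, dict]],
           resolve: Callable[[str], List[str]]) -> Tuple[Dict[str, Dict[int, dict]], List[Conflict]]:
    """Resolve every domain in each rule key and key the attributes by IP.

    First-seen attributes win on a collision; the collision is reported rather
    than silently overwritten so the operator can decide what the IP means.
    """
    expanded: Dict[str, Dict[int, dict]] = {}
    conflicts: List[Conflict] = []
    for key, ports in rules.items():
        domains = [d.strip() for d in key.split(",") if d.strip()]
        for domain in domains:
            for ip in resolve(domain):
                entry = expanded.setdefault(ip, {})
                for port, attrs in ports.items():
                    existing = entry.get(port)
                    if existing is None:
                        entry[port] = attrs
                    elif existing != attrs:
                        conflicts.append((ip, port, existing["name"], attrs["name"]))
    return expanded, conflicts


def to_yaml(expanded: Dict[str, Dict[int, dict]]) -> str:
    """Emit the IP-keyed structure in the indentation ipport.yml uses.

    Hand-written for this two-level shape so no YAML library is required.
    """
    def octets(ip: str):
        return tuple(int(o) for o in ip.split("."))

    lines = []
    for ip in sorted(expanded, key=octets):
        lines.append(f"{ip}:")
        for port in sorted(expanded[ip]):
            lines.append(f"  {port}:")
            for k, v in expanded[ip][port].items():
                if isinstance(v, dict):
                    lines.append(f"    {k}:")
                    lines.extend(f"      {mk}: {mv}" for mk, mv in v.items())
                else:
                    lines.append(f"    {k}: {v}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    table, clashes = expand(DOMAIN_RULES, lookup_fake)
    print(to_yaml(table))
    for ip, port, kept, dropped in clashes:
        print(f"# conflict: {ip}:{port} labelled {kept}, also claimed by {dropped}")
```

Two caveats follow from how the script works. The generated file is a point-in-time snapshot: the addresses behind a consumer service change, so it has to be regenerated on a schedule, and the flow records seen in between may carry addresses that were never resolved. And any reported conflict means the IP:port pair is not a reliable application identifier at all, which is the underlying reason the DNS-enrichment approach mentioned earlier in the thread (labelling the resolved host name on each flow) is the more robust option where it is available.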
