Namespace event caching
The Adaptive Security endpoint agent maintains a DNS lookup cache that records the result of every successful DNS name resolution attempt made on the endpoint. This cache can be referenced in rules by using the dnsmatch function, which checks for the existence of a mapping between a particular IP address and a domain name in the DNS lookup cache. If the mapping is present, the function returns TRUE.
The following alert rule matches when a process attempts to establish a connection to an IP address that maps to the name "www.nuix.com".
alert when network.action == NETFLOW_ESTABLISHED and
dnsmatch(network.remote.ipaddr, "www.nuix.com");
Fully qualified DNS names can be used with the dnsmatch function, as in the previous example; no trailing dot is necessary when specifying a fully qualified DNS name. Subdomains can also be used with the dnsmatch function: the name must begin with a dot (a dot to the left of the name), and it then matches any host whose name ends with that domain. For example, the following rule would match a connection to any host within the ".nuix.com" domain.
alert when network.action == NETFLOW_ESTABLISHED and
dnsmatch(network.remote.ipaddr, ".nuix.com");
The following rule would match any connection attempt to any IP address that maps to a name under the ".com" domain.
alert when network.action == NETFLOW_ESTABLISHED and
dnsmatch(network.remote.ipaddr, ".com");
The dnsmatch function can also be used to match against a list of DNS names as shown in the following example.
string dnsnames[]=
{
".dropbox.com",
".ru",
"perugemstones.com"
};
alert when network.action == NETFLOW_ESTABLISHED and
dnsmatch(network.remote.ipaddr, dnsnames);
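The following Python model, added here as an illustration and not part of the Adaptive Security agent or its rule language, reproduces the matching behaviour described above (exact fully qualified name, leading-dot domain suffix, and a list of names) over a constructed DNS lookup cache and a handful of constructed NETFLOW_ESTABLISHED events. The cache contents, IP addresses (from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24), rule names and the "OTHER_ACTION" event label are all constructed; case-insensitive comparison, tolerance of a trailing dot on either side, and the choice that ".nuix.com" does not match the apex name "nuix.com" itself are assumptions made for this model.

```python
"""Model of dnsmatch-style evaluation over a DNS lookup cache (illustrative, not the agent's code)."""
from collections import defaultdict


class DnsLookupCache:
    """Records successful resolutions as ip -> set of names, as the text describes."""

    def __init__(self):
        self._by_ip = defaultdict(set)

    def record(self, name, ip):
        # Assumption: names are normalised to lower case with any trailing dot removed,
        # so "www.nuix.com." and "WWW.nuix.com" are the same cached name.
        self._by_ip[ip].add(name.lower().rstrip("."))

    def names_for(self, ip):
        # An IP that was never resolved has no names, so no rule can match it.
        return self._by_ip.get(ip, set())


def name_matches(cached_name, pattern):
    """Exact match for a fully qualified name, suffix match for a leading-dot pattern."""
    p = pattern.lower().rstrip(".")  # assumption: a trailing dot on the pattern is ignored
    if p.startswith("."):
        # Leading dot: any host under that domain. Assumption: the apex name
        # ("nuix.com" for ".nuix.com") is not itself considered "within" the domain.
        return cached_name.endswith(p)
    return cached_name == p


def dnsmatch(cache, ip, patterns):
    """TRUE when any cached name for ip matches any of the given patterns."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(name_matches(n, p) for n in cache.names_for(ip) for p in patterns)


# Rules mirroring the examples in the text (rule names are constructed labels).
RULES = {
    "nuix-www": "www.nuix.com",
    "nuix-any": ".nuix.com",
    "dotcom": ".com",
    "watchlist": [".dropbox.com", ".ru", "perugemstones.com"],
}


def evaluate(cache, events, rules=RULES):
    """Return (rule name, remote ip) for every established flow a rule matches."""
    alerts = []
    for ev in events:
        if ev["action"] != "NETFLOW_ESTABLISHED":
            continue
        for rule_name, pattern in rules.items():
            if dnsmatch(cache, ev["remote_ip"], pattern):
                alerts.append((rule_name, ev["remote_ip"]))
    return alerts


def build_sample_cache():
    """Constructed cache contents standing in for what the agent would have recorded."""
    cache = DnsLookupCache()
    for name, ip in [
        ("www.nuix.com.", "203.0.113.10"),       # trailing dot, normalised away
        ("cdn.nuix.com", "203.0.113.11"),
        ("example.org", "198.51.100.5"),
        ("client.dropbox.com", "192.0.2.20"),
        ("mail.example.ru", "192.0.2.30"),
        ("perugemstones.com", "192.0.2.40"),
    ]:
        cache.record(name, ip)
    return cache


# Constructed endpoint events; 192.0.2.99 was never resolved by name on this host.
SAMPLE_EVENTS = [
    {"action": "NETFLOW_ESTABLISHED", "remote_ip": "203.0.113.10"},
    {"action": "NETFLOW_ESTABLISHED", "remote_ip": "203.0.113.11"},
    {"action": "NETFLOW_ESTABLISHED", "remote_ip": "198.51.100.5"},
    {"action": "NETFLOW_ESTABLISHED", "remote_ip": "192.0.2.20"},
    {"action": "NETFLOW_ESTABLISHED", "remote_ip": "192.0.2.30"},
    {"action": "NETFLOW_ESTABLISHED", "remote_ip": "192.0.2.40"},
    {"action": "NETFLOW_ESTABLISHED", "remote_ip": "192.0.2.99"},
    {"action": "OTHER_ACTION", "remote_ip": "203.0.113.10"},  # not an established flow
]

if __name__ == "__main__":
    for alert in evaluate(build_sample_cache(), SAMPLE_EVENTS):
        print(alert)
```

Two points the run makes visible: the apex-only ".com" rule fires on the dropbox and perugemstones flows as well as the nuix ones, so very short suffixes are noisy; and the flow to 192.0.2.99 produces no alert under any rule, because the cache holds only successful resolutions and a connection made directly to an IP address never creates a mapping to check.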