DNS Lookup Macros
[posted 2002/01/22]
Moving on to another security-related matter, we recently upgraded our ssh/sshd everywhere, and now PIKT is reporting a richer variety of authlog entries like
Jan 17 15:23:16 moscow sshd[4639]: [ID 800047 auth.info] Did not receive identification string from 216.232.8.2
and
Jan 16 08:47:05 moscow sshd[16341]: [ID 800047 auth.info] Failed password for root from 111.222.123.100 port 1393
(Some log entries we were seeing before; we're just now seeing more varieties of them.)
It's often the case that when investigating some of these log messages, we do a manual nslookup of the IP address. Better: Let PIKT do it!
We have implemented a couple of new DNS lookup macros:
addr2host(A) $trim($command("=nslookup (A) 2>/dev/null | =grep '^Name:' | =cut -d: -f2"))
host2addr(H) $trim($command("=nslookup (H) 2>/dev/null | =grep '^Address:' | =tail +2 | =cut -d: -f2"))
A sample use of =addr2host() is in AuthLogScanCritical:
AuthLogScanCritical
        ...
        rule
                if $inlin =~ "(.+)[[:space:]]([[:digit:]]{1,3}\\.[[:digit:]]{1,3}\\.[[:digit:]]{1,3}\\.[[:digit:]]{1,3})(.*)"
                        set $il = "$1 $2 [" . =addr2host($2) . "]" . $3
                else
                        set $il = $inlin
                endif
        ...
In the rule above, we look for an IP address anywhere within the log entry. If found, we insert the corresponding hostname, enclosed within brackets, just after the address, and set $il to the revised input line. Thereafter in the script, we refer to $il (and not the original, hostname-less input line, $inlin).
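To show the same enrichment step outside PIKT, here is an added Python example (not code from the PIKT project) that applies the AuthLogScanCritical rule's pattern to a log line and inserts the reverse-DNS name in brackets after the address. The resolver table and sample log lines are constructed so it runs offline, and it additionally checks the answer looks like a hostname, since PTR records are set by whoever controls the address block.

```python
import re
import socket

# Same shape as the PIKT rule's pattern: text, whitespace, dotted quad, rest.
# The greedy leading group means the last IP on the line is the one captured.
IP_RULE = re.compile(r"(.+)\s([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})(.*)")
# Only hostname-shaped PTR answers are put into the report line.
SAFE_HOST = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

def dns_addr2host(addr):
    """Default resolver: reverse lookup via the system resolver (like =nslookup)."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except OSError:
        return None

def annotate_line(inlin, addr2host=dns_addr2host):
    """Return the line with "[hostname]" inserted after the IP address, as the
    AuthLogScanCritical rule does. Unresolvable or odd-looking answers become
    [unresolved] rather than the empty brackets the shell pipeline would give."""
    m = IP_RULE.match(inlin)
    if not m:
        return inlin
    head, ip, tail = m.groups()
    # The pattern alone accepts 999.1.1.1; skip octets that cannot be an address.
    if any(int(octet) > 255 for octet in ip.split(".")):
        return inlin
    host = addr2host(ip)
    label = host if host and SAFE_HOST.match(host) else "unresolved"
    return f"{head} {ip} [{label}]{tail}"

# Constructed sample lines (modelled on the authlog entries above) and a
# constructed PTR table, so no network access is needed.
SAMPLE_LINES = [
    "Jan 17 15:23:16 moscow sshd[4639]: [ID 800047 auth.info] Did not receive identification string from 216.232.8.2",
    "Jan 16 08:47:05 moscow sshd[16341]: [ID 800047 auth.info] Failed password for root from 111.222.123.100 port 1393",
    "Jan 16 09:00:00 moscow sshd[16350]: [ID 800047 auth.info] Accepted publickey for alice from ::1 port 2222",
]
FAKE_PTR = {"111.222.123.100": "cork.uppity.edu"}  # 216.232.8.2 deliberately absent

def fake_addr2host(addr):
    return FAKE_PTR.get(addr)

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(annotate_line(line, fake_addr2host))
```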
PIKT then reports $il later on in the script with, for example
        rule
                if $il =~ "attempt"
                        output mail =tracerule($il)
                        output log "=authlogscan_log" $il
                        next
                endif
(Don't worry about the =tracerule() macro. That's a debugging macro, employing the still unannounced #rule() (#rulenumber()) function, which I'll have more to say about in a future posting.)
So, PIKT now reports log entries, with the IP address resolved, as in
Jan 17 15:23:16 moscow sshd[4639]: [ID 800047 auth.info] Did not receive identification string from 216.232.88.200 [a059e50wfb126ul.bk.hsia.telus.net]
and
Jan 16 08:47:05 moscow sshd[16341]: [ID 800047 auth.info] Failed password for root from 111.222.123.100 [cork.uppity.edu] port 1327
Much more meaningful and useful!
The PIKT scripting language doesn't (yet) have formal user-defined functions, but the =addr2host() and =host2addr() DNS lookup macros are further examples that PIKT macros will get (most of) the job done anyway.
For more examples, see Developer's Notes.