Overview
ThreatSTOP DNS Firewall Reporting focuses on delivering high-quality, easily understood reports to Network Administrators and Security Professionals, allowing rapid evaluation and remediation of threats to a network. The bulk of this process is controlled through a selection of filters that drill down as the user moves through the data.
Basic filter functions are:
- Date Range: This is the period that the report covers. Available values are:
- Last 24 Hours
- Last 7 Days
- Last 30 Days
- Severity: The severity level of the threat recorded. Threat levels break down into five levels in order of increasing severity, with User Defined targets shown as Severity 0 (see the Threat Severity Matrix).
- Devices: Contains a list of the firewall devices associated with your account, allowing returns to be limited to a specific firewall device.
- Client IP: Allows the entry of an IP address range (in CIDR format, or longhand) to limit returns in reporting.
- Target Groups: Limits the returned Targets to the selected types.
- Queried Name: Can search for a domain name in the log files.
- Action Taken: Limits results based on the action the DNS firewall took on the request. All actions are ticked by default and data is returned for each; unticking a box hides that action's data.
- Blocked (NXDOMAIN): The request is blocked with a "no such domain" error.
- Blocked (NODATA): The request is blocked with an empty answer: the name is reported as existing but having no records of the requested type.
- Blocked (DROP): The request is dropped, with no response sent to the requesting client.
- Pass-Through: The request is resolved normally and the client may reach the requested system.
- Redirected: The request is answered with a different address, pointing the client to a location such as a Walled Garden.
- Advanced Target Settings:
- Only targets present in policy: This filter will limit the returned results to only those targets in the current policy, and does not include returns from lists not included in the chosen policy.
- Trigger type: Includes targets based on the action that triggered the firewall to take an action.
- QNAME: the Query Name (QNAME), the domain name being looked up, matches an entry in the RPZ.
- NSDNAME: the Name Server Domain Name (NSDNAME), the name of an authoritative name server for the answer, matches an entry in the RPZ.
- RPZ-IP: an IP address returned in the DNS response matches an entry in the RPZ.
- NSIP: the Name Server IP address (NSIP), the address of an authoritative name server for the answer, matches an entry in the RPZ.
- Policies: Limits returned data to the policy selected.
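The trigger types listed above are the owner-name forms an RPZ zone uses, and the Action Taken values are the rule targets that a resolver acts on. The fragment below is an added example written in BIND RPZ zone syntax; it is not a ThreatSTOP feed or policy, and every domain name and address in it is a placeholder:

```zone
$TTL 300
@   IN SOA  rpz.example. hostmaster.example. ( 1 3600 600 86400 300 )
    IN NS   localhost.

; QNAME trigger: the queried name (and, with the wildcard, any subdomain) matches.
cnc.bad.example          CNAME .                          ; Blocked (NXDOMAIN)
*.cnc.bad.example        CNAME .
login.phish.example      CNAME *.                         ; Blocked (NODATA): name exists, no records
beacon.bad.example       CNAME rpz-drop.                  ; Blocked (DROP): no response at all
updates.vendor.example   CNAME rpz-passthru.              ; Pass-Through: resolve normally
ads.tracker.example      CNAME walledgarden.corp.example. ; Redirected to a walled garden

; RPZ-IP trigger: an address in the answer falls in 192.0.2.0/24.
; Encoding is <prefix-length>.<reversed octets>.rpz-ip
24.0.2.0.192.rpz-ip      CNAME .

; NSDNAME trigger: an authoritative name server for the answer matches.
ns1.bad.example.rpz-nsdname   CNAME .
*.bad.example.rpz-nsdname     CNAME .

; NSIP trigger: the address of an authoritative name server is 198.51.100.7/32.
32.7.100.51.198.rpz-nsip CNAME .
```

The same name can be caught by more than one trigger; which one fires is what the Trigger type filter (and the Cause column in Report Details) lets you distinguish.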
As filters are changed a box will appear at the top of the filter stack labeled Filter Information. This box will show how many records the filter set will return, with smaller returns displaying faster. This can also be helpful in building a filter strategy for your returned results in the Report Details section.
Dashboard
The Dashboard screen summarizes the number of requests for each severity, the machines in each severity, and the request types for each threat group recorded by the firewall. It also introduces filters to limit the data returned by the report. After selecting the base filter parameters described in the overview, bar graphs showing returns for the result types will appear:
- # of Requests for each Severity: cumulative result, based on your filter settings, for the number of threats documented by severity level.
- # of Machines for each Severity: number of devices with reported connection attempts.
- # of Requests for each Threat Group: number of Threat Types attempting to make a connection using your network.
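To show how the filter stack and the three Dashboard counts relate to the underlying log, here is an added example (not ThreatSTOP's own code) that applies the filters described in the overview to a handful of constructed DNS firewall log records and builds the Dashboard summaries. The record layout, the target names and the target-to-severity mapping are assumptions made for illustration; the real severities come from the Threat Severity Matrix.

```python
"""Added example: report filters and Dashboard counts over constructed log records."""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log records (assumed layout):
# (UTC time, device nickname, client IP, queried name, action, cause, target list)
SAMPLE_LOG = [
    ("2024-05-01T08:00:00Z", "edge-fw-1", "10.0.1.15", "cnc.bad.example",        "NXDOMAIN", "QNAME", "DCNC - BOTNET DOMAINS"),
    ("2024-05-01T08:05:00Z", "edge-fw-1", "10.0.1.15", "cnc.bad.example",        "NXDOMAIN", "QNAME", "DCNC - BOTNET DOMAINS"),
    ("2024-05-01T09:10:00Z", "edge-fw-1", "10.0.1.22", "login.phish.example",    "NODATA",   "QNAME", "PHISHING"),
    ("2024-05-01T09:12:00Z", "edge-fw-2", "10.0.2.7",  "cnc.bad.example",        "DROP",     "IP",    "DCNC - BOTNET DOMAINS"),
    ("2024-05-01T10:00:00Z", "edge-fw-2", "10.0.2.7",  "metrics.tracker.example", "PASSTHRU", "QNAME", "TRACKERS"),
    ("2024-04-20T10:00:00Z", "edge-fw-1", "10.0.1.15", "old.bad.example",        "NXDOMAIN", "QNAME", "DCNC - BOTNET DOMAINS"),
    ("2024-05-01T11:00:00Z", "edge-fw-1", "10.0.1.30", "blocked.corp.example",   "NXDOMAIN", "QNAME", "USER DEFINED BLOCK"),
]

# Assumed severity per target list; Severity 0 is reserved for User Defined targets.
TARGET_SEVERITY = {
    "DCNC - BOTNET DOMAINS": 5,
    "PHISHING": 4,
    "TRACKERS": 2,
    "USER DEFINED BLOCK": 0,
}


def parse(rec):
    """Turn one raw tuple into a record with typed fields."""
    t, device, ip, qname, action, cause, target = rec
    return {
        "time": datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "device": device,
        "client_ip": ipaddress.ip_address(ip),
        "qname": qname.lower(),
        "action": action,
        "cause": cause,
        "target": target,
        "severity": TARGET_SEVERITY[target],
    }


def apply_filters(records, *, now, days=1, severities=None, devices=None,
                  client_cidr=None, actions=None, qname=None, targets=None):
    """Return the records that survive the filter set. None means 'no restriction'.

    days      -> Date Range (1, 7 or 30 for the report's three choices)
    client_cidr -> Client IP filter; accepts CIDR ("10.0.1.0/24") or a single address ("10.0.2.7")
    actions   -> the ticked Action Taken boxes; an unticked action is simply absent from the set
    qname     -> Queried Name substring search
    """
    since = now - timedelta(days=days)
    net = ipaddress.ip_network(client_cidr, strict=False) if client_cidr else None
    out = []
    for r in records:
        if not (since <= r["time"] <= now):
            continue
        if severities is not None and r["severity"] not in severities:
            continue
        if devices is not None and r["device"] not in devices:
            continue
        if net is not None and r["client_ip"] not in net:
            continue
        if actions is not None and r["action"] not in actions:
            continue
        if qname is not None and qname.lower() not in r["qname"]:
            continue
        if targets is not None and r["target"] not in targets:
            continue
        out.append(r)
    return out


def dashboard(records):
    """The three Dashboard bar graphs: requests and distinct machines per severity,
    and requests per threat group (target list)."""
    requests = Counter()
    machines = defaultdict(set)
    groups = Counter()
    for r in records:
        requests[r["severity"]] += 1
        machines[r["severity"]].add(r["client_ip"])
        groups[r["target"]] += 1
    return {
        "requests_per_severity": dict(requests),
        "machines_per_severity": {s: len(ips) for s, ips in machines.items()},
        "requests_per_group": dict(groups),
    }


RECORDS = [parse(r) for r in SAMPLE_LOG]
NOW = datetime(2024, 5, 2, tzinfo=timezone.utc)  # assumed "current time" for the Date Range

if __name__ == "__main__":
    hits = apply_filters(RECORDS, now=NOW, days=7, client_cidr="10.0.1.0/24")
    print(f"Filter Information: {len(hits)} records")   # the count the Filter Information box shows
    print(dashboard(hits))
```

Note that the machine count uses the set of distinct client IPs, so two blocked lookups from the same host count as one machine but two requests, which is why the two bars differ for the same severity.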
Threat Summary
The Threat Summary screen is brought up either by selecting it from the RPZ Reports drop-down or by clicking on a results bar in the Dashboard. Across the top of the screen, a bar graph will appear with a visual representation of the cumulative attacks classed as each Severity level.
Any filter settings applied to the dashboard will carry through to following screens, but will not carry back to previous screens. For example, moving from Dashboard > Threat Summary will carry over the filter settings, but using the Back button to return to the Dashboard will reset the filter settings to their default state.
This report breaks down the count of connection attempts per severity level, from five (the most critical) to any User Defined threats. Each connection type is noted and the number of connection attempts made. The breakdown is provided in an accordion list, any severity levels that do not return results will appear collapsed, while severity levels that return results will list them with the following data:
- Threat Severity: How questionable the target is. Severity 5 threats are listed at the top, and the Severity 0 are listed at the bottom.
- Target: Threat List entry associated with the domain name being accessed. In our example, a botted computer attempted to access a domain associated with DCNC - BOTNET DOMAINS.
- Matches: number of times a device attempted to access the associated domain. Staying with our example, the machine(s) attempted to access a domain associated with DCNC - BOTNET DOMAINS 2,178 times.
User Defined threats are not afforded a higher severity due to their uncertain nature. If you, the user, feel that a User Defined threat is important to remediate then you can use the information provided here to discover the source of the attack.
Clicking on the line associated with the threat you want to investigate will drill down to the Report Details, this will open a list of, up to, 5,000 connection attempts to the Target clicked on.
Client IP Summary
The Client IP Summary breaks down threats by the client IP address that made the request. These are then refined by severity level, cumulative communications for that severity level, then by the Target type and number of communication attempts for each target type.
The bar graph shows threats by severity in least-to-worst order. Severity Zero threats are always displayed on top, and severity Five threats are always displayed on the bottom. The listed breakout is displayed in an identical fashion. Clicking on a severity will display the Report Details screen, for only the threats in that severity level. Clicking a threat will display all entries for attempts to connect to threats in the target.
The fields returned by this report are:
- IP Address: listing for the device that made the request. This device will have attempted to communicate with an FQDN in the target list.
- Threat Severity: How questionable the target is. User-Defined targets are listed first, with the worst offenders (Severity 5) listed at the bottom.
- Threat Target: The target type that the device was attempting to communicate with, the potential target types and their severity can be seen in DNS Firewall Reporting.
- Connection Attempts: The number of times a single device in the filter attempted to communicate with a threat target.
The returned results from this report are limited to the IP address for the device for which any sub-report has been selected.
Combined Summary
Similar to the Client IP report, the Combined Summary report returns all recorded communications by all clients. The bar graph is laid out in an identical fashion to the Client IP report, with the highest Severity issues on the bottom and the lowest priority at the top. The primary difference is in the report itself: it is not broken down by individual IP address; instead, the displayed results are the cumulative result of all devices in the report that match the chosen criteria. These results can then be drilled down into, which brings up the Report Details screen and allows the individual devices making these communication attempts to be viewed.
Fields displayed for the report include:
- Threat Severity: How questionable the target is. Severity 5 are listed at the top, and Severity 0 are listed at the bottom.
- Threat Target: The target type with which the device was attempting to communicate.
- Connection Attempts: The number of times all devices in the filter attempted to communicate with a threat target.
Date Summary
The DNS Date Summary shows communication attempts by date and severity level. The report itself shows the number of communication attempts, the date of the attempts, and the severity level, with each higher severity level shown in a brighter shade of red. These settings adjust the resolution of the returned results:
- Date Summary Reporting Period: Adjusts how fine-grained the returned results are, available values are:
- Hourly: Shows communications attempts by the hour and day.
- Daily: Shows communications attempts for the day.
- Weekly: Shows communications attempts for the week.
- Monthly: Shows communications attempts for the month.
- Inbound/Outbound: This switch returns results based on the direction the traffic was flowing, into the network or out of the network respectively.
The reports themselves contain the following data:
- A timestamp showing the date and time a communication was made. This is up to the nearest hour with hourly reports.
- Below this the returned values are processed out by severity level and the number of connection attempts for that severity.
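The bucketing behind the Date Summary Reporting Period setting, as an added example (not ThreatSTOP's own code): it groups constructed (timestamp, severity) events into Hourly, Daily, Weekly or Monthly buckets and counts attempts per severity inside each bucket. Weekly buckets use ISO weeks, which is an assumption; the page does not say which week boundary the report uses.

```python
"""Added example: Date Summary bucketing of constructed (timestamp, severity) events."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed events: (UTC timestamp, severity). Two fall in the same hour,
# one in a later ISO week, one in the following month.
EVENTS = [
    ("2024-05-01T08:15:00Z", 5),
    ("2024-05-01T08:40:00Z", 5),
    ("2024-05-01T09:05:00Z", 4),
    ("2024-05-02T22:30:00Z", 2),
    ("2024-05-07T01:00:00Z", 5),
    ("2024-06-03T12:00:00Z", 0),
]

PERIODS = ("Hourly", "Daily", "Weekly", "Monthly")


def bucket_key(ts, period):
    """Label the bucket a timestamp belongs to for the chosen reporting period."""
    if period == "Hourly":
        return ts.strftime("%Y-%m-%d %H:00")   # to the nearest hour, as the report shows
    if period == "Daily":
        return ts.strftime("%Y-%m-%d")
    if period == "Weekly":
        year, week, _ = ts.isocalendar()        # assumption: ISO week boundaries
        return f"{year}-W{week:02d}"
    if period == "Monthly":
        return ts.strftime("%Y-%m")
    raise ValueError(f"unknown reporting period: {period!r}")


def date_summary(events, period):
    """Return {bucket label: {severity: attempts}} ordered by bucket."""
    table = defaultdict(lambda: defaultdict(int))
    for t, severity in events:
        ts = datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        table[bucket_key(ts, period)][severity] += 1
    return {label: dict(counts) for label, counts in sorted(table.items())}


if __name__ == "__main__":
    for period in PERIODS:
        print(period)
        for label, counts in date_summary(EVENTS, period).items():
            # highest severity first, matching the report's worst-on-top ordering
            row = ", ".join(f"sev {s}: {n}" for s, n in sorted(counts.items(), reverse=True))
            print(f"  {label}  {row}")
```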
Report Details
This report lists details about the devices attempting to connect to a threat, 50 entries at a time, with up to 5,000 entries displayed for a filter set.
The number of entries shown can be adjusted using the Show ## entries drop-down menu.
Data is broken up into columns and displayed in a tabular format, columns displayed can be controlled using the Columns button. The data can be sorted by clicking the column header. This will reprioritize the order that data is provided.
The available columns are listed below; columns not turned on by default are noted:
- Time: Date and time a connection attempt to the requested FQDN was made. This is displayed in this format:
- Device: Nickname of the device that processed the request.
- Client IP: IP address of the client that made the FQDN request. Devices listed here should be isolated for remediation. Shown by default.
- FQDN Requested: The FQDN the client was attempting to contact.
- Action: The action performed by the device. This can be one of four default actions, or a custom action defined under Policies & Lists > RPZ Behaviors. The default actions are:
- NXDOMAIN: Returns a message saying the domain does not exist.
- NODATA: Returns an empty answer: the name is reported as existing but having no records of the requested type.
- PASSTHRU: The query is resolved normally, so clients may communicate with the domains associated with this rule.
- DROP: The query receives no response at all. The request is silently discarded and the client's lookup times out.
- Cause: The reason the action was taken, one of:
- QNAME: The requested FQDN is listed in an RPZ threat list.
- IP: An IP address associated with the domain is listed in an RPZ threat list.
- Record: Contains the FQDN, or IP address that the client device attempted to reach.
- Targets: Details which Threat Intelligence list the Target is listed in.
- ID: This is a hash of the log line in the report. This is used for diagnostic purposes, and may occasionally be requested by ThreatSTOP Support.
The returned results can be exported in a CSV file by clicking on the Export to CSV button. This will compile the results into a Comma Separated Value (CSV) file that can be processed by most spreadsheet programs.
The deepest level of reporting will feed the target under investigation into our Check IOC utility.