Feature #10466
open
Add checkbox to Suricata blocked host view to resolve all resolvable IP's automatically
0%
Description
Manually resolving individual IP's is cumbersome when I want to get a holistic view of the blocked hosts. Also, resolving the IP's on everything might help me catch falsely flagged blocks by sticking out as having a legitimate use source.
While resolving these may result in additional DNS queries, I feel like it provides value for the use case.
Updated by tasty ratz about 2 years ago
Wanted to bump this one up since it hasn't had any activity in the last few years.
Updated by Bill Meeks about 2 years ago
I am hesitant about adding this feature. If there are lots of blocked IP entries (which you reference in a different feature request you also posted where you want the block entries sortable by timestamp), it can take a very, very long time to resolve all the IPs. That's a lot of busywork for perhaps not much benefit in my opinion. You certainly don't want the page to "freeze" when building while waiting for the DNS resolutions on the initial load of the page. While it can be done with Ajax post backs, that can be a bit cumbersome to implement.
I guess I need more convincing that it is a large enough problem ... :)
Bill
Updated by tasty ratz about 2 years ago
Bill Meeks wrote in #note-2:
I am hesitant about adding this feature. If there are lots of blocked IP entries (which you reference in a different feature request you also posted where you want the block entries sortable by timestamp), it can take a very, very long time to resolve all the IPs. That's a lot of busywork for perhaps not much benefit in my opinion. You certainly don't want the page to "freeze" when building while waiting for the DNS resolutions on the initial load of the page. While it can be done with Ajax post backs, that can be a bit cumbersome to implement.
I guess I need more convincing that it is a large enough problem ... :)
Bill
Hi Bill,
Well, if we're worried about initial page loads, what about a button for "resolve all"?
We could run down the use case if it helps.
Let's say I think I have a service that stops working. I don't quite know what time it was it was working last... yesterday? The day before? I might have thousands of alerts to sift through and identify.
I'll look at the blocked lists (tons of entries) and scroll till I see something that looks like it might be a false block - that's assuming it sticks out at me.
Otherwise, I need to run down the list individually checking the name and geo data until I find what looks like the culprit. That's hundreds of individual clicks. The problem is it's a lot easier to clear all than it is to match it up. I'd rather read the entries as I scroll the page whenever possible.
Full population also might help me recognize other activity I wasn't looking for like whoops, there were 3 entries I needed, not just the 1 I saw. It also gives an at a glance for suspicious patterns like a lot of blocks coming from similar places.
I might want to take extra steps for safety or look at other activity in my network.
Or, maybe I see a lot of addresses that look like they are from xyzonline.com. I need/use that service! I didn't even know it was blocked. no wonder it's been acting up lately!
My other request on time having it's own column is another way to help correlate blocked entries to time of impact, good or bad. Since I can't really sort by time right now I can't easily correlate activity with block entries. I end up copying a timestamp, doing control-f and pasting it, then trying a bunch of different suspected times/dates till one gets a hit.
The other alternative is to query DNS at time of block and store the results with the IP then retrieve that all the same. Then you have accurate results at time of block and there are no queries to run in the UI at the expense of a few trivial dns queries. DNS makes it a little more human-readable.
I hope that helps explain my thought process on these. Appreciate the time!