ARMR DNS Rule
Overview
The DNS security rule provides the ability to log and restrict DNS lookups performed by any application running on the Java Virtual Machine. By restricting DNS lookups to known and trusted domains, abuse of the DNS service can be prevented.
The DNS rule begins with a dns keyword and ends with an enddns keyword. It must contain the rule name as a parameter; this is an arbitrary string, hence it needs to be surrounded with double quotes.
The rule cannot contain duplicate statements; however, multiple dns rules are allowed in the same ARMR application, and the order of statements inside the dns rule does not matter.
Given (Condition)
lookup: The lookup takes a single parameter (string literal) where valid values are a quoted hostname, a quoted IPv4 address, or the constant any, indicating any hostname or IPv4 address. For example:
lookup("waratek.com")
lookup("127.0.0.1")
lookup(any)
IPv6 addresses are not currently supported.
Then (Action)
An Action accepts a message as its parameter.
An action may, optionally, specify a severity. The value of severity may be an integer in the range 0-10 (0 is the lowest level and 10 is the highest level) or one of Low, Medium, High or Very-High (case insensitive). The default severity is unknown.
protect: The DNS lookup is not allowed to proceed. If configured, a log message is generated with details of the event.
detect: Monitoring mode: the application behaves as normal and the DNS lookup is allowed to proceed. If configured, a log message is generated detailing that the agent has detected an attempt to carry out a DNS lookup.
allow: Can be used to allow specific IP addresses/hostnames to be looked up without being blocked by other DNS rule(s).
Logging
A log entry similar to the following is generated when each of the dns rules shown in the Examples section below identifies a DNS lookup, respectively:
<10>1 2020-07-15T16:23:32.857+01:00 XPS-15-9570 java 20329 - - CEF:0|ARMR:DNS lookup mod|DNS lookup mod|2.2|Blocking address resolution for waratek.com|Execute Rule|High|rt=Jul 15 2020 16:23:32.817 +0100 dvchost=XPS-15-9570 procid=20329 outcome=success act=protect msg=dns lookup occurred for waratek.com hostname=waratek.com
<12>1 2020-07-15T16:31:10.692+01:00 XPS-15-9570 java 20861 - - CEF:0|ARMR:DNS lookup mod|DNS lookup mod|2.2|Detecting address resolution for localhost|Execute Rule|Medium|rt=Jul 15 2020 16:31:10.691 +0100 dvchost=XPS-15-9570 procid=20861 outcome=success act=detect msg=dns lookup event hostname=127.0.0.1
<12>1 2020-07-15T16:34:51.199+01:00 XPS-15-9570 java 21064 - - CEF:0|ARMR:DNS lookup mod|DNS lookup mod|2.2|Detecting address resolution for any host/ip|Execute Rule|Medium|rt=Jul 15 2020 16:34:51.160 +0100 dvchost=XPS-15-9570 procid=21064 outcome=success act=detect msg=dns lookup event hostname=www.waratek.com
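To triage these entries, the following is an added Python example (not part of ARMR or its documentation) that parses the syslog/CEF lines above into fields and lists the lookups that a protect action blocked. It assumes the RFC 5424 syslog header and CEF header layout seen in these three samples and does not handle CEF-escaped pipe characters.

```python
import re

# The three entries from the Logging section above, used here as sample input.
SAMPLE_LOGS = [
    "<10>1 2020-07-15T16:23:32.857+01:00 XPS-15-9570 java 20329 - - CEF:0|ARMR:DNS lookup mod|DNS lookup mod|2.2|Blocking address resolution for waratek.com|Execute Rule|High|rt=Jul 15 2020 16:23:32.817 +0100 dvchost=XPS-15-9570 procid=20329 outcome=success act=protect msg=dns lookup occurred for waratek.com hostname=waratek.com",
    "<12>1 2020-07-15T16:31:10.692+01:00 XPS-15-9570 java 20861 - - CEF:0|ARMR:DNS lookup mod|DNS lookup mod|2.2|Detecting address resolution for localhost|Execute Rule|Medium|rt=Jul 15 2020 16:31:10.691 +0100 dvchost=XPS-15-9570 procid=20861 outcome=success act=detect msg=dns lookup event hostname=127.0.0.1",
    "<12>1 2020-07-15T16:34:51.199+01:00 XPS-15-9570 java 21064 - - CEF:0|ARMR:DNS lookup mod|DNS lookup mod|2.2|Detecting address resolution for any host/ip|Execute Rule|Medium|rt=Jul 15 2020 16:34:51.160 +0100 dvchost=XPS-15-9570 procid=21064 outcome=success act=detect msg=dns lookup event hostname=www.waratek.com",
]

# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA, then the CEF message.
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) \S+ \S+ (?P<cef>CEF:.*)$"
)
# CEF extension values (e.g. rt=, msg=) may contain spaces, so split only on
# whitespace that is immediately followed by the next key=.
_EXT_SPLIT_RE = re.compile(r"\s+(?=\w+=)")


def parse_armr_dns_log(line: str) -> dict:
    """Parse one ARMR DNS rule log line into a dict; return {} if it does not match."""
    m = _SYSLOG_RE.match(line.strip())
    if not m:
        return {}
    pri = int(m.group("pri"))
    # CEF header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
    # (ARMR puts the dns rule name in the SignatureID slot). Escaped "\|" is not handled.
    parts = m.group("cef").split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        return {}
    _, vendor, product, version, rule_name, event_name, cef_severity, extension = parts
    record = {
        "timestamp": m.group("ts"),
        "syslog_facility": pri // 8,   # PRI = facility * 8 + severity
        "syslog_severity": pri % 8,
        "vendor": vendor,
        "product": product,
        "version": version,
        "rule_name": rule_name,
        "event_name": event_name,
        "cef_severity": cef_severity,
    }
    for pair in _EXT_SPLIT_RE.split(extension):
        key, _, value = pair.partition("=")
        record[key] = value
    return record


def blocked_lookups(lines: list) -> list:
    """Hostnames whose resolution a protect action blocked (extension act=protect)."""
    return [str(rec.get("hostname", ""))
            for rec in map(parse_armr_dns_log, lines)
            if rec and rec.get("act") == "protect"]
```

Feeding the samples through blocked_lookups() returns only waratek.com, since the other two entries were produced by detect rules that let the lookup proceed.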
Examples
app("DNS lookup mod"):
    requires(version: ARMR/2.2)
    dns("Blocking address resolution for waratek.com"):
        lookup("waratek.com")
        protect(message: "dns lookup occurred for waratek.com", severity: 8)
    enddns
endapp

app("DNS lookup mod"):
    requires(version: ARMR/2.2)
    dns("Detecting address resolution for localhost"):
        lookup("127.0.0.1")
        detect(message: "dns lookup event", severity: 6)
    enddns
endapp

app("DNS lookup mod"):
    requires(version: ARMR/2.2)
    dns("Detecting address resolution for any host/ip"):
        lookup(any)
        detect(message: "dns lookup event", severity: 4)
    enddns
endapp