Version: 2.4

ARMR DNS Rule

Overview

The DNS security rule provides the ability to log and restrict DNS lookups performed by any application running on the Java Virtual Machine. By restricting DNS lookups to known and trusted domains, abuse of the DNS service can be prevented.

The DNS rule begins with the dns keyword and ends with the enddns keyword. It must contain the rule name as a parameter; this is an arbitrary string, so it must be surrounded with double quotes.

The rule cannot contain duplicate statements; however, multiple dns rules are allowed in the same ARMR application, and the order of statements inside a dns rule does not matter.

Given (Condition)

lookup: The lookup takes a single parameter (string literal), where valid values are a quoted-hostname, a quoted-IPv4 address, or the constant any, indicating any hostname or IPv4 address.

lookup("waratek.com")
lookup("127.0.0.1")
lookup(any)

IPv6 addresses are not currently supported.

Then (Action)

An Action accepts a message as its parameter.

An action may, optionally, specify a severity. The value of severity may be an integer in the range 0-10 (0 is the lowest level and 10 is the highest level) or one of Low, Medium, High or Very-High (case insensitive). The default severity is unknown.

protect: The DNS lookup is not allowed to proceed. If configured, a log message is generated with details of the event.
detect: Monitoring mode: the application behaves as normal and the DNS lookup is allowed to proceed. If configured, a log message is generated detailing that the agent has detected an attempt to carry out a DNS lookup. A log message must be specified with this action.
allow: Can be used to allow specific IP addresses/hostnames to be looked up without being blocked by other DNS rule(s).

As part of the action statement, the user may optionally specify the parameter stacktrace: "full". When this parameter is specified, the stacktrace of the location of the attempted exploit is included in the security log entry.

Examples

DNS rule with quoted-hostname.


app("DNS lookup mod"):
requires(version: ARMR/2.3)
dns("Blocking address resolution for waratek.com"):
lookup("waratek.com")
protect(message: "dns lookup occurred for waratek.com", severity: 8)
enddns
endapp

DNS rule with quoted-IPv4 address.


app("DNS lookup mod"):
requires(version: ARMR/2.3)
dns("Detecting address resolution for localhost"):
lookup("127.0.0.1")
detect(message: "dns lookup event", severity: 6)
enddns
endapp

DNS rule with the constant any.


app("DNS lookup mod"):
requires(version: ARMR/2.3)
dns("Detecting address resolution for any host/ip"):
lookup(any)
detect(message: "dns lookup event", severity: 4)
enddns
endapp

Logging

A log entry similar to the following is generated when the dns rules above identify a DNS lookup:

<10>1 2021-03-22T12:58:06.136Z userX_system java 17522 - - CEF:0|ARMR:Walter|Walter|2.3|DNS Test App detect|Execute Rule|High|rt=Mar 22 2021 12:58:06.135 +0000 dvchost=jenkins-qa-slave-centos.aws.waratek.lan procid=17522 appVersion=1 act=detect msg=Walter hostname=waratek.com

Further Examples

DNS rule with the stacktrace also logged.


app("DNS lookup mod"):
requires(version: ARMR/2.3)
dns("Detecting address resolution for localhost"):
lookup(any)
protect(message: "dns lookup event", severity: 9, stacktrace: "full")
enddns
endapp

Logging


<10>1 2021-04-01T12:31:39.637+01:00 userX_system java 174476 - - CEF:0|ARMR:Walter|Walter|2.3|DNS Test App protect|Execute Rule|High|rt=Apr 01 2021 12:31:39.636 +0100 dvchost=ckang-XPS-15-9570 procid=174476 appVersion=1 act=protect msg=dns lookup event
stacktrace=walter.apps.DNSLookupApp.main(Container-1)(DNSLookupApp.java:94)\nsun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\nsun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)\nsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\njava.lang.reflect.Method.invoke(Method.java:498)\njava.lang.Thread.run(Container-1)(Thread.java:876)\njava.lang.Thread.begin(Container-1)(Thread.java:897)\njava.lang.Thread.invokeRun(Container-1)(Thread.java:883)\njava.lang.Thread$ThreadHandler.invokeRun(Container-1)(Thread.java:55) hostname=alto.aws.waratek.lan
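The two log entries above are CEF records with a syslog prefix; the following parser, an added example that is not part of the ARMR documentation or product, splits the seven CEF header fields, recovers extension values that contain spaces (such as msg=dns lookup event), and expands the stacktrace into individual frames. The sample entries are copied from this page, with the protect entry's stacktrace abridged to three frames.

```python
"""Parse the CEF security-log entries that ARMR emits for DNS rule events."""
import re

# Sample entries from this page; the protect entry is joined onto one line and
# its stacktrace is abridged to three frames.
DETECT_ENTRY = ('<10>1 2021-03-22T12:58:06.136Z userX_system java 17522 - - '
                'CEF:0|ARMR:Walter|Walter|2.3|DNS Test App detect|Execute Rule|High|'
                'rt=Mar 22 2021 12:58:06.135 +0000 dvchost=jenkins-qa-slave-centos.aws.waratek.lan '
                'procid=17522 appVersion=1 act=detect msg=Walter hostname=waratek.com')
PROTECT_ENTRY = ('<10>1 2021-04-01T12:31:39.637+01:00 userX_system java 174476 - - '
                 'CEF:0|ARMR:Walter|Walter|2.3|DNS Test App protect|Execute Rule|High|'
                 'rt=Apr 01 2021 12:31:39.636 +0100 dvchost=ckang-XPS-15-9570 procid=174476 '
                 'appVersion=1 act=protect msg=dns lookup event '
                 'stacktrace=walter.apps.DNSLookupApp.main(Container-1)(DNSLookupApp.java:94)'
                 '\\njava.lang.reflect.Method.invoke(Method.java:498)'
                 '\\njava.lang.Thread.run(Container-1)(Thread.java:876) hostname=alto.aws.waratek.lan')

CEF_HEADER = ('cef_version', 'vendor', 'product', 'product_version',
              'signature_id', 'name', 'severity')
# An extension key is a word directly followed by '=' at the start or after
# whitespace; a value runs until the next such key, so it may contain spaces.
EXT_KEY = re.compile(r'(?:^|\s)(\w+)=')


def parse_dns_event(entry: str) -> dict:
    """Return the syslog prefix, CEF header fields and extensions as one flat dict."""
    prefix, _, cef = entry.partition('CEF:')
    if not cef:
        raise ValueError('not a CEF entry')
    parts = cef.split('|', 7)  # seven '|'-delimited header fields, then the extension
    if len(parts) != 8:
        raise ValueError('malformed CEF header')
    event = dict(zip(CEF_HEADER, parts[:7]))
    event['syslog_prefix'] = prefix.strip()
    extension = parts[7]
    matches = list(EXT_KEY.finditer(extension))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(extension)
        event[m.group(1)] = extension[m.end():end].strip()
    if 'stacktrace' in event:  # frames are separated by a literal backslash-n
        event['stacktrace'] = event['stacktrace'].split('\\n')
    return event


def blocked_hostnames(entries) -> list:
    """Hostnames whose resolution a protect action stopped, for alerting or review."""
    events = (parse_dns_event(e) for e in entries)
    return sorted({e['hostname'] for e in events if e.get('act') == 'protect'})


if __name__ == '__main__':
    for e in (DETECT_ENTRY, PROTECT_ENTRY):
        ev = parse_dns_event(e)
        print(ev['act'], ev['severity'], ev['hostname'], len(ev.get('stacktrace', [])))
```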