diff --git a/cmd/patdown/main.go b/cmd/patdown/main.go index 1611f5c..f6f9c2e 100644 --- a/cmd/patdown/main.go +++ b/cmd/patdown/main.go @@ -2,21 +2,12 @@ package main import ( "flag" - "fmt" - "time" "patdown/common" - - "github.com/miekg/dns" ) type multiflag []string -type Pair struct { - Nameserver string - Domain string -} - func (m *multiflag) String() string { return "irc.supernets.org #superbowl" } 
@@ -27,125 +18,43 @@ func (m *multiflag) Set(value string) error { } var ( - domain = flag.String("t", "", "") - workers = flag.Int("c", 100, "") - delay = flag.Int("s", 100, "") - nameserver multiflag + domain = flag.String("t", "", "") + workers = flag.Int("c", 100, "") + delay = flag.Int("s", 50, "") + nsarg multiflag ) -func message(domain string, reqtype uint16, ra bool) *dns.Msg { - msg := new(dns.Msg) - msg.Id = dns.Id() - msg.RecursionDesired = ra - msg.Question = make([]dns.Question, 1) - msg.Question[0] = dns.Question{dns.Fqdn(domain), reqtype, dns.ClassINET} - return msg -} - -func query(q <-chan Pair, tracker chan<- interface{}) { - for pair := range q { - msg := message(pair.Domain, dns.TypeA, false) - in, err := dns.Exchange(msg, pair.Nameserver+":53") - if err != nil { - common.Error(err.Error()) - continue - } - - if len(in.Answer) > 0 { - fmt.Printf("[%s] associated domain %s found on %s\n", common.Vendors[common.Domains[pair.Domain]], pair.Domain, pair.Nameserver) - } - time.Sleep(time.Duration(*delay) * time.Millisecond) - } - tracker <- 1337 -} - -func testns(ns string) error { - msg := message("supernets.org", dns.TypeA, false) - _, err := dns.Exchange(msg, ns+":53") - if err != nil { - return err - } - return nil -} - -func testreq() bool { - msg := message("cloudflare.com", dns.TypeA, false) - in, err := dns.Exchange(msg, "1.1.1.1:53") - if err != nil { - return false - } - if len(in.Answer) > 0 { - return true - } - return false -} - func main() { - flag.Var(&nameserver, "n", "nameserver to query") + flag.Var(&nsarg, "n", "") flag.Usage = common.Usage flag.Parse() - var nameservers []string - pairs := make(chan Pair) - tracker := make(chan interface{}) - common.Banner() if *domain != "" { - // query domain for nameservers - nsmsg := message(*domain, dns.TypeNS, true) - in, err := dns.Exchange(nsmsg, "1.1.1.1:53") - if err != nil { - panic(err) - } - - for _, ans := range in.Answer { - ns, ok := ans.(*dns.NS) - if ok { - nameservers = 
append(nameservers, ns.Ns) - } - } - - } else if len(nameserver) > 0 { - for _, ns := range nameserver { - nameservers = append(nameservers, ns) + common.Info("aggregating nameservers...") + common.PullNS(*domain) + } else if len(nsarg) > 0 { + for _, ns := range nsarg { + common.Nameservers = append(common.Nameservers, ns) } } else { - // print usage common.Usage() return } - if !testreq() { - common.Fatal("non-recursive queries are being refused, are you on a very dirty box or VPN?") - } + common.Verify() - common.Info("aggregating nameservers...") + common.Run(false, *workers, *delay) - for i, ns := range nameservers { - if err := testns(ns); err != nil { - common.Error("nameserver " + ns + " is not responding") - nameservers = append(nameservers[:i], nameservers[i+1:]...) + if !common.Found { + if len(common.Recursive) > 0 { + common.Warning("no associated domains found, attempting recursive snooping...") + common.Run(true, *workers, *delay) } } - common.Info(fmt.Sprintf("snooping caches on %d resolvers...", len(nameservers))) - - go func() { - for i := 0; i < *workers; i++ { - query(pairs, tracker) - } - }() - - for _, ns := range nameservers { - for k, _ := range common.Domains { - pairs <- Pair{Nameserver: ns, Domain: k} - } - } - - close(pairs) - - for x := 0; x < *workers; x++ { - <-tracker + if !common.Found { + common.Error("no associated domains retrieved") } } diff --git a/cmd/patdown/patdown_dec18 b/cmd/patdown/patdown_dec18 new file mode 100755 index 0000000..d67838c Binary files /dev/null and b/cmd/patdown/patdown_dec18 differ diff --git a/cmd/patdown/patdown_dec19 b/cmd/patdown/patdown_dec19 new file mode 100755 index 0000000..7ff2ba8 Binary files /dev/null and b/cmd/patdown/patdown_dec19 differ diff --git a/common/dns.go b/common/dns.go new file mode 100644 index 0000000..85cba0c --- /dev/null +++ b/common/dns.go 
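Review bot: `*workers` is passed from the `-c` flag straight into both `common.Run` calls in `main` with no range check. `Run` in common/dns.go starts its consumers inside a `for i := 0; i < threads; i++` loop and then sends on an unbuffered channel, so `-c 0` or a negative value leaves no receiver and the first send deadlocks instead of producing a usage error. A guard before `common.Verify()` would fail fast: `if *workers < 1 { common.Usage(); return }`. The help strings for `-t`, `-c`, `-s` and now `-n` are all empty, so the flags are documented only if `common.Usage` describes them.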
@@ -0,0 +1,174 @@
+package common
+
+import (
+ "fmt"
+ "time"
+
+ "github.com/miekg/dns"
+)
+
+type Pair struct {
+ Nameserver string
+ Domain string
+}
+
+var (
+ Nameservers, Valid, Recursive []string
+ Found bool
+)
+
+func message(domain string, reqtype uint16, ra bool) *dns.Msg {
+ msg := new(dns.Msg)
+ msg.Id = dns.Id()
+ msg.RecursionDesired = ra
+ msg.Question = make([]dns.Question, 1)
+ msg.Question[0] = dns.Question{dns.Fqdn(domain), reqtype, dns.ClassINET}
+ return msg
+}
+
+func ParseNS(nservers []string) ([]string, []string) {
+ var valid, recursive []string
+ msg := message("supernets.org", dns.TypeA, false)
+ for _, ns := range nservers {
+ in, err := dns.Exchange(msg, ns+":53")
+ if err != nil {
+ Error("nameserver " + ns + " is not responding")
+ continue
+ }
+ if in.Rcode == dns.RcodeRefused {
+ Warning("nameserver " + ns + " refused the test query, non-recursive snooping may not be viable")
+ }
+ if in.RecursionAvailable {
+ Success("nameserver " + ns + " is recursive")
+ recursive = append(recursive, ns)
+ }
+ valid = append(valid, ns)
+ }
+ return valid, recursive
+}
+
+func TestReq() bool {
+ msg := message("cloudflare.com", dns.TypeA, false)
+ in, err := dns.Exchange(msg, "1.1.1.1:53")
+ if err != nil {
+ return false
+ }
+ if len(in.Answer) > 0 {
+ return true
+ }
+ return false
+}
+
+func PullNS(d string) {
+ nsmsg := message(d, dns.TypeNS, true)
+ in, err := dns.Exchange(nsmsg, "1.1.1.1:53")
+ if err != nil {
+ Fatal("unable to retrieve nameservers for " + d)
+ }
+
+ for _, ans := range in.Answer {
+ ns, ok := ans.(*dns.NS)
+ if ok {
+ Nameservers = append(Nameservers, ns.Ns)
+ }
+ }
+
+}
+
+func Verify() {
+ if !TestReq() {
+ Error("neutral non-recursive query was refused, are you on a vpn or dirty box?")
+ }
+ Success("neutral non-recursive test query succeeded")
+
+ Valid, Recursive = ParseNS(Nameservers)
+ Info(fmt.Sprintf("%d/%d nameservers are recursive", len(Recursive), len(Valid)))
+
+ if len(Valid) == 0 {
+ Fatal("no valid nameservers available")
+ }
+}
+
+func Query(q <-chan Pair, tracker chan<- interface{}, delay int) {
+ for pair := range q {
+ msg := message(pair.Domain, dns.TypeA, false)
+ in, err := dns.Exchange(msg, pair.Nameserver+":53")
+ if err != nil {
+ Error(err.Error())
+ continue
+ }
+
+ if len(in.Answer) > 0 {
+ Found = true
+ fmt.Printf("[%s] associated domain %s found on %s\n", Vendors[Domains[pair.Domain].Vendor], pair.Domain, pair.Nameserver)
+ }
+ time.Sleep(time.Duration(delay) * time.Millisecond)
+ }
+ tracker <- 1337
+}
+
+func QueryRA(q <-chan Pair, tracker chan<- interface{}, delay int) {
+ for pair := range q {
+ msg := message(pair.Domain, dns.TypeA, true)
+ for x := 0; x < 3; x++ {
+ in, err := dns.Exchange(msg, pair.Nameserver+":53")
+ if err != nil {
+ Error("hiccup on " + pair.Nameserver + " retrying...")
+ time.Sleep(1 * time.Second)
+ continue
+ }
+
+ if len(in.Answer) > 0 {
+ Found = true
+ if in.Answer[0].Header().Ttl != Domains[pair.Domain].TTL {
+ fmt.Printf("[%s] associated domain %s found on %s with mismatched TTL of %d\n", Vendors[Domains[pair.Domain].Vendor], pair.Domain, pair.Nameserver, in.Answer[0].Header().Ttl)
+ }
+ break
+ }
+ }
+ time.Sleep(time.Duration(delay) * time.Millisecond)
+ }
+ tracker <- 1337
+}
+
+func Run(ra bool, threads, delay int) {
+ pairs := make(chan Pair)
+ tracker := make(chan interface{})
+
+ if !ra {
+ // non-recursive snoop
+ Info(fmt.Sprintf("non-recursive snooping on %d resolvers...\n", len(Valid)))
+ go func() {
+ for i := 0; i < threads; i++ {
+ Query(pairs, tracker, delay)
+ }
+ }()
+
+ for _, ns := range Valid {
+ for k, _ := range Domains {
+ pairs <- Pair{Nameserver: ns, Domain: k}
+ }
+ }
+
+ close(pairs)
+ } else {
+ Info(fmt.Sprintf("recursively snooping on %d resolvers...\n", len(Recursive)))
+ go func() {
+ for i := 0; i < threads; i++ {
+ QueryRA(pairs, tracker, delay)
+ }
+ }()
+
+ for _, ns := range Recursive {
+ for k, _ := range Domains {
+ pairs <- Pair{Nameserver: ns, Domain: k}
+ }
+ }
+
+ close(pairs)
+ }
+
+ for x := 0; x < threads; x++ {
+ <-tracker
+ }
+}
diff --git a/common/ref.go b/common/ref.go
index 09b2357..595527e 100644
--- a/common/ref.go
+++ b/common/ref.go
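Review bot: In `Verify`, the `Success("neutral non-recursive test query succeeded")` line runs unconditionally, so a failed `TestReq()` prints the failure message and then a success message. `Error` appears to return rather than exit (it is followed by `continue` in `Query`), so the success line belongs in an `else` branch: `} else { Success("neutral non-recursive test query succeeded") }`. `PullNS` has a related gap: if `Fatal` does not terminate the process, `in` is nil after a failed exchange and `in.Answer` panics, so a `return` after the `Fatal` call would make that path safe either way. The exported package variables `Nameservers`, `Valid`, `Recursive` and `Found` are written by different functions and by the worker goroutines with no comment; a line such as `// Found is set by Query/QueryRA workers; read it only after Run returns.` on the `var` block would document the intended ordering.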
@@ -1,287 +1,296 @@ package common -var Domains = map[string]string{ +type DomInfo struct { + Vendor string + TTL uint32 +} + +var Domains = map[string]DomInfo{ // Microsoft Defender for Endpoint //https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus?view=o365-worldwide#services-and-urls - "security.microsoft.com": "Microsoft Defender for Endpoint", - "download.microsoft.com": "Microsoft Defender for Endpoint", - "ussus1eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint", - "ussus2eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint", - "ussus3eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint", - "ussus4eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint", - "wsus1eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint", - "wsus2eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint", - "ussus1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint", - "ussus2westprod.blob.core.windows.net": "Microsoft Defender for Endpoint", - "ussus3westprod.blob.core.windows.net": "Microsoft Defender for Endpoint", - "ussus4westprod.blob.core.windows.net": "Microsoft Defender for Endpoint", - "wsus1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint", - "wsus2westprod.blob.core.windows.net": "Microsoft Defender for Endpoint", - "usseu1northprod.blob.core.windows.net": "Microsoft Defender for Endpoint", - "wseu1northprod.blob.core.windows.net": "Microsoft Defender for Endpoint", - "usseu1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint", - "wseu1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint", - "ussuk1southprod.blob.core.windows.net": "Microsoft Defender for Endpoint", - "wsuk1southprod.blob.core.windows.net": "Microsoft Defender for Endpoint", - "ussuk1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint", - "wsuk1westprod.blob.core.windows.net": 
"Microsoft Defender for Endpoint", - "settings-win.data.microsoft.com": "Microsoft Defender for Endpoint", - "vortex-win.data.microsoft.com": "Microsoft Defender for Endpoint", - "go.microsoft.com": "Microsoft Defender for Endpoint", - "ctldl.windowsupdate.com": "Microsoft Defender for Endpoint", - "windowsupdate.com": "Microsoft Defender for Endpoint", + "ussus2westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, + "download.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3588}, + "go.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 1228}, + "ussus1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, + "wsus2westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, + "security.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3589}, + "wseu1northprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, + "wsus2eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, + "ussus3westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, + "wsus1eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, + "wsuk1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, + "ussus2eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, + "settings-win.data.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 2629}, + "usseu1northprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, + "wsus1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, + "usseu1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, + "ussus1eastprod.blob.core.windows.net": 
DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, + "ussuk1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, + "ctldl.windowsupdate.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 980}, + "ussus4eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, + "vortex-win.data.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 120}, + "wseu1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, + "ussuk1southprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, + "windowsupdate.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 300}, + "ussus3eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, + "ussus4westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, + "wsuk1southprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60}, // VMWare Carbon Black // https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#index-of-base-urls - "carbonblack.com": "VMWare Carbon Black", - "carbonblack.io": "VMWare Carbon Black", - "defense-eap01.conferdeploy.net": "VMWare Carbon Black", - "dashboard.confer.net": "VMWare Carbon Black", - "defense.conferdeploy.net": "VMWare Carbon Black", - "defense-prod05.conferdeploy.net": "VMWare Carbon Black", - "defense-eu.conferdeploy.net": "VMWare Carbon Black", - "defense-prodnrt.conferdeploy.net": "VMWare Carbon Black", - "defense-prodsyd.conferdeploy.net": "VMWare Carbon Black", - "ew2.carbonblackcloud.vmware.com": "VMWare Carbon Black", - "gprd1usgw1.carbonblack-us-gov.vmware.com": "VMWare Carbon Black", - "updates.cdc.carbonblack.io": "VMWare Carbon Black", - "updates2.cdc.carbonblack.io": "VMWare Carbon Black", - "carbonblack.vmware.com": "VMWare Carbon Black", - "console.cloud-us-gov.vmware.com": 
"VMWare Carbon Black", - "console.cloud.vmware.com": "VMWare Carbon Black", + "defense-prod05.conferdeploy.net": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60}, + "console.cloud.vmware.com": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60}, + "updates2.cdc.carbonblack.io": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60}, + "dashboard.confer.net": DomInfo{Vendor: "VMWare Carbon Black", TTL: 300}, + "console.cloud-us-gov.vmware.com": DomInfo{Vendor: "VMWare Carbon Black", TTL: 300}, + "ew2.carbonblackcloud.vmware.com": DomInfo{Vendor: "VMWare Carbon Black", TTL: 300}, + "defense.conferdeploy.net": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60}, + "carbonblack.io": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60}, + "carbonblack.vmware.com": DomInfo{Vendor: "VMWare Carbon Black", TTL: 3600}, + "defense-prodnrt.conferdeploy.net": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60}, + "updates.cdc.carbonblack.io": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60}, + "gprd1usgw1.carbonblack-us-gov.vmware.com": DomInfo{Vendor: "VMWare Carbon Black", TTL: 3600}, + "defense-prodsyd.conferdeploy.net": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60}, + "carbonblack.com": DomInfo{Vendor: "VMWare Carbon Black", TTL: 300}, + "defense-eap01.conferdeploy.net": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60}, + "defense-eu.conferdeploy.net": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60}, // CrowdStrike Falcon // https://www.dell.com/support/kbdoc/en-us/000177899/crowdstrike-falcon-sensor-system-requirements - "crowdstrike.com": "CrowdStrike Falcon", - "ts01-b.cloudsink.net": "CrowdStrike Falcon", - "lfodown01-b.cloudsink.net": "CrowdStrike Falcon", - "lfoup01-b.cloudsink.net": "CrowdStrike Falcon", - "falcon.crowdstrike.com": "CrowdStrike Falcon", - "assets.falcon.crowdstrike.com": "CrowdStrike Falcon", - "assets-public.falcon.crowdstrike.com": "CrowdStrike Falcon", - "api.crowdstrike.com": "CrowdStrike Falcon", - "firehose.crowdstrike.com": "CrowdStrike Falcon", - 
"ts01-gyr-maverick.cloudsink.net": "CrowdStrike Falcon", - "lfodown01-gyr-maverick.cloudsink.net": "CrowdStrike Falcon", - "lfoup01-gyr-maverick.cloudsink.net": "CrowdStrike Falcon", - "falcon.us-2.crowdstrike.com": "CrowdStrike Falcon", - "assets.falcon.us-2.crowdstrike.com": "CrowdStrike Falcon", - "assets-public.us-2.falcon.crowdstrike.com": "CrowdStrike Falcon", - "api.us-2.crowdstrike.com": "CrowdStrike Falcon", - "firehose.us-2.crowdstrike.com": "CrowdStrike Falcon", - "ts01-laggar-gcw.cloudsink.net": "CrowdStrike Falcon", - "sensorproxy-laggar-g-524628337.us-gov-west-1.elb.amazonaws.com": "CrowdStrike Falcon", - "lfodown01-laggar-gcw.cloudsink.net": "CrowdStrike Falcon", - "ELB-Laggar-P-LFO-DOWNLOAD-1265997121.us-gov-west-1.elb.amazonaws.com": "CrowdStrike Falcon", - "falcon.laggar.gcw.crowdstrike.com": "CrowdStrike Falcon", - "laggar-falconui01-g-245478519.us-gov-west-1.elb.amazonaws.com": "CrowdStrike Falcon", - "api.laggar.gcw.crowdstrike.com": "CrowdStrike Falcon", - "firehose.laggar.gcw.crowdstrike.com": "CrowdStrike Falcon", - "falconhose-laggar01-g-720386815.us-gov-west-1.elb.amazonaws.com": "CrowdStrike Falcon", - "ts01-us-gov-2.cloudsink.net": "CrowdStrike Falcon", - "lfodown01-us-gov-2.cloudsink.net": "CrowdStrike Falcon", - "api.us-gov-2.crowdstrike.com": "CrowdStrike Falcon", - "firehose.us-gov-2.crowdstrike.com": "CrowdStrike Falcon", - "ts01-lanner-lion.cloudsink.net": "CrowdStrike Falcon", - "lfodown01-lanner-lion.cloudsink.net": "CrowdStrike Falcon", - "lfoup01-lanner-lion.cloudsink.net": "CrowdStrike Falcon", - "assets.falcon.eu-1.crowdstrike.com": "CrowdStrike Falcon", - "assets-public.falcon.eu-1.crowdstrike.com": "CrowdStrike Falcon", - "api.eu-1.crowdstrike.com": "CrowdStrike Falcon", - "firehose.eu-1.crowdstrike.com": "CrowdStrike Falcon", + "falcon.us-2.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120}, + "falcon.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60}, + "ts01-gyr-maverick.cloudsink.net": 
DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800}, + "us-gov-2.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 900}, + "api.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 300}, + "ts01-b.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800}, + "firehose.us-gov-2.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60}, + "assets.falcon.eu-1.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120}, + "api.eu-1.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120}, + "lfodown01-b.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800}, + "assets-public.falcon.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60}, + "assets.falcon.us-2.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120}, + "api.us-2.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120}, + "assets-public.us-2.falcon.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120}, + "firehose.laggar.gcw.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60}, + "ts01-lanner-lion.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800}, + "lfoup01-lanner-lion.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800}, + "assets-public.falcon.eu-1.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120}, + "crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 300}, + "lfoup01-gyr-maverick.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800}, + "lfoup01-b.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800}, + "ts01-laggar-gcw.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60}, + "falconhose-laggar01-g-720386815.us-gov-west-1.elb.amazonaws.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60}, + "ts01-us-gov-2.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800}, + "laggar-falconui01-g-245478519.us-gov-west-1.elb.amazonaws.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60}, + 
"assets.falcon.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60}, + "lfodown01-lanner-lion.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800}, + "falcon.laggar.gcw.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60}, + "firehose.us-2.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120}, + "firehose.eu-1.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120}, + "lfodown01-laggar-gcw.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60}, + "api.laggar.gcw.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60}, + "lfodown01-gyr-maverick.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800}, + "lfodown01-us-gov-2.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800}, + "sensorproxy-laggar-g-524628337.us-gov-west-1.elb.amazonaws.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60}, + "firehose.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 300}, + "ELB-Laggar-P-LFO-DOWNLOAD-1265997121.us-gov-west-1.elb.amazonaws.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60}, // Harmony / CheckPoint // https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116590 - "checkpoint.com": "CheckPoint Harmony", - "us-east4-chkp-gcp-rnd-threat-hunt-box.cloudfunctions.net": "CheckPoint Harmony", - "europe-west1-datatube-240519.cloudfunctions.net": "CheckPoint Harmony", - "datatube-prod.azurewebsites.net": "CheckPoint Harmony", - "epmgmt.checkpoint.com": "CheckPoint Harmony", - "endpoint-cdn.epmgmt.checkpoint.com": "CheckPoint Harmony", - "ep-repo.epmgmt.checkpoint.com": "CheckPoint Harmony", - "epm-gw-eu.epmgmt.checkpoint.com": "CheckPoint Harmony", - "file-rep.iaas.checkpoint.com": "CheckPoint Harmony", - "url-rep.iaas.checkpoint.com": "CheckPoint Harmony", - "threatcloud.iaas.checkpoint.com": "CheckPoint Harmony", - "te.iaas.checkpoint.com": "CheckPoint Harmony", - "sba-data-collection.iaas.checkpoint.com": 
"CheckPoint Harmony", - "iaas.checkpoint.com": "CheckPoint Harmony", - "cws.checkpoint.com": "CheckPoint Harmony", - "rep.checkpoint.com": "CheckPoint Harmony", - "te.checkpoint.com": "CheckPoint Harmony", - "threat-emulation.checkpoint.com": "CheckPoint Harmony", - "kav8.checkpoint.com": "CheckPoint Harmony", - "secureupdates.checkpoint.com": "CheckPoint Harmony", - "sc1.checkpoint.com": "CheckPoint Harmony", - "updates.checkpoint.com": "CheckPoint Harmony", - "dl3.checkpoint.com": "CheckPoint Harmony", - "cloudinfra-gw.portal.checkpoint.com": "CheckPoint Harmony", - "gwevents.checkpoint.com": "CheckPoint Harmony", - "teadv.checkpoint.com": "CheckPoint Harmony", - "services.checkpoint.com": "CheckPoint Harmony", + "rep.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800}, + "threat-emulation.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800}, + "epmgmt.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 900}, + "sc1.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800}, + "gwevents.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 193}, + "gwevents.us.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 193}, + "endpoint-cdn.epmgmt.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 300}, + "checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 32}, + "iaas.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 900}, + "kav8.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800}, + "cloudinfra-gw.portal.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 60}, + "datatube-prod.azurewebsites.net": DomInfo{Vendor: "CheckPoint Harmony", TTL: 30}, + "updates.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800}, + "ep-repo.epmgmt.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 300}, + "file-rep.iaas.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 60}, + "threatcloud.iaas.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 
60}, + "dl3.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800}, + "secureupdates.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800}, + "epm-gw-eu.epmgmt.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 86400}, + "url-rep.iaas.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 60}, + "te.iaas.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 60}, + "services.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800}, + "europe-west1-datatube-240519.cloudfunctions.net": DomInfo{Vendor: "CheckPoint Harmony", TTL: 300}, + "cws.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800}, + "teadv.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800}, + "us-east4-chkp-gcp-rnd-threat-hunt-box.cloudfunctions.net": DomInfo{Vendor: "CheckPoint Harmony", TTL: 300}, + "te.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800}, // Cybereason // https://docs.cybereason.com/en/latest/cloud_deploy/enablecommunication.html - "cybereason.com": "Cybereason", - "probe-dist.cybereason.net": "Cybereason", - "data-epgw.cybereason.net": "Cybereason", - "probe-dist-eu-west-1.cybereason.net": "Cybereason", - "data-epgw-eu-west-1.cybereason.net": "Cybereason", - "probe-dist-asia-northeast-1.cybereason.net": "Cybereason", - "data-epgw-asia-northeast-1.cybereason.net": "Cybereason", + "data-epgw-eu-west-1.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 300}, + "probe-dist-asia-northeast-1.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 60}, + "data-epgw-asia-northeast-1.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 300}, + "probe-dist.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 300}, + "probe-dist-eu-west-1.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 300}, + "data-epgw.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 300}, + "cybereason.com": DomInfo{Vendor: "Cybereason", TTL: 300}, // FireEye / Trellix // 
https://kcm.trellix.com/corporate/index?page=content&id=KB90878 - "api.manage.trellix.com": "Trellix", - "uam.api.trellix.com": "Trellix", - "cdn-usw001.manage.trellix.com": "Trellix", - "sw-usw001.manage.trellix.com": "Trellix", - "cdn-usw002.manage.trellix.com": "Trellix", - "sw-usw002.manage.trellix.com": "Trellix", - "cdn-usw003.manage.trellix.com": "Trellix", - "sw-usw003.manage.trellix.com": "Trellix", - "cdn-usw004.manage.trellix.com": "Trellix", - "sw-usw004.manage.trellix.com": "Trellix", - "cdn-sgp001.manage.trellix.com": "Trellix", - "sw-sgp001.manage.trellix.com": "Trellix", - "cdn-eu001.manage.trellix.com": "Trellix", - "sw-eu001.manage.trellix.com": "Trellix", - "cdn-au001.manage.trellix.com": "Trellix", - "sw-au001.manage.trellix.com": "Trellix", - "cdn-ind001.manage.trellix.com": "Trellix", - "sw-ind001.manage.trellix.com": "Trellix", - "cds-usw001.manage.trellix.com": "Trellix", - "cds-usw002.manage.trellix.com": "Trellix", - "cds-usw003.manage.trellix.com": "Trellix", - "cds-usw004.manage.trellix.com": "Trellix", - "dxl-usw001.manage.trellix.com": "Trellix", - "dxl-usw002.manage.trellix.com": "Trellix", - "dxl-usw003.manage.trellix.com": "Trellix", - "dxl-usw004.manage.trellix.com": "Trellix", - "dxlweb-usw001.manage.trellix.com": "Trellix", - "dxlweb-usw002.manage.trellix.com": "Trellix", - "dxlweb-usw003.manage.trellix.com": "Trellix", - "dxlweb-usw004.manage.trellix.com": "Trellix", + "manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 900}, + "cds-usw001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, + "sw-eu001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, + "cdn-usw002.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, + "sw-ind001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, + "cdn-usw001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, + "cdn-usw003.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, + "auth.ui.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, + 
"uam.api.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, + "cds-usw002.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, + "trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, + "sw-usw003.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, + "sw-usw004.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 300}, + "dxlweb-usw001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, + "cds-usw003.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, + "cdn-sgp001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, + "dxlweb-usw002.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, + "cdn-ind001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, + "dxl-usw002.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, + "sw-usw001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, + "dxl-usw001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, + "dxlweb-usw003.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, + "cds-usw004.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, + "cdn-au001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, + "sw-usw002.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, + "api.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, + "sw-sgp001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, + "dxlweb-usw004.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, + "cdn-usw004.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, + "sw-au001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, + "dxl-usw004.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, + "dxl-usw003.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, + "cdn-eu001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60}, // Cortex XDR / Palo Alto Networks // https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Resources-Required-to-Enable-Access - "paloaltonetworks.com": "Palo Alto Networks", - 
"lrc-us.paloaltonetworks.com": "Palo Alto Networks",
- "lrc-eu.paloaltonetworks.com": "Palo Alto Networks",
- "lrc-ca.paloaltonetworks.com": "Palo Alto Networks",
- "lrc-uk.paloaltonetworks.com": "Palo Alto Networks",
- "lrc-jp.paloaltonetworks.com": "Palo Alto Networks",
- "lrc-sg.paloaltonetworks.com": "Palo Alto Networks",
- "lrc-au.paloaltonetworks.com": "Palo Alto Networks",
- "lrc-de.paloaltonetworks.com": "Palo Alto Networks",
- "lrc-in.paloaltonetworks.com": "Palo Alto Networks",
- "lrc-ch.paloaltonetworks.com": "Palo Alto Networks",
- "lrc-pl.paloaltonetworks.com": "Palo Alto Networks",
- "lrc-tw.paloaltonetworks.com": "Palo Alto Networks",
- "lrc-qt.paloaltonetworks.com": "Palo Alto Networks",
- "lrc-fa.paloaltonetworks.com": "Palo Alto Networks",
- "panw-xdr-evr-prod-us.storage.googleapis.com": "Palo Alto Networks",
- "panw-xdr-evr-prod-eu.storage.googleapis.com": "Palo Alto Networks",
- "panw-xdr-evr-prod-ca.storage.googleapis.com": "Palo Alto Networks",
- "panw-xdr-evr-prod-uk.storage.googleapis.com": "Palo Alto Networks",
- "panw-xdr-evr-prod-jp.storage.googleapis.com": "Palo Alto Networks",
- "panw-xdr-evr-prod-sg.storage.googleapis.com": "Palo Alto Networks",
- "panw-xdr-evr-prod-au.storage.googleapis.com": "Palo Alto Networks",
- "panw-xdr-evr-prod-de.storage.googleapis.com": "Palo Alto Networks",
- "panw-xdr-evr-prod-in.storage.googleapis.com": "Palo Alto Networks",
- "panw-xdr-evr-prod-ch.storage.googleapis.com": "Palo Alto Networks",
- "panw-xdr-evr-prod-pl.storage.googleapis.com": "Palo Alto Networks",
- "panw-xdr-evr-prod-tw.storage.googleapis.com": "Palo Alto Networks",
- "panw-xdr-evr-prod-qt.storage.googleapis.com": "Palo Alto Networks",
- "panw-xdr-evr-prod-fa.storage.googleapis.com": "Palo Alto Networks",
- "panw-xdr-installers-prod-us.storage.googleapis.com": "Palo Alto Networks",
- "panw-xdr-payloads-prod-us.storage.googleapis.com": "Palo Alto Networks",
- "global-content-profiles-policy.storage.googleapis.com": "Palo Alto Networks",
- "login.paloaltonetworks.com": "Palo Alto Networks",
- "pendo-static-5664029141630976.storage.googleapis.com": "Palo Alto Networks",
+ "panw-xdr-evr-prod-au.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "lrc-eu.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
+ "global-content-profiles-policy.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "panw-xdr-evr-prod-uk.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "lrc-ch.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
+ "lrc-jp.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
+ "panw-xdr-evr-prod-qt.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "panw-xdr-evr-prod-pl.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "pendo-static-5664029141630976.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "panw-xdr-evr-prod-sg.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "lrc-uk.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
+ "lrc-us.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
+ "lrc-tw.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 1800},
+ "panw-xdr-evr-prod-eu.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "lrc-ca.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
+ "paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 30},
+ "lrc-fa.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 30},
+ "panw-xdr-evr-prod-in.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "panw-xdr-evr-prod-fa.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "panw-xdr-evr-prod-ca.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "lrc-pl.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
+ "lrc-qt.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "panw-xdr-evr-prod-us.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "lrc-de.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "panw-xdr-installers-prod-us.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "panw-xdr-evr-prod-ch.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "lrc-in.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
+ "panw-xdr-evr-prod-de.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "lrc-au.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
+ "panw-xdr-evr-prod-tw.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "login.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
+ "lrc-sg.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
+ "panw-xdr-evr-prod-jp.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "panw-xdr-payloads-prod-us.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
 // Singularity / SentinelOne
- "sentinelone.com": "SentinelOne",
- "xdr.intus1.sentinelone.net": "SentinelOne",
- "console.mobile.sentinelone.net": "SentinelOne",
- "content.mobile.sentinelone.net": "SentinelOne",
- "device-api.mobile.sentinelone.net": "SentinelOne",
- "eu1-acceptor.mobile.sentinelone.net": "SentinelOne",
- "eu1-console.mobile.sentinelone.net": "SentinelOne",
- "eu1-content.mobile.sentinelone.net": "SentinelOne",
- "eu1-device-api.mobile.sentinelone.net": "SentinelOne",
- "eu1-oauth.mobile.sentinelone.net": "SentinelOne",
- "eu1-panel.mobile.sentinelone.net": "SentinelOne",
- "eu1-qi.mobile.sentinelone.net": "SentinelOne",
- "eu1-token.mobile.sentinelone.net": "SentinelOne",
- "eu1-vpc.mobile.sentinelone.net": "SentinelOne",
- "ut.sentinelone.net": "SentinelOne",
- "oauth.mobile.sentinelone.net": "SentinelOne",
- "panel.mobile.sentinelone.net": "SentinelOne",
+ "eu1-oauth.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
+ "eu1-qi.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
+ "console.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
+ "sentinelone.com": DomInfo{Vendor: "SentinelOne", TTL: 300},
+ "eu1-console.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
+ "eu1-content.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
+ "panel.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
+ "oauth.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
+ "xdr.intus1.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 60},
+ "eu1-device-api.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
+ "eu1-vpc.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
+ "eu1-acceptor.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
+ "login.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
+ "device-api.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
+ "eu1-panel.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
+ "eu1-token.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
+ "content.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
+ "ut.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
 // Symantec / Broadcom
 // https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-detection-and-response/4-7/about-v96380626-d38e6/required-firewall-ports-v97213154-d38e5602.html
- "symantec.com": "Symantec",
- "remotetunnel1.edrc.symantec.com": "Symantec",
- "remotetunnel2.edrc.symantec.com": "Symantec",
- "remotetunnel3.edrc.symantec.com": "Symantec",
- "remotetunnel4.edrc.symantec.com": "Symantec",
- "remotetunnel5.edrc.symantec.com": "Symantec",
- "api-gateway.symantec.com": "Symantec",
- "liveupdate.symantec.com": "Symantec",
- "ratings-wrs.symantec.com": "Symantec",
- "stnd-avpg.crsi.symantec.com": "Symantec",
- "stnd-ipsg.crsi.symantec.com": "Symantec",
- "central.b6.crsi.symantec.com": "Symantec",
- "bash-avpg.crsi.symantec.com": "Symantec",
- "swupdate.brightmail.com": "Symantec",
- "shasta-rrs.symantec.com": "Symantec",
- "shasta-mrs.symantec.com": "Symantec",
- "datafeedapi.symanteccloud.com": "Symantec",
- "telemetry.broadcom.com": "Symantec",
- "sso1.edrc.symantec.com": "Symantec",
+ "remotetunnel5.edrc.symantec.com": DomInfo{Vendor: "Symantec", TTL: 600},
+ "remotetunnel1.edrc.symantec.com": DomInfo{Vendor: "Symantec", TTL: 600},
+ "remotetunnel3.edrc.symantec.com": DomInfo{Vendor: "Symantec", TTL: 600},
+ "bash-avpg.crsi.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
+ "remotetunnel2.edrc.symantec.com": DomInfo{Vendor: "Symantec", TTL: 600},
+ "central.b6.crsi.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
+ "stnd-ipsg.crsi.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
+ "datafeedapi.symanteccloud.com": DomInfo{Vendor: "Symantec", TTL: 300},
+ "stnd-avpg.crsi.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
+ "shasta-rrs.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
+ "remotetunnel4.edrc.symantec.com": DomInfo{Vendor: "Symantec", TTL: 600},
+ "liveupdate.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3135},
+ "sso1.edrc.symantec.com": DomInfo{Vendor: "Symantec", TTL: 600},
+ "shasta-mrs.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
+ "telemetry.broadcom.com": DomInfo{Vendor: "Symantec", TTL: 3600},
+ "ratings-wrs.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
+ "api-gateway.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
+ "swupdate.brightmail.com": DomInfo{Vendor: "Symantec", TTL: 3600},
+ "symantec.com": DomInfo{Vendor: "Symantec", TTL: 600},
 // Tanium
- "tanium.com": "Tanium",
- "shared.prd-int-manage.mdm.cloud.tanium.com": "Tanium",
- "shared.prd-int.mdm.cloud.tanium.com": "Tanium",
- "shared.prd-us-1-manage.mdm.cloud.tanium.com": "Tanium",
- "shared.prd-us-1.mdm.cloud.tanium.com": "Tanium",
- "prd-int-manage.mdm.cloud.tanium.com": "Tanium",
- "prd-int.mdm.cloud.tanium.com": "Tanium",
- "prd-us-1-manage.mdm.cloud.tanium.com": "Tanium",
- "prd-us-1.mdm.cloud.tanium.com": "Tanium",
- "prd.mdm.cloud.tanium.com": "Tanium",
- "jp.tanium.com": "Tanium",
- "docs-es.tanium.com": "Tanium",
- "docs-fr.tanium.com": "Tanium",
- "docs-ko.tanium.com": "Tanium",
+ "docs-es.tanium.com": DomInfo{Vendor: "Tanium", TTL: 300},
+ "prd-us-1-manage.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 900},
+ "docs-ko.tanium.com": DomInfo{Vendor: "Tanium", TTL: 300},
+ "tanium.com": DomInfo{Vendor: "Tanium", TTL: 300},
+ "prd-int.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 900},
+ "shared.prd-int.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 900},
+ "prd.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 900},
+ "jp.tanium.com": DomInfo{Vendor: "Tanium", TTL: 300},
+ "docs-fr.tanium.com": DomInfo{Vendor: "Tanium", TTL: 300},
+ "shared.prd-us-1-manage.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 900},
+ "shared.prd-us-1.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 900},
+ "prd-int-manage.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 900},
+ "prd-us-1.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 300},
+ "shared.prd-int-manage.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 300},
 // Aurora
 // https://aurora-agent-manual.nextron-systems.com/en/latest/usage/upgrade-and-updates.html
- "update-102.nextron-systems.com": "Nextron Aurora",
- "update-201.nextron-systems.com": "Nextron Aurora",
- "update-202.nextron-systems.com": "Nextron Aurora",
- "update-aurora.nextron-systems.com": "Nextron Aurora",
- "update-lite.nextron-systems.com": "Nextron Aurora",
+ "update-aurora.nextron-systems.com": DomInfo{Vendor: "Nextron Aurora", TTL: 60},
+ "update-102.nextron-systems.com": DomInfo{Vendor: "Nextron Aurora", TTL: 60},
+ "update-202.nextron-systems.com": DomInfo{Vendor: "Nextron Aurora", TTL: 60},
+ "update-201.nextron-systems.com": DomInfo{Vendor: "Nextron Aurora", TTL: 60},
+ "update-lite.nextron-systems.com": DomInfo{Vendor: "Nextron Aurora", TTL: 60},
 // Trend Micro
 // https://docs.trendmicro.com/en-us/documentation/article/deep-discovery-director-(consolidated-mode)-53-online-help-service-addresses-an_002
 // https://cloudone.trendmicro.com/docs/workload-security/communication-ports-urls-ip/
- "api.eu.nacloud.trendmicro.com": "Trend Micro",
- "api.jp.nacloud.trendmicro.com": "Trend Micro",
- "api.sg.nacloud.trendmicro.com": "Trend Micro",
- "api.us.nacloud.trendmicro.com": "Trend Micro",
- "docs.trendmicro.com": "Trend Micro",
- "licenseupdate.trendmicro.com": "Trend Micro",
- "api.nacloud.trendmicro.com": "Trend Micro",
- "trendmicro.com": "Trend Micro",
- "files.trendmicro.com": "Trend Micro",
- "xdr.trendmicro.com": "Trend Micro",
- "xdr.trendmicro.co.jp": "Trend Micro",
- "trenddefense.com": "Trend Micro",
- "ddd53-p.activeupdate.trendmicro.com": "Trend Micro",
- "ddd53-threatconnect.trendmicro.com": "Trend Micro",
- "threatconnect.trendmicro.com": "Trend Micro",
- "cloudone.trendmicro.com": "Trend Micro",
+ "xdr.trendmicro.co.jp": DomInfo{Vendor: "Trend Micro", TTL: 60},
+ "files.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 1800},
+ "api.nacloud.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 60},
+ "cloudone.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 60},
+ "ddd53-p.activeupdate.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 1800},
+ "trenddefense.com": DomInfo{Vendor: "Trend Micro", TTL: 300},
+ "threatconnect.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 1800},
+ "api.sg.nacloud.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 60},
+ "trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 1800},
+ "api.jp.nacloud.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 60},
+ "api.eu.nacloud.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 60},
+ "docs.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 1799},
+ "api.us.nacloud.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 60},
+ "ddd53-threatconnect.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 1800},
+ "licenseupdate.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 1800},
+ "xdr.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 60},
 }