overhaul; recursive fallback method, irregularity handling, restructuring, etc

delorean 2023-12-19 17:25:17 -06:00
parent aea4670c9c
commit be54a51064
5 changed files with 451 additions and 359 deletions


@ -2,21 +2,12 @@ package main
import ( import (
"flag" "flag"
"fmt"
"time"
"patdown/common" "patdown/common"
"github.com/miekg/dns"
) )
type multiflag []string type multiflag []string
type Pair struct {
Nameserver string
Domain string
}
func (m *multiflag) String() string { func (m *multiflag) String() string {
return "irc.supernets.org #superbowl" return "irc.supernets.org #superbowl"
} }
@ -29,123 +20,41 @@ func (m *multiflag) Set(value string) error {
var ( var (
domain = flag.String("t", "", "") domain = flag.String("t", "", "")
workers = flag.Int("c", 100, "") workers = flag.Int("c", 100, "")
delay = flag.Int("s", 100, "") delay = flag.Int("s", 50, "")
nameserver multiflag nsarg multiflag
) )
func message(domain string, reqtype uint16, ra bool) *dns.Msg {
msg := new(dns.Msg)
msg.Id = dns.Id()
msg.RecursionDesired = ra
msg.Question = make([]dns.Question, 1)
msg.Question[0] = dns.Question{dns.Fqdn(domain), reqtype, dns.ClassINET}
return msg
}
func query(q <-chan Pair, tracker chan<- interface{}) {
for pair := range q {
msg := message(pair.Domain, dns.TypeA, false)
in, err := dns.Exchange(msg, pair.Nameserver+":53")
if err != nil {
common.Error(err.Error())
continue
}
if len(in.Answer) > 0 {
fmt.Printf("[%s] associated domain %s found on %s\n", common.Vendors[common.Domains[pair.Domain]], pair.Domain, pair.Nameserver)
}
time.Sleep(time.Duration(*delay) * time.Millisecond)
}
tracker <- 1337
}
func testns(ns string) error {
msg := message("supernets.org", dns.TypeA, false)
_, err := dns.Exchange(msg, ns+":53")
if err != nil {
return err
}
return nil
}
func testreq() bool {
msg := message("cloudflare.com", dns.TypeA, false)
in, err := dns.Exchange(msg, "1.1.1.1:53")
if err != nil {
return false
}
if len(in.Answer) > 0 {
return true
}
return false
}
func main() { func main() {
flag.Var(&nameserver, "n", "nameserver to query") flag.Var(&nsarg, "n", "")
flag.Usage = common.Usage flag.Usage = common.Usage
flag.Parse() flag.Parse()
var nameservers []string
pairs := make(chan Pair)
tracker := make(chan interface{})
common.Banner() common.Banner()
if *domain != "" { if *domain != "" {
// query domain for nameservers common.Info("aggregating nameservers...")
nsmsg := message(*domain, dns.TypeNS, true) common.PullNS(*domain)
in, err := dns.Exchange(nsmsg, "1.1.1.1:53") } else if len(nsarg) > 0 {
if err != nil { for _, ns := range nsarg {
panic(err) common.Nameservers = append(common.Nameservers, ns)
}
for _, ans := range in.Answer {
ns, ok := ans.(*dns.NS)
if ok {
nameservers = append(nameservers, ns.Ns)
}
}
} else if len(nameserver) > 0 {
for _, ns := range nameserver {
nameservers = append(nameservers, ns)
} }
} else { } else {
// print usage
common.Usage() common.Usage()
return return
} }
if !testreq() { common.Verify()
common.Fatal("non-recursive queries are being refused, are you on a very dirty box or VPN?")
}
common.Info("aggregating nameservers...") common.Run(false, *workers, *delay)
for i, ns := range nameservers { if !common.Found {
if err := testns(ns); err != nil { if len(common.Recursive) > 0 {
common.Error("nameserver " + ns + " is not responding") common.Warning("no associated domains found, attempting recursive snooping...")
nameservers = append(nameservers[:i], nameservers[i+1:]...) common.Run(true, *workers, *delay)
} }
} }
common.Info(fmt.Sprintf("snooping caches on %d resolvers...", len(nameservers))) if !common.Found {
common.Error("no associated domains retrieved")
go func() {
for i := 0; i < *workers; i++ {
query(pairs, tracker)
}
}()
for _, ns := range nameservers {
for k, _ := range common.Domains {
pairs <- Pair{Nameserver: ns, Domain: k}
}
}
close(pairs)
for x := 0; x < *workers; x++ {
<-tracker
} }
} }
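Review bot: `*workers` and `*delay` go from the flags straight into `common.Run` with no range check in `main`. `Run` (common/dns.go, on this page) starts its consumers inside `for i := 0; i < threads; i++`, so `-c 0` or a negative value starts no reader and the first `pairs <- Pair{...}` send on the unbuffered channel blocks for good. Reject bad values right after `flag.Parse()`, reusing the usage path this function already has: `if *workers < 1 || *delay < 0 { common.Usage(); return }`. A negative `-s` is harmless to `time.Sleep`, but rejecting it keeps the flag's meaning unambiguous.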

BIN
cmd/patdown/patdown_dec18 Executable file

Binary file not shown.

BIN
cmd/patdown/patdown_dec19 Executable file

Binary file not shown.

174
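--- /dev/null
+++ b/common/dns.go
@@ -0,0 +1,174 @@
+package common
+import (
+"fmt"
+"time"
+"github.com/miekg/dns"
+)
+type Pair struct {
+Nameserver string
+Domain string
+}
+var (
+Nameservers, Valid, Recursive []string
+Found bool
+)
+func message(domain string, reqtype uint16, ra bool) *dns.Msg {
+msg := new(dns.Msg)
+msg.Id = dns.Id()
+msg.RecursionDesired = ra
+msg.Question = make([]dns.Question, 1)
+msg.Question[0] = dns.Question{dns.Fqdn(domain), reqtype, dns.ClassINET}
+return msg
+}
+func ParseNS(nservers []string) ([]string, []string) {
+var valid, recursive []string
+msg := message("supernets.org", dns.TypeA, false)
+for _, ns := range nservers {
+in, err := dns.Exchange(msg, ns+":53")
+if err != nil {
+Error("nameserver " + ns + " is not responding")
+continue
+}
+if in.Rcode == dns.RcodeRefused {
+Warning("nameserver " + ns + " refused the test query, non-recursive snooping may not be viable")
+}
+if in.RecursionAvailable {
+Success("nameserver " + ns + " is recursive")
+recursive = append(recursive, ns)
+}
+valid = append(valid, ns)
+}
+return valid, recursive
+}
+func TestReq() bool {
+msg := message("cloudflare.com", dns.TypeA, false)
+in, err := dns.Exchange(msg, "1.1.1.1:53")
+if err != nil {
+return false
+}
+if len(in.Answer) > 0 {
+return true
+}
+return false
+}
+func PullNS(d string) {
+nsmsg := message(d, dns.TypeNS, true)
+in, err := dns.Exchange(nsmsg, "1.1.1.1:53")
+if err != nil {
+Fatal("unable to retrieve nameservers for " + d)
+}
+for _, ans := range in.Answer {
+ns, ok := ans.(*dns.NS)
+if ok {
+Nameservers = append(Nameservers, ns.Ns)
+}
+}
+}
+func Verify() {
+if !TestReq() {
+Error("neutral non-recursive query was refused, are you on a vpn or dirty box?")
+}
+Success("neutral non-recursive test query succeeded")
+Valid, Recursive = ParseNS(Nameservers)
+Info(fmt.Sprintf("%d/%d nameservers are recursive", len(Recursive), len(Valid)))
+if len(Valid) == 0 {
+Fatal("no valid nameservers available")
+}
+}
+func Query(q <-chan Pair, tracker chan<- interface{}, delay int) {
+for pair := range q {
+msg := message(pair.Domain, dns.TypeA, false)
+in, err := dns.Exchange(msg, pair.Nameserver+":53")
+if err != nil {
+Error(err.Error())
+continue
+}
+if len(in.Answer) > 0 {
+Found = true
+fmt.Printf("[%s] associated domain %s found on %s\n", Vendors[Domains[pair.Domain].Vendor], pair.Domain, pair.Nameserver)
+}
+time.Sleep(time.Duration(delay) * time.Millisecond)
+}
+tracker <- 1337
+}
+func QueryRA(q <-chan Pair, tracker chan<- interface{}, delay int) {
+for pair := range q {
+msg := message(pair.Domain, dns.TypeA, true)
+for x := 0; x < 3; x++ {
+in, err := dns.Exchange(msg, pair.Nameserver+":53")
+if err != nil {
+Error("hiccup on " + pair.Nameserver + " retrying...")
+time.Sleep(1 * time.Second)
+continue
+}
+if len(in.Answer) > 0 {
+Found = true
+if in.Answer[0].Header().Ttl != Domains[pair.Domain].TTL {
+fmt.Printf("[%s] associated domain %s found on %s with mismatched TTL of %d\n", Vendors[Domains[pair.Domain].Vendor], pair.Domain, pair.Nameserver, in.Answer[0].Header().Ttl)
+}
+break
+}
+}
+time.Sleep(time.Duration(delay) * time.Millisecond)
+}
+tracker <- 1337
+}
+func Run(ra bool, threads, delay int) {
+pairs := make(chan Pair)
+tracker := make(chan interface{})
+if !ra {
+// non-recursive snoop
+Info(fmt.Sprintf("non-recursive snooping on %d resolvers...\n", len(Valid)))
+go func() {
+for i := 0; i < threads; i++ {
+Query(pairs, tracker, delay)
+}
+}()
+for _, ns := range Valid {
+for k, _ := range Domains {
+pairs <- Pair{Nameserver: ns, Domain: k}
+}
+}
+close(pairs)
+} else {
+Info(fmt.Sprintf("recursively snooping on %d resolvers...\n", len(Recursive)))
+go func() {
+for i := 0; i < threads; i++ {
+QueryRA(pairs, tracker, delay)
+}
+}()
+for _, ns := range Recursive {
+for k, _ := range Domains {
+pairs <- Pair{Nameserver: ns, Domain: k}
+}
+}
+close(pairs)
+}
+for x := 0; x < threads; x++ {
+<-tracker
+}
+}
+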
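Review bot: `Verify` logs `Success("neutral non-recursive test query succeeded")` unconditionally, so when `TestReq()` returns false the error line is immediately followed by a success line. The code this replaces stopped with `common.Fatal` at that point; if `Error` only logs (its use before `continue` in `ParseNS` suggests so), the run now carries on after a failed baseline check and whatever it reports afterwards cannot be trusted. Make the two outcomes exclusive, `if !TestReq() { Error(...) } else { Success(...) }`, or return early on failure. Separately, `PullNS` reads `in.Answer` after `Fatal(...)`, which is a nil dereference unless `Fatal` exits; a `return` after that call makes the intent explicit.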


@ -1,287 +1,296 @@
package common package common
var Domains = map[string]string{ type DomInfo struct {
Vendor string
TTL uint32
}
var Domains = map[string]DomInfo{
// Microsoft Defender for Endpoint // Microsoft Defender for Endpoint
//https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus?view=o365-worldwide#services-and-urls //https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus?view=o365-worldwide#services-and-urls
"security.microsoft.com": "Microsoft Defender for Endpoint", "ussus2westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"download.microsoft.com": "Microsoft Defender for Endpoint", "download.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3588},
"ussus1eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint", "go.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 1228},
"ussus2eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint", "ussus1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"ussus3eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint", "wsus2westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"ussus4eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint", "security.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3589},
"wsus1eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint", "wseu1northprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"wsus2eastprod.blob.core.windows.net": "Microsoft Defender for Endpoint", "wsus2eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"ussus1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint", "ussus3westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"ussus2westprod.blob.core.windows.net": "Microsoft Defender for Endpoint", "wsus1eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"ussus3westprod.blob.core.windows.net": "Microsoft Defender for Endpoint", "wsuk1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"ussus4westprod.blob.core.windows.net": "Microsoft Defender for Endpoint", "ussus2eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"wsus1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint", "settings-win.data.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 2629},
"wsus2westprod.blob.core.windows.net": "Microsoft Defender for Endpoint", "usseu1northprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"usseu1northprod.blob.core.windows.net": "Microsoft Defender for Endpoint", "wsus1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"wseu1northprod.blob.core.windows.net": "Microsoft Defender for Endpoint", "usseu1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"usseu1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint", "ussus1eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"wseu1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint", "ussuk1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"ussuk1southprod.blob.core.windows.net": "Microsoft Defender for Endpoint", "ctldl.windowsupdate.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 980},
"wsuk1southprod.blob.core.windows.net": "Microsoft Defender for Endpoint", "ussus4eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"ussuk1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint", "vortex-win.data.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 120},
"wsuk1westprod.blob.core.windows.net": "Microsoft Defender for Endpoint", "wseu1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"settings-win.data.microsoft.com": "Microsoft Defender for Endpoint", "ussuk1southprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"vortex-win.data.microsoft.com": "Microsoft Defender for Endpoint", "windowsupdate.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 300},
"go.microsoft.com": "Microsoft Defender for Endpoint", "ussus3eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"ctldl.windowsupdate.com": "Microsoft Defender for Endpoint", "ussus4westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"windowsupdate.com": "Microsoft Defender for Endpoint", "wsuk1southprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
// VMWare Carbon Black // VMWare Carbon Black
// https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#index-of-base-urls // https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#index-of-base-urls
"carbonblack.com": "VMWare Carbon Black", "defense-prod05.conferdeploy.net": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60},
"carbonblack.io": "VMWare Carbon Black", "console.cloud.vmware.com": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60},
"defense-eap01.conferdeploy.net": "VMWare Carbon Black", "updates2.cdc.carbonblack.io": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60},
"dashboard.confer.net": "VMWare Carbon Black", "dashboard.confer.net": DomInfo{Vendor: "VMWare Carbon Black", TTL: 300},
"defense.conferdeploy.net": "VMWare Carbon Black", "console.cloud-us-gov.vmware.com": DomInfo{Vendor: "VMWare Carbon Black", TTL: 300},
"defense-prod05.conferdeploy.net": "VMWare Carbon Black", "ew2.carbonblackcloud.vmware.com": DomInfo{Vendor: "VMWare Carbon Black", TTL: 300},
"defense-eu.conferdeploy.net": "VMWare Carbon Black", "defense.conferdeploy.net": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60},
"defense-prodnrt.conferdeploy.net": "VMWare Carbon Black", "carbonblack.io": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60},
"defense-prodsyd.conferdeploy.net": "VMWare Carbon Black", "carbonblack.vmware.com": DomInfo{Vendor: "VMWare Carbon Black", TTL: 3600},
"ew2.carbonblackcloud.vmware.com": "VMWare Carbon Black", "defense-prodnrt.conferdeploy.net": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60},
"gprd1usgw1.carbonblack-us-gov.vmware.com": "VMWare Carbon Black", "updates.cdc.carbonblack.io": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60},
"updates.cdc.carbonblack.io": "VMWare Carbon Black", "gprd1usgw1.carbonblack-us-gov.vmware.com": DomInfo{Vendor: "VMWare Carbon Black", TTL: 3600},
"updates2.cdc.carbonblack.io": "VMWare Carbon Black", "defense-prodsyd.conferdeploy.net": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60},
"carbonblack.vmware.com": "VMWare Carbon Black", "carbonblack.com": DomInfo{Vendor: "VMWare Carbon Black", TTL: 300},
"console.cloud-us-gov.vmware.com": "VMWare Carbon Black", "defense-eap01.conferdeploy.net": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60},
"console.cloud.vmware.com": "VMWare Carbon Black", "defense-eu.conferdeploy.net": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60},
// CrowdStrike Falcon // CrowdStrike Falcon
// https://www.dell.com/support/kbdoc/en-us/000177899/crowdstrike-falcon-sensor-system-requirements // https://www.dell.com/support/kbdoc/en-us/000177899/crowdstrike-falcon-sensor-system-requirements
"crowdstrike.com": "CrowdStrike Falcon", "falcon.us-2.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120},
"ts01-b.cloudsink.net": "CrowdStrike Falcon", "falcon.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
"lfodown01-b.cloudsink.net": "CrowdStrike Falcon", "ts01-gyr-maverick.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800},
"lfoup01-b.cloudsink.net": "CrowdStrike Falcon", "us-gov-2.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 900},
"falcon.crowdstrike.com": "CrowdStrike Falcon", "api.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 300},
"assets.falcon.crowdstrike.com": "CrowdStrike Falcon", "ts01-b.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800},
"assets-public.falcon.crowdstrike.com": "CrowdStrike Falcon", "firehose.us-gov-2.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
"api.crowdstrike.com": "CrowdStrike Falcon", "assets.falcon.eu-1.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120},
"firehose.crowdstrike.com": "CrowdStrike Falcon", "api.eu-1.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120},
"ts01-gyr-maverick.cloudsink.net": "CrowdStrike Falcon", "lfodown01-b.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800},
"lfodown01-gyr-maverick.cloudsink.net": "CrowdStrike Falcon", "assets-public.falcon.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
"lfoup01-gyr-maverick.cloudsink.net": "CrowdStrike Falcon", "assets.falcon.us-2.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120},
"falcon.us-2.crowdstrike.com": "CrowdStrike Falcon", "api.us-2.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120},
"assets.falcon.us-2.crowdstrike.com": "CrowdStrike Falcon", "assets-public.us-2.falcon.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120},
"assets-public.us-2.falcon.crowdstrike.com": "CrowdStrike Falcon", "firehose.laggar.gcw.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
"api.us-2.crowdstrike.com": "CrowdStrike Falcon", "ts01-lanner-lion.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800},
"firehose.us-2.crowdstrike.com": "CrowdStrike Falcon", "lfoup01-lanner-lion.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800},
"ts01-laggar-gcw.cloudsink.net": "CrowdStrike Falcon", "assets-public.falcon.eu-1.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120},
"sensorproxy-laggar-g-524628337.us-gov-west-1.elb.amazonaws.com": "CrowdStrike Falcon", "crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 300},
"lfodown01-laggar-gcw.cloudsink.net": "CrowdStrike Falcon", "lfoup01-gyr-maverick.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800},
"ELB-Laggar-P-LFO-DOWNLOAD-1265997121.us-gov-west-1.elb.amazonaws.com": "CrowdStrike Falcon", "lfoup01-b.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800},
"falcon.laggar.gcw.crowdstrike.com": "CrowdStrike Falcon", "ts01-laggar-gcw.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
"laggar-falconui01-g-245478519.us-gov-west-1.elb.amazonaws.com": "CrowdStrike Falcon", "falconhose-laggar01-g-720386815.us-gov-west-1.elb.amazonaws.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
"api.laggar.gcw.crowdstrike.com": "CrowdStrike Falcon", "ts01-us-gov-2.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800},
"firehose.laggar.gcw.crowdstrike.com": "CrowdStrike Falcon", "laggar-falconui01-g-245478519.us-gov-west-1.elb.amazonaws.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
"falconhose-laggar01-g-720386815.us-gov-west-1.elb.amazonaws.com": "CrowdStrike Falcon", "assets.falcon.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
"ts01-us-gov-2.cloudsink.net": "CrowdStrike Falcon", "lfodown01-lanner-lion.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800},
"lfodown01-us-gov-2.cloudsink.net": "CrowdStrike Falcon", "falcon.laggar.gcw.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
"api.us-gov-2.crowdstrike.com": "CrowdStrike Falcon", "firehose.us-2.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120},
"firehose.us-gov-2.crowdstrike.com": "CrowdStrike Falcon", "firehose.eu-1.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120},
"ts01-lanner-lion.cloudsink.net": "CrowdStrike Falcon", "lfodown01-laggar-gcw.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
"lfodown01-lanner-lion.cloudsink.net": "CrowdStrike Falcon", "api.laggar.gcw.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
"lfoup01-lanner-lion.cloudsink.net": "CrowdStrike Falcon", "lfodown01-gyr-maverick.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800},
"assets.falcon.eu-1.crowdstrike.com": "CrowdStrike Falcon", "lfodown01-us-gov-2.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800},
"assets-public.falcon.eu-1.crowdstrike.com": "CrowdStrike Falcon", "sensorproxy-laggar-g-524628337.us-gov-west-1.elb.amazonaws.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
"api.eu-1.crowdstrike.com": "CrowdStrike Falcon", "firehose.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 300},
"firehose.eu-1.crowdstrike.com": "CrowdStrike Falcon", "ELB-Laggar-P-LFO-DOWNLOAD-1265997121.us-gov-west-1.elb.amazonaws.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
// Harmony / CheckPoint // Harmony / CheckPoint
// https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116590 // https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116590
"checkpoint.com": "CheckPoint Harmony", "rep.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
"us-east4-chkp-gcp-rnd-threat-hunt-box.cloudfunctions.net": "CheckPoint Harmony", "threat-emulation.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
"europe-west1-datatube-240519.cloudfunctions.net": "CheckPoint Harmony", "epmgmt.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 900},
"datatube-prod.azurewebsites.net": "CheckPoint Harmony", "sc1.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
"epmgmt.checkpoint.com": "CheckPoint Harmony", "gwevents.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 193},
"endpoint-cdn.epmgmt.checkpoint.com": "CheckPoint Harmony", "gwevents.us.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 193},
"ep-repo.epmgmt.checkpoint.com": "CheckPoint Harmony", "endpoint-cdn.epmgmt.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 300},
"epm-gw-eu.epmgmt.checkpoint.com": "CheckPoint Harmony", "checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 32},
"file-rep.iaas.checkpoint.com": "CheckPoint Harmony", "iaas.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 900},
"url-rep.iaas.checkpoint.com": "CheckPoint Harmony", "kav8.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
"threatcloud.iaas.checkpoint.com": "CheckPoint Harmony", "cloudinfra-gw.portal.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 60},
"te.iaas.checkpoint.com": "CheckPoint Harmony", "datatube-prod.azurewebsites.net": DomInfo{Vendor: "CheckPoint Harmony", TTL: 30},
"sba-data-collection.iaas.checkpoint.com": "CheckPoint Harmony", "updates.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
"iaas.checkpoint.com": "CheckPoint Harmony", "ep-repo.epmgmt.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 300},
"cws.checkpoint.com": "CheckPoint Harmony", "file-rep.iaas.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 60},
"rep.checkpoint.com": "CheckPoint Harmony", "threatcloud.iaas.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 60},
"te.checkpoint.com": "CheckPoint Harmony", "dl3.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
"threat-emulation.checkpoint.com": "CheckPoint Harmony", "secureupdates.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
"kav8.checkpoint.com": "CheckPoint Harmony", "epm-gw-eu.epmgmt.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 86400},
"secureupdates.checkpoint.com": "CheckPoint Harmony", "url-rep.iaas.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 60},
"sc1.checkpoint.com": "CheckPoint Harmony", "te.iaas.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 60},
"updates.checkpoint.com": "CheckPoint Harmony", "services.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
"dl3.checkpoint.com": "CheckPoint Harmony", "europe-west1-datatube-240519.cloudfunctions.net": DomInfo{Vendor: "CheckPoint Harmony", TTL: 300},
"cloudinfra-gw.portal.checkpoint.com": "CheckPoint Harmony", "cws.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
"gwevents.checkpoint.com": "CheckPoint Harmony", "teadv.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
"teadv.checkpoint.com": "CheckPoint Harmony", "us-east4-chkp-gcp-rnd-threat-hunt-box.cloudfunctions.net": DomInfo{Vendor: "CheckPoint Harmony", TTL: 300},
"services.checkpoint.com": "CheckPoint Harmony", "te.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
// Cybereason // Cybereason
// https://docs.cybereason.com/en/latest/cloud_deploy/enablecommunication.html // https://docs.cybereason.com/en/latest/cloud_deploy/enablecommunication.html
"cybereason.com": "Cybereason", "data-epgw-eu-west-1.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 300},
"probe-dist.cybereason.net": "Cybereason", "probe-dist-asia-northeast-1.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 60},
"data-epgw.cybereason.net": "Cybereason", "data-epgw-asia-northeast-1.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 300},
"probe-dist-eu-west-1.cybereason.net": "Cybereason", "probe-dist.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 300},
"data-epgw-eu-west-1.cybereason.net": "Cybereason", "probe-dist-eu-west-1.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 300},
"probe-dist-asia-northeast-1.cybereason.net": "Cybereason", "data-epgw.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 300},
"data-epgw-asia-northeast-1.cybereason.net": "Cybereason", "cybereason.com": DomInfo{Vendor: "Cybereason", TTL: 300},
// FireEye / Trellix // FireEye / Trellix
// https://kcm.trellix.com/corporate/index?page=content&id=KB90878 // https://kcm.trellix.com/corporate/index?page=content&id=KB90878
"api.manage.trellix.com": "Trellix", "manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 900},
"uam.api.trellix.com": "Trellix", "cds-usw001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"cdn-usw001.manage.trellix.com": "Trellix", "sw-eu001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"sw-usw001.manage.trellix.com": "Trellix", "cdn-usw002.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"cdn-usw002.manage.trellix.com": "Trellix", "sw-ind001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"sw-usw002.manage.trellix.com": "Trellix", "cdn-usw001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"cdn-usw003.manage.trellix.com": "Trellix", "cdn-usw003.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"sw-usw003.manage.trellix.com": "Trellix", "auth.ui.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"cdn-usw004.manage.trellix.com": "Trellix", "uam.api.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"sw-usw004.manage.trellix.com": "Trellix", "cds-usw002.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"cdn-sgp001.manage.trellix.com": "Trellix", "trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"sw-sgp001.manage.trellix.com": "Trellix", "sw-usw003.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"cdn-eu001.manage.trellix.com": "Trellix", "sw-usw004.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 300},
"sw-eu001.manage.trellix.com": "Trellix", "dxlweb-usw001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"cdn-au001.manage.trellix.com": "Trellix", "cds-usw003.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"sw-au001.manage.trellix.com": "Trellix", "cdn-sgp001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"cdn-ind001.manage.trellix.com": "Trellix", "dxlweb-usw002.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"sw-ind001.manage.trellix.com": "Trellix", "cdn-ind001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"cds-usw001.manage.trellix.com": "Trellix", "dxl-usw002.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"cds-usw002.manage.trellix.com": "Trellix", "sw-usw001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"cds-usw003.manage.trellix.com": "Trellix", "dxl-usw001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"cds-usw004.manage.trellix.com": "Trellix", "dxlweb-usw003.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"dxl-usw001.manage.trellix.com": "Trellix", "cds-usw004.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"dxl-usw002.manage.trellix.com": "Trellix", "cdn-au001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"dxl-usw003.manage.trellix.com": "Trellix", "sw-usw002.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"dxl-usw004.manage.trellix.com": "Trellix", "api.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"dxlweb-usw001.manage.trellix.com": "Trellix", "sw-sgp001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"dxlweb-usw002.manage.trellix.com": "Trellix", "dxlweb-usw004.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"dxlweb-usw003.manage.trellix.com": "Trellix", "cdn-usw004.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"dxlweb-usw004.manage.trellix.com": "Trellix", "sw-au001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"dxl-usw004.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"dxl-usw003.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"cdn-eu001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
// Cortex XDR / Palo Alto Networks // Cortex XDR / Palo Alto Networks
// https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Resources-Required-to-Enable-Access // https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Resources-Required-to-Enable-Access
"paloaltonetworks.com": "Palo Alto Networks", "panw-xdr-evr-prod-au.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"lrc-us.paloaltonetworks.com": "Palo Alto Networks", "lrc-eu.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
"lrc-eu.paloaltonetworks.com": "Palo Alto Networks", "global-content-profiles-policy.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"lrc-ca.paloaltonetworks.com": "Palo Alto Networks", "panw-xdr-evr-prod-uk.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"lrc-uk.paloaltonetworks.com": "Palo Alto Networks", "lrc-ch.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
"lrc-jp.paloaltonetworks.com": "Palo Alto Networks", "lrc-jp.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
"lrc-sg.paloaltonetworks.com": "Palo Alto Networks", "panw-xdr-evr-prod-qt.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"lrc-au.paloaltonetworks.com": "Palo Alto Networks", "panw-xdr-evr-prod-pl.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"lrc-de.paloaltonetworks.com": "Palo Alto Networks", "pendo-static-5664029141630976.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"lrc-in.paloaltonetworks.com": "Palo Alto Networks", "panw-xdr-evr-prod-sg.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"lrc-ch.paloaltonetworks.com": "Palo Alto Networks", "lrc-uk.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
"lrc-pl.paloaltonetworks.com": "Palo Alto Networks", "lrc-us.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
"lrc-tw.paloaltonetworks.com": "Palo Alto Networks", "lrc-tw.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 1800},
"lrc-qt.paloaltonetworks.com": "Palo Alto Networks", "panw-xdr-evr-prod-eu.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"lrc-fa.paloaltonetworks.com": "Palo Alto Networks", "lrc-ca.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
"panw-xdr-evr-prod-us.storage.googleapis.com": "Palo Alto Networks", "paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 30},
"panw-xdr-evr-prod-eu.storage.googleapis.com": "Palo Alto Networks", "lrc-fa.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 30},
"panw-xdr-evr-prod-ca.storage.googleapis.com": "Palo Alto Networks", "panw-xdr-evr-prod-in.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"panw-xdr-evr-prod-uk.storage.googleapis.com": "Palo Alto Networks", "panw-xdr-evr-prod-fa.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"panw-xdr-evr-prod-jp.storage.googleapis.com": "Palo Alto Networks", "panw-xdr-evr-prod-ca.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"panw-xdr-evr-prod-sg.storage.googleapis.com": "Palo Alto Networks", "lrc-pl.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
"panw-xdr-evr-prod-au.storage.googleapis.com": "Palo Alto Networks", "lrc-qt.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"panw-xdr-evr-prod-de.storage.googleapis.com": "Palo Alto Networks", "panw-xdr-evr-prod-us.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"panw-xdr-evr-prod-in.storage.googleapis.com": "Palo Alto Networks", "lrc-de.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"panw-xdr-evr-prod-ch.storage.googleapis.com": "Palo Alto Networks", "panw-xdr-installers-prod-us.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"panw-xdr-evr-prod-pl.storage.googleapis.com": "Palo Alto Networks", "panw-xdr-evr-prod-ch.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"panw-xdr-evr-prod-tw.storage.googleapis.com": "Palo Alto Networks", "lrc-in.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
"panw-xdr-evr-prod-qt.storage.googleapis.com": "Palo Alto Networks", "panw-xdr-evr-prod-de.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"panw-xdr-evr-prod-fa.storage.googleapis.com": "Palo Alto Networks", "lrc-au.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
"panw-xdr-installers-prod-us.storage.googleapis.com": "Palo Alto Networks", "panw-xdr-evr-prod-tw.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"panw-xdr-payloads-prod-us.storage.googleapis.com": "Palo Alto Networks", "login.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
"global-content-profiles-policy.storage.googleapis.com": "Palo Alto Networks", "lrc-sg.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
"login.paloaltonetworks.com": "Palo Alto Networks", "panw-xdr-evr-prod-jp.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"pendo-static-5664029141630976.storage.googleapis.com": "Palo Alto Networks", "panw-xdr-payloads-prod-us.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
// Singularity / SentinelOne // Singularity / SentinelOne
"sentinelone.com": "SentinelOne", "eu1-oauth.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
"xdr.intus1.sentinelone.net": "SentinelOne", "eu1-qi.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
"console.mobile.sentinelone.net": "SentinelOne", "console.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
"content.mobile.sentinelone.net": "SentinelOne", "sentinelone.com": DomInfo{Vendor: "SentinelOne", TTL: 300},
"device-api.mobile.sentinelone.net": "SentinelOne", "eu1-console.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
"eu1-acceptor.mobile.sentinelone.net": "SentinelOne", "eu1-content.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
"eu1-console.mobile.sentinelone.net": "SentinelOne", "panel.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
"eu1-content.mobile.sentinelone.net": "SentinelOne", "oauth.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
"eu1-device-api.mobile.sentinelone.net": "SentinelOne", "xdr.intus1.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 60},
"eu1-oauth.mobile.sentinelone.net": "SentinelOne", "eu1-device-api.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
"eu1-panel.mobile.sentinelone.net": "SentinelOne", "eu1-vpc.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
"eu1-qi.mobile.sentinelone.net": "SentinelOne", "eu1-acceptor.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
"eu1-token.mobile.sentinelone.net": "SentinelOne", "login.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
"eu1-vpc.mobile.sentinelone.net": "SentinelOne", "device-api.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
"ut.sentinelone.net": "SentinelOne", "eu1-panel.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
"oauth.mobile.sentinelone.net": "SentinelOne", "eu1-token.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
"panel.mobile.sentinelone.net": "SentinelOne", "content.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
"ut.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
// Symantec / Broadcom // Symantec / Broadcom
// https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-detection-and-response/4-7/about-v96380626-d38e6/required-firewall-ports-v97213154-d38e5602.html // https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-detection-and-response/4-7/about-v96380626-d38e6/required-firewall-ports-v97213154-d38e5602.html
"symantec.com": "Symantec", "remotetunnel5.edrc.symantec.com": DomInfo{Vendor: "Symantec", TTL: 600},
"remotetunnel1.edrc.symantec.com": "Symantec", "remotetunnel1.edrc.symantec.com": DomInfo{Vendor: "Symantec", TTL: 600},
"remotetunnel2.edrc.symantec.com": "Symantec", "remotetunnel3.edrc.symantec.com": DomInfo{Vendor: "Symantec", TTL: 600},
"remotetunnel3.edrc.symantec.com": "Symantec", "bash-avpg.crsi.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
"remotetunnel4.edrc.symantec.com": "Symantec", "remotetunnel2.edrc.symantec.com": DomInfo{Vendor: "Symantec", TTL: 600},
"remotetunnel5.edrc.symantec.com": "Symantec", "central.b6.crsi.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
"api-gateway.symantec.com": "Symantec", "stnd-ipsg.crsi.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
"liveupdate.symantec.com": "Symantec", "datafeedapi.symanteccloud.com": DomInfo{Vendor: "Symantec", TTL: 300},
"ratings-wrs.symantec.com": "Symantec", "stnd-avpg.crsi.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
"stnd-avpg.crsi.symantec.com": "Symantec", "shasta-rrs.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
"stnd-ipsg.crsi.symantec.com": "Symantec", "remotetunnel4.edrc.symantec.com": DomInfo{Vendor: "Symantec", TTL: 600},
"central.b6.crsi.symantec.com": "Symantec", "liveupdate.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3135},
"bash-avpg.crsi.symantec.com": "Symantec", "sso1.edrc.symantec.com": DomInfo{Vendor: "Symantec", TTL: 600},
"swupdate.brightmail.com": "Symantec", "shasta-mrs.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
"shasta-rrs.symantec.com": "Symantec", "telemetry.broadcom.com": DomInfo{Vendor: "Symantec", TTL: 3600},
"shasta-mrs.symantec.com": "Symantec", "ratings-wrs.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
"datafeedapi.symanteccloud.com": "Symantec", "api-gateway.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
"telemetry.broadcom.com": "Symantec", "swupdate.brightmail.com": DomInfo{Vendor: "Symantec", TTL: 3600},
"sso1.edrc.symantec.com": "Symantec", "symantec.com": DomInfo{Vendor: "Symantec", TTL: 600},
// Tanium // Tanium
"tanium.com": "Tanium", "docs-es.tanium.com": DomInfo{Vendor: "Tanium", TTL: 300},
"shared.prd-int-manage.mdm.cloud.tanium.com": "Tanium", "prd-us-1-manage.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 900},
"shared.prd-int.mdm.cloud.tanium.com": "Tanium", "docs-ko.tanium.com": DomInfo{Vendor: "Tanium", TTL: 300},
"shared.prd-us-1-manage.mdm.cloud.tanium.com": "Tanium", "tanium.com": DomInfo{Vendor: "Tanium", TTL: 300},
"shared.prd-us-1.mdm.cloud.tanium.com": "Tanium", "prd-int.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 900},
"prd-int-manage.mdm.cloud.tanium.com": "Tanium", "shared.prd-int.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 900},
"prd-int.mdm.cloud.tanium.com": "Tanium", "prd.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 900},
"prd-us-1-manage.mdm.cloud.tanium.com": "Tanium", "jp.tanium.com": DomInfo{Vendor: "Tanium", TTL: 300},
"prd-us-1.mdm.cloud.tanium.com": "Tanium", "docs-fr.tanium.com": DomInfo{Vendor: "Tanium", TTL: 300},
"prd.mdm.cloud.tanium.com": "Tanium", "shared.prd-us-1-manage.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 900},
"jp.tanium.com": "Tanium", "shared.prd-us-1.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 900},
"docs-es.tanium.com": "Tanium", "prd-int-manage.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 900},
"docs-fr.tanium.com": "Tanium", "prd-us-1.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 300},
"docs-ko.tanium.com": "Tanium", "shared.prd-int-manage.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 300},
// Aurora // Aurora
// https://aurora-agent-manual.nextron-systems.com/en/latest/usage/upgrade-and-updates.html // https://aurora-agent-manual.nextron-systems.com/en/latest/usage/upgrade-and-updates.html
"update-102.nextron-systems.com": "Nextron Aurora", "update-aurora.nextron-systems.com": DomInfo{Vendor: "Nextron Aurora", TTL: 60},
"update-201.nextron-systems.com": "Nextron Aurora", "update-102.nextron-systems.com": DomInfo{Vendor: "Nextron Aurora", TTL: 60},
"update-202.nextron-systems.com": "Nextron Aurora", "update-202.nextron-systems.com": DomInfo{Vendor: "Nextron Aurora", TTL: 60},
"update-aurora.nextron-systems.com": "Nextron Aurora", "update-201.nextron-systems.com": DomInfo{Vendor: "Nextron Aurora", TTL: 60},
"update-lite.nextron-systems.com": "Nextron Aurora", "update-lite.nextron-systems.com": DomInfo{Vendor: "Nextron Aurora", TTL: 60},
// Trend Micro // Trend Micro
// https://docs.trendmicro.com/en-us/documentation/article/deep-discovery-director-(consolidated-mode)-53-online-help-service-addresses-an_002 // https://docs.trendmicro.com/en-us/documentation/article/deep-discovery-director-(consolidated-mode)-53-online-help-service-addresses-an_002
// https://cloudone.trendmicro.com/docs/workload-security/communication-ports-urls-ip/ // https://cloudone.trendmicro.com/docs/workload-security/communication-ports-urls-ip/
"api.eu.nacloud.trendmicro.com": "Trend Micro", "xdr.trendmicro.co.jp": DomInfo{Vendor: "Trend Micro", TTL: 60},
"api.jp.nacloud.trendmicro.com": "Trend Micro", "files.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 1800},
"api.sg.nacloud.trendmicro.com": "Trend Micro", "api.nacloud.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 60},
"api.us.nacloud.trendmicro.com": "Trend Micro", "cloudone.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 60},
"docs.trendmicro.com": "Trend Micro", "ddd53-p.activeupdate.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 1800},
"licenseupdate.trendmicro.com": "Trend Micro", "trenddefense.com": DomInfo{Vendor: "Trend Micro", TTL: 300},
"api.nacloud.trendmicro.com": "Trend Micro", "threatconnect.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 1800},
"trendmicro.com": "Trend Micro", "api.sg.nacloud.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 60},
"files.trendmicro.com": "Trend Micro", "trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 1800},
"xdr.trendmicro.com": "Trend Micro", "api.jp.nacloud.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 60},
"xdr.trendmicro.co.jp": "Trend Micro", "api.eu.nacloud.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 60},
"trenddefense.com": "Trend Micro", "docs.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 1799},
"ddd53-p.activeupdate.trendmicro.com": "Trend Micro", "api.us.nacloud.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 60},
"ddd53-threatconnect.trendmicro.com": "Trend Micro", "ddd53-threatconnect.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 1800},
"threatconnect.trendmicro.com": "Trend Micro", "licenseupdate.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 1800},
"cloudone.trendmicro.com": "Trend Micro", "xdr.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 60},
} }