Compare commits
6 Commits
Author | SHA1 | Date | |
---|---|---|---|
262f1fefac | |||
35a6bfe75d | |||
bfd20e8d28 | |||
110948b745 | |||
731edcac65 | |||
d5dce5b996 |
63
README.md
63
README.md
@ -1,42 +1,63 @@
|
||||
# patdown
|
||||
|
||||
> EDR/XDR (Endpoint Detection & Response) fingerprinting utility useful for predicting defense mechanisms in use on remote systems.
|
||||
|
||||
> Remotely predicts and identifies the presence of EDR/XDR solutions on networks
|
||||
|
||||
<p align="center">
|
||||
<img src="https://i.imgur.com/AlQ7N07.png" width="500" title="hover text">
|
||||
</p>
|
||||
|
||||
## Abstract
|
||||
Patdown probes a network's DNS servers to determine whether they have resolved domains associated with various EDR/XDR solutions.
|
||||
patdown is an EDR/XDR fingerprinting utility used for remotely predicting defense mechanisms in use on a network.
|
||||
|
||||
**Example**: if a network's resolver has `assets-public.falcon.crowdstrike.com` in its cache, chances are the '*CrowdStrike Falcon*' EDR solution is present somewhere on the network.
|
||||
This allows you to forecast the security posture of a network during the earliest stages of access, or even prior to any access at all.
|
||||
|
||||
These DNS servers can be specified as arguments (the preferred way), or patdown can automatically retrieve and analyze the authoritative nameservers of a target with the `-t` flag.
|
||||
Fingerprinting is achieved via the probing of DNS servers to determine whether they have resolved domains associated with various EDR/XDR solutions.
|
||||
|
||||
⚠️ Authoritative nameservers are rarely used as egress recursive resolvers for networks and are not as efficacious for fingerprinting for EDR/XDR.
|
||||
**Example**: if a network's resolver has `assets-public.falcon.crowdstrike.com` cached, chances are the *CrowdStrike Falcon* EDR solution is present on the network.
|
||||
|
||||
These DNS servers can be specified as arguments (most effective), or patdown can automatically retrieve and analyze the authoritative nameservers of a target with the `-d` flag.
|
||||
|
||||
> ⚠️ Authoritative nameservers are rarely used as egress resolvers for networks and are not as reliable for fingerprinting EDR/XDR, making them prone to false positives.
|
||||
|
||||
## Installation
|
||||
Retrieve a binary corresponding to your architecture from **Releases**
|
||||
|
||||
*or*
|
||||
|
||||
`git clone https://git.supernets.org/delorean/patdown.git && cd patdown/cmd/patdown && go build -o patdown main.go && ./patdown`
|
||||
`git clone https://github.com/speedboat/patdown.git ; cd patdown/cmd/patdown ; go build -o patdown main.go ; ./patdown -h`
|
||||
|
||||
## Usage
|
||||
**Help**
|
||||
```
|
||||
d | target fqdn (not as reliable, prone to false positives)
|
||||
n | nameserver to query (can be specified multiple times)
|
||||
v | enable verbosity [false]
|
||||
t | threads [5]
|
||||
s | delay between requests in milliseconds, per thread [250]
|
||||
|
||||
`patdown -h`
|
||||
e.g.
|
||||
patdown -d target.network
|
||||
patdown -n egress.ns.target.network -n another.egress.ns.target.network
|
||||
patdown -n dc.target.network -v -t 25
|
||||
```
|
||||
|
||||
|
||||
**Target specific resolvers**
|
||||
|
||||
`patdown -n ns1.target.resolver -n ns2.another.target.resolver`
|
||||
|
||||
|
||||
**Automatically snoop authoritative nameservers**
|
||||
|
||||
`patdown -t supernets.org`
|
||||
|
||||
- - - -
|
||||
this is for christian purposes
|
||||
## Currently Identified Vendors/Solutions:
|
||||
- [x] **CrowdStrike** Falcon
|
||||
- [x] **Microsoft** Defender for Endpoint
|
||||
- [x] **VMWare** Carbon Black
|
||||
- [x] **Check Point** Harmony
|
||||
- [x] **Cybereason** EDR
|
||||
- [x] **Trellix** EDR
|
||||
- [x] **Palo Alto Networks** Cortex XDR
|
||||
- [x] **SentinelOne** Singularity
|
||||
- [x] **Symantec** Endpoint Security
|
||||
- [x] **Tanium** EDR
|
||||
- [x] **Nextron** Aurora
|
||||
- [x] **Trend Micro** Endpoint Sensor
|
||||
- [x] **Rapid7** InsightIDR
|
||||
- [ ] **ESET** Inspect
|
||||
- [ ] **Harfanglab** EDR
|
||||
- [ ] **Limacharlie** EDR
|
||||
- [ ] **Elastic** Security
|
||||
- [ ] **Qualys** EDR
|
||||
- [ ] **Uptycs** XDR
|
||||
- [ ] **WatchGuard** EDR
|
||||
|
@ -1,60 +1,36 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"flag"
|
||||
|
||||
"fmt"
|
||||
"patdown/common"
|
||||
)
|
||||
|
||||
type multiflag []string
|
||||
|
||||
func (m *multiflag) String() string {
|
||||
return "irc.supernets.org #superbowl"
|
||||
}
|
||||
|
||||
func (m *multiflag) Set(value string) error {
|
||||
*m = append(*m, value)
|
||||
return nil
|
||||
}
|
||||
|
||||
var (
|
||||
domain = flag.String("t", "", "")
|
||||
workers = flag.Int("c", 100, "")
|
||||
delay = flag.Int("s", 50, "")
|
||||
nsarg multiflag
|
||||
)
|
||||
|
||||
func main() {
|
||||
flag.Var(&nsarg, "n", "")
|
||||
flag.Usage = common.Usage
|
||||
flag.Parse()
|
||||
common.LoadArgs()
|
||||
var servers []string
|
||||
|
||||
common.Banner()
|
||||
|
||||
if *domain != "" {
|
||||
common.Info("aggregating nameservers...")
|
||||
common.PullNS(*domain)
|
||||
} else if len(nsarg) > 0 {
|
||||
for _, ns := range nsarg {
|
||||
common.Nameservers = append(common.Nameservers, ns)
|
||||
autodetect := common.Params.Domain != ""
|
||||
if autodetect {
|
||||
if servers = common.PullNS(common.Params.Domain); len(servers) == 0 {
|
||||
common.Fatal("no nameservers found for " + common.Params.Domain)
|
||||
}
|
||||
common.Info(fmt.Sprintf("retrieved %s%d%s nameservers for %s", common.ColorGreen, len(servers), common.ColorReset, common.Params.Domain))
|
||||
} else if len(common.Params.Nservers) > 0 {
|
||||
servers = common.Params.Nservers
|
||||
} else {
|
||||
common.Usage()
|
||||
return
|
||||
common.Fatal("provide a domain or nameservers to target")
|
||||
}
|
||||
|
||||
common.Verify()
|
||||
|
||||
common.Run(false, *workers, *delay)
|
||||
|
||||
if !common.Found {
|
||||
if len(common.Recursive) > 0 {
|
||||
common.Warning("no associated domains found, attempting recursive snooping...")
|
||||
common.Run(true, *workers, *delay)
|
||||
}
|
||||
if !common.NeutralReq() {
|
||||
common.Fatal("neutral dns check failed, are you on a dirty box or vpn?")
|
||||
}
|
||||
|
||||
if !common.Found {
|
||||
common.Error("no associated domains retrieved")
|
||||
valid := common.ParseNS(servers)
|
||||
if len(valid) == 0 {
|
||||
common.Fatal("no servers responded to trial probes, they're either down or they don't like your IP")
|
||||
}
|
||||
|
||||
common.Takeoff(valid)
|
||||
}
|
||||
|
39
common/args.go
Normal file
39
common/args.go
Normal file
@ -0,0 +1,39 @@
|
||||
package common
|
||||
|
||||
import "flag"
|
||||
|
||||
type multiflag []string
|
||||
|
||||
type Config struct {
|
||||
Domain string
|
||||
Threads int
|
||||
Delay int
|
||||
Nservers []string
|
||||
Verbose bool
|
||||
}
|
||||
|
||||
var (
|
||||
domain = flag.String("d", "", "")
|
||||
workers = flag.Int("t", 5, "")
|
||||
delay = flag.Int("s", 250, "")
|
||||
verbose = flag.Bool("v", false, "")
|
||||
nsarg multiflag
|
||||
Params Config
|
||||
)
|
||||
|
||||
func (m *multiflag) String() string {
|
||||
return "front page maximum wage"
|
||||
}
|
||||
|
||||
func (m *multiflag) Set(value string) error {
|
||||
*m = append(*m, value)
|
||||
return nil
|
||||
}
|
||||
|
||||
func LoadArgs() {
|
||||
flag.Var(&nsarg, "n", "")
|
||||
flag.Usage = Usage
|
||||
flag.Parse()
|
||||
|
||||
Params = Config{Domain: *domain, Threads: *workers, Delay: *delay, Nservers: nsarg, Verbose: *verbose}
|
||||
}
|
@ -1,88 +0,0 @@
|
||||
package common
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
)
|
||||
|
||||
var (
|
||||
ColorReset = "\033[0m"
|
||||
ColorRed = "\033[31m"
|
||||
ColorPurple = "\033[35m"
|
||||
ColorLightBlue = "\033[34m"
|
||||
ColorCyan = "\033[36m"
|
||||
ColorGreen = "\033[32m"
|
||||
ColorOrange = "\033[91m"
|
||||
ColorGray = "\033[90m"
|
||||
ColorYellow = "\033[93m"
|
||||
)
|
||||
|
||||
func Banner() {
|
||||
fmt.Printf(`%s
|
||||
.------..------..------..------..------..------..------.
|
||||
|%s%sP%s%s.--. ||%s%sA%s%s.--. ||%s%sT%s%s.--. ||%s%sD%s%s.--. ||%s%sO%s%s.--. ||%s%sW%s%s.--. ||%s%sN%s%s.--. |
|
||||
| :/\: || (\/) || :/\: || :/\: || :/\: || :/\: || :(): |
|
||||
| (__) || :\/: || (__) || (__) || :\/: || :\/: || ()() |
|
||||
| '--'P|| '--'A|| '--'T|| '--'D|| '--'O|| '--'W|| '--'N|
|
||||
'------''------''------''------''------''------''------'
|
||||
|
||||
%s%s sincerely,
|
||||
~ delorean%s
|
||||
|
||||
`, ColorRed, ColorReset, ColorGray, ColorReset, ColorRed, ColorReset, ColorGray, ColorReset,
|
||||
ColorRed, ColorReset, ColorGray, ColorReset, ColorRed, ColorReset, ColorGray, ColorReset,
|
||||
ColorRed, ColorReset, ColorGray, ColorReset, ColorRed, ColorReset, ColorGray, ColorReset,
|
||||
ColorRed, ColorReset, ColorGray, ColorReset, ColorRed, ColorReset, ColorGray, ColorReset)
|
||||
}
|
||||
|
||||
func Usage() {
|
||||
fmt.Fprintf(os.Stderr, `patdown usage:
|
||||
(%s-t%s) - target domain
|
||||
(%s-n%s) - specific nameserver to snoop, can be multiple
|
||||
(%s-c%s) - concurrent threads [%s100%s]
|
||||
(%s-s%s) - delay between queries, per thread, in milliseconds [%s100%s]
|
||||
|
||||
%se.g.%s
|
||||
patdown -t supernets.org
|
||||
patdown -n ns1.supernets.org -n ns2.supernets.org
|
||||
patdown -t supernets.org -c 50 -s 500
|
||||
|
||||
`, ColorCyan, ColorReset, ColorCyan, ColorReset, ColorCyan, ColorReset, ColorGray, ColorReset, ColorCyan, ColorReset, ColorGray, ColorReset, ColorCyan, ColorReset)
|
||||
}
|
||||
|
||||
var Vendors = map[string]string{
|
||||
"Microsoft Defender for Endpoint": "\033[34mMicrosoft Defender for Endpoint\033[0m",
|
||||
"VMWare Carbon Black": "\033[36mVMware\033[0m \033[90mCarbon Black\033[0m",
|
||||
"CrowdStrike Falcon": "\033[31mCrowdStrike\033[0m \033[1mFalcon\033[0m",
|
||||
"CheckPoint Harmony": "\033[35mCheckPoint\033[0m \033[1mHarmony\033[0m",
|
||||
"Cybereason": "\033[93mCybereason\033[0m",
|
||||
"Trellix": "\033[32mTrellix\033[0m",
|
||||
"Palo Alto Networks": "\033[91mPalo Alto Networks\033[0m",
|
||||
"SentinelOne": "\033[35mSentinelOne\033[0m",
|
||||
"Symantec": "\033[93mSymantec\033[0m",
|
||||
"Tanium": "\033[31mTanium\033[0m",
|
||||
"Nextron Aurora": "\033[36mNextron\033[0m \033[90mAurora\033[0m",
|
||||
"Trend Micro": "\033[31mTrend\033[0m \033[1mMicro\033[0m",
|
||||
"Rapid7 InsightIDR": "\033[97mRapid\033[0m\033[91m7\033[0m \033[97mInsightIDR\033[0m",
|
||||
}
|
||||
|
||||
func Success(msg string) {
|
||||
fmt.Printf(" %s~+~%s %s\n", ColorGreen, ColorReset, msg)
|
||||
}
|
||||
|
||||
func Info(msg string) {
|
||||
fmt.Printf(" %s~i~%s %s\n", ColorCyan, ColorReset, msg)
|
||||
}
|
||||
|
||||
func Warning(msg string) {
|
||||
fmt.Printf(" %s~!~%s %s\n", ColorYellow, ColorReset, msg)
|
||||
}
|
||||
|
||||
func Error(msg string) {
|
||||
fmt.Printf(" %s~x~%s %s\n", ColorRed, ColorReset, msg)
|
||||
}
|
||||
|
||||
func Fatal(msg string) {
|
||||
fmt.Printf(" %s~f~%s %s\n", ColorRed, ColorReset, msg)
|
||||
os.Exit(-1)
|
||||
}
|
174
common/dns.go
174
common/dns.go
@ -1,174 +0,0 @@
|
||||
package common
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
"github.com/miekg/dns"
|
||||
)
|
||||
|
||||
type Pair struct {
|
||||
Nameserver string
|
||||
Domain string
|
||||
}
|
||||
|
||||
var (
|
||||
Nameservers, Valid, Recursive []string
|
||||
Found bool
|
||||
)
|
||||
|
||||
func message(domain string, reqtype uint16, ra bool) *dns.Msg {
|
||||
msg := new(dns.Msg)
|
||||
msg.Id = dns.Id()
|
||||
msg.RecursionDesired = ra
|
||||
msg.Question = make([]dns.Question, 1)
|
||||
msg.Question[0] = dns.Question{dns.Fqdn(domain), reqtype, dns.ClassINET}
|
||||
return msg
|
||||
}
|
||||
|
||||
func ParseNS(nservers []string) ([]string, []string) {
|
||||
var valid, recursive []string
|
||||
msg := message("supernets.org", dns.TypeA, false)
|
||||
for _, ns := range nservers {
|
||||
in, err := dns.Exchange(msg, ns+":53")
|
||||
if err != nil {
|
||||
Error("nameserver " + ns + " is not responding")
|
||||
continue
|
||||
}
|
||||
if in.Rcode == dns.RcodeRefused {
|
||||
Warning("nameserver " + ns + " refused the test query, non-recursive snooping may not be viable")
|
||||
}
|
||||
if in.RecursionAvailable {
|
||||
Success("nameserver " + ns + " is recursive")
|
||||
recursive = append(recursive, ns)
|
||||
}
|
||||
valid = append(valid, ns)
|
||||
}
|
||||
return valid, recursive
|
||||
}
|
||||
|
||||
func TestReq() bool {
|
||||
msg := message("cloudflare.com", dns.TypeA, false)
|
||||
in, err := dns.Exchange(msg, "1.1.1.1:53")
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
if len(in.Answer) > 0 {
|
||||
return true
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func PullNS(d string) {
|
||||
nsmsg := message(d, dns.TypeNS, true)
|
||||
in, err := dns.Exchange(nsmsg, "1.1.1.1:53")
|
||||
if err != nil {
|
||||
Fatal("unable to retrieve nameservers for " + d)
|
||||
}
|
||||
|
||||
for _, ans := range in.Answer {
|
||||
ns, ok := ans.(*dns.NS)
|
||||
if ok {
|
||||
Nameservers = append(Nameservers, ns.Ns)
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
func Verify() {
|
||||
if !TestReq() {
|
||||
Error("neutral non-recursive query was refused, are you on a vpn or dirty box?")
|
||||
}
|
||||
Success("neutral non-recursive test query succeeded")
|
||||
|
||||
Valid, Recursive = ParseNS(Nameservers)
|
||||
Info(fmt.Sprintf("%d/%d nameservers are recursive", len(Recursive), len(Valid)))
|
||||
|
||||
if len(Valid) == 0 {
|
||||
Fatal("no valid nameservers available")
|
||||
}
|
||||
}
|
||||
|
||||
func Query(q <-chan Pair, tracker chan<- interface{}, delay int) {
|
||||
for pair := range q {
|
||||
msg := message(pair.Domain, dns.TypeA, false)
|
||||
in, err := dns.Exchange(msg, pair.Nameserver+":53")
|
||||
if err != nil {
|
||||
Error(err.Error())
|
||||
continue
|
||||
}
|
||||
|
||||
if len(in.Answer) > 0 {
|
||||
Found = true
|
||||
fmt.Printf("[%s] associated domain %s found on %s\n", Vendors[Domains[pair.Domain].Vendor], pair.Domain, pair.Nameserver)
|
||||
}
|
||||
time.Sleep(time.Duration(delay) * time.Millisecond)
|
||||
}
|
||||
tracker <- 1337
|
||||
}
|
||||
|
||||
func QueryRA(q <-chan Pair, tracker chan<- interface{}, delay int) {
|
||||
for pair := range q {
|
||||
msg := message(pair.Domain, dns.TypeA, true)
|
||||
for x := 0; x < 3; x++ {
|
||||
in, err := dns.Exchange(msg, pair.Nameserver+":53")
|
||||
if err != nil {
|
||||
Error("hiccup on " + pair.Nameserver + " retrying...")
|
||||
time.Sleep(1 * time.Second)
|
||||
continue
|
||||
}
|
||||
|
||||
if len(in.Answer) > 0 {
|
||||
Found = true
|
||||
if in.Answer[0].Header().Ttl != Domains[pair.Domain].TTL {
|
||||
fmt.Printf("[%s] associated domain %s found on %s with mismatched TTL of %d\n", Vendors[Domains[pair.Domain].Vendor], pair.Domain, pair.Nameserver, in.Answer[0].Header().Ttl)
|
||||
}
|
||||
break
|
||||
}
|
||||
}
|
||||
time.Sleep(time.Duration(delay) * time.Millisecond)
|
||||
}
|
||||
tracker <- 1337
|
||||
}
|
||||
|
||||
func Run(ra bool, threads, delay int) {
|
||||
pairs := make(chan Pair)
|
||||
tracker := make(chan interface{})
|
||||
|
||||
if !ra {
|
||||
// non-recursive snoop
|
||||
Info(fmt.Sprintf("non-recursive snooping on %d resolvers...\n", len(Valid)))
|
||||
go func() {
|
||||
for i := 0; i < threads; i++ {
|
||||
Query(pairs, tracker, delay)
|
||||
}
|
||||
}()
|
||||
|
||||
for _, ns := range Valid {
|
||||
for k, _ := range Domains {
|
||||
pairs <- Pair{Nameserver: ns, Domain: k}
|
||||
}
|
||||
}
|
||||
|
||||
close(pairs)
|
||||
} else {
|
||||
Info(fmt.Sprintf("recursively snooping on %d resolvers...\n", len(Recursive)))
|
||||
go func() {
|
||||
for i := 0; i < threads; i++ {
|
||||
QueryRA(pairs, tracker, delay)
|
||||
}
|
||||
}()
|
||||
|
||||
for _, ns := range Recursive {
|
||||
for k, _ := range Domains {
|
||||
pairs <- Pair{Nameserver: ns, Domain: k}
|
||||
}
|
||||
}
|
||||
|
||||
close(pairs)
|
||||
}
|
||||
|
||||
for x := 0; x < threads; x++ {
|
||||
<-tracker
|
||||
}
|
||||
}
|
96
common/exec.go
Normal file
96
common/exec.go
Normal file
@ -0,0 +1,96 @@
|
||||
package common
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
)
|
||||
|
||||
func scan(nameservers []Nameserver, threads, delay int, recursive, single bool) {
|
||||
queries := make(chan Query)
|
||||
tab := make(chan interface{})
|
||||
|
||||
if !recursive {
|
||||
Info(fmt.Sprintf("performing non-recursive lookups against %d resolvers...", len(nameservers)))
|
||||
for i := 0; i < threads; i++ {
|
||||
go RunQuery(queries, tab, delay)
|
||||
}
|
||||
|
||||
for _, ns := range nameservers {
|
||||
for vendor, domains := range Vendors {
|
||||
for _, domainpair := range domains {
|
||||
queries <- Query{Nameserver: ns.Nameserver, Vendor: vendor, DomainPair: domainpair}
|
||||
}
|
||||
}
|
||||
}
|
||||
} else {
|
||||
Warn("recursive snooping can only be done once, as it populates the nameserver's cache")
|
||||
Info(fmt.Sprintf("recursively snooping on %d resolvers...", len(nameservers)))
|
||||
for i := 0; i < threads; i++ {
|
||||
go RunQueryRA(queries, tab, delay)
|
||||
}
|
||||
|
||||
if !single {
|
||||
for _, ns := range nameservers {
|
||||
for vendor, domains := range Vendors {
|
||||
for _, domainpair := range domains {
|
||||
queries <- Query{Nameserver: ns.Nameserver, Vendor: vendor, DomainPair: domainpair}
|
||||
}
|
||||
}
|
||||
}
|
||||
} else {
|
||||
for vendor, domains := range Vendors {
|
||||
for _, domainpair := range domains {
|
||||
queries <- Query{Nameserver: nameservers[0].Nameserver, Vendor: vendor, DomainPair: domainpair}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
close(queries)
|
||||
}
|
||||
|
||||
func Takeoff(nameservers []Nameserver) {
|
||||
var nonrns, rns []Nameserver
|
||||
for _, ns := range nameservers {
|
||||
if ns.Recursive {
|
||||
rns = append(rns, ns)
|
||||
}
|
||||
if ns.NonRA {
|
||||
nonrns = append(nonrns, ns)
|
||||
}
|
||||
}
|
||||
|
||||
if len(nonrns) == 0 && len(rns) == 0 {
|
||||
Fatal("no valid nameservers available for probing, they may be down or they don't like your IP")
|
||||
}
|
||||
|
||||
recursive := false
|
||||
|
||||
for {
|
||||
if !recursive {
|
||||
if len(nonrns) > 0 {
|
||||
scan(nonrns, Params.Threads, Params.Delay, false, false)
|
||||
} else {
|
||||
for {
|
||||
Info(fmt.Sprintf("non-recursive lookups not viable on these servers, perform recursive snooping? %s(less reliable, can only be done once per server)%s",
|
||||
ColorRed, ColorReset))
|
||||
fmt.Printf("%s `--(y/n):%s ", ColorCyan, ColorReset)
|
||||
var input string
|
||||
fmt.Scanln(&input)
|
||||
if input == "y" {
|
||||
recursive = true
|
||||
break
|
||||
}
|
||||
if input == "n" {
|
||||
os.Exit(0)
|
||||
}
|
||||
}
|
||||
continue
|
||||
}
|
||||
} else {
|
||||
autodetected := Params.Domain != "" && len(Params.Nservers) == 0
|
||||
scan(rns, Params.Threads, Params.Delay, true, autodetected)
|
||||
}
|
||||
|
||||
}
|
||||
}
|
69
common/io.go
Normal file
69
common/io.go
Normal file
@ -0,0 +1,69 @@
|
||||
package common
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
)
|
||||
|
||||
var (
|
||||
ColorReset = "\033[0m"
|
||||
ColorRed = "\033[31m"
|
||||
ColorPurple = "\033[35m"
|
||||
ColorLightBlue = "\033[34m"
|
||||
ColorCyan = "\033[36m"
|
||||
ColorGreen = "\033[32m"
|
||||
ColorOrange = "\033[91m"
|
||||
ColorGray = "\033[90m"
|
||||
ColorYellow = "\033[93m"
|
||||
ColorWhite = "\033[97m"
|
||||
)
|
||||
|
||||
func Usage() {
|
||||
Banner()
|
||||
fmt.Printf(`
|
||||
usage:
|
||||
%s!%s d | target fqdn (not recommended)
|
||||
%s!%s n | nameserver to query (can be specified multiple times)
|
||||
v | enable verbosity %s[false]%s
|
||||
t | threads %s[5]%s
|
||||
s | delay between requests in milliseconds, per thread %s[250]%s
|
||||
|
||||
e.g.
|
||||
patdown -d target.network
|
||||
patdown -n egress.ns.target.network -n another.egress.ns.target.network
|
||||
patdown -n dc.target.network -v -t 25
|
||||
`, ColorRed, ColorReset, ColorRed, ColorReset, ColorPurple, ColorReset, ColorPurple, ColorReset, ColorPurple, ColorReset)
|
||||
}
|
||||
|
||||
func Banner() {
|
||||
fmt.Fprintf(os.Stderr, `
|
||||
_______
|
||||
_/_ / ---' ____)____
|
||||
_ __. / __/ __ , , , ___ ______)
|
||||
/_)_(_/|_<__(_/_(_)(_(_/_/ <_ _______)
|
||||
/ _______)
|
||||
' ---.__________)
|
||||
|
||||
`)
|
||||
}
|
||||
|
||||
func Success(msg string) {
|
||||
fmt.Printf("%s[+]%s %s\n", ColorGreen, ColorReset, msg)
|
||||
}
|
||||
|
||||
func Info(msg string) {
|
||||
fmt.Printf("%s[i]%s %s\n", ColorCyan, ColorReset, msg)
|
||||
}
|
||||
|
||||
func Warn(msg string) {
|
||||
fmt.Printf("%s[!]%s %s\n", ColorYellow, ColorReset, msg)
|
||||
}
|
||||
|
||||
func Error(msg string) {
|
||||
fmt.Printf("%s[x]%s %s\n", ColorRed, ColorReset, msg)
|
||||
}
|
||||
|
||||
func Fatal(msg string) {
|
||||
fmt.Printf("%s[f]%s %s\n", ColorRed, ColorReset, msg)
|
||||
os.Exit(-1)
|
||||
}
|
140
common/net.go
Normal file
140
common/net.go
Normal file
@ -0,0 +1,140 @@
|
||||
package common
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
"github.com/miekg/dns"
|
||||
)
|
||||
|
||||
type Query struct {
|
||||
Nameserver string
|
||||
Vendor string
|
||||
DomainPair Pair
|
||||
}
|
||||
|
||||
type Nameserver struct {
|
||||
Nameserver string
|
||||
NonRA bool
|
||||
Recursive bool
|
||||
}
|
||||
|
||||
func message(domain string, reqtype uint16, ra bool) *dns.Msg {
|
||||
msg := new(dns.Msg)
|
||||
msg.Id = dns.Id()
|
||||
msg.RecursionDesired = ra
|
||||
msg.Question = make([]dns.Question, 1)
|
||||
msg.Question[0] = dns.Question{
|
||||
Name: dns.Fqdn(domain),
|
||||
Qtype: reqtype,
|
||||
Qclass: dns.ClassINET,
|
||||
}
|
||||
return msg
|
||||
}
|
||||
|
||||
func ParseNS(nameservers []string) []Nameserver {
|
||||
var valid []Nameserver
|
||||
msg := message("cloudflare.com", dns.TypeA, false)
|
||||
for _, ns := range nameservers {
|
||||
nonra, ra := false, false
|
||||
in, err := dns.Exchange(msg, ns+":53")
|
||||
if err != nil {
|
||||
Error(fmt.Sprintf("nameserver %s%s%s is not responding to the trial query", ColorGray, ns[0:len(ns)-1], ColorReset))
|
||||
continue
|
||||
}
|
||||
if in.Rcode == dns.RcodeRefused {
|
||||
Warn(fmt.Sprintf("nameserver %s%s%s refused the trial non-recursive query", ColorGray, ns[0:len(ns)-1], ColorReset))
|
||||
} else {
|
||||
Success(fmt.Sprintf("nameserver %s%s%s allows non-recursive queries", ColorGray, ns[0:len(ns)-1], ColorReset))
|
||||
nonra = true
|
||||
}
|
||||
if in.RecursionAvailable {
|
||||
Success(fmt.Sprintf("nameserver %s%s%s allows recursion", ColorGray, ns[0:len(ns)-1], ColorReset))
|
||||
ra = true
|
||||
} else {
|
||||
Warn(fmt.Sprintf("nameserver %s%s%s does not allow recursion", ColorGray, ns[0:len(ns)-1], ColorReset))
|
||||
}
|
||||
|
||||
valid = append(valid, Nameserver{Nameserver: ns, NonRA: nonra, Recursive: ra})
|
||||
}
|
||||
return valid
|
||||
}
|
||||
|
||||
func NeutralReq() bool {
|
||||
msg := message("supernets.org", dns.TypeA, true)
|
||||
in, err := dns.Exchange(msg, "1.1.1.1:53")
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
if len(in.Answer) > 0 {
|
||||
return true
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func PullNS(d string) []string {
|
||||
nsmsg := message(d, dns.TypeNS, true)
|
||||
in, err := dns.Exchange(nsmsg, "1.1.1.1:53")
|
||||
if err != nil {
|
||||
Fatal("unable to retrieve nameservers for " + d)
|
||||
}
|
||||
|
||||
nameservers := []string{}
|
||||
|
||||
for _, ans := range in.Answer {
|
||||
ns, ok := ans.(*dns.NS)
|
||||
if ok {
|
||||
nameservers = append(nameservers, ns.Ns)
|
||||
}
|
||||
}
|
||||
|
||||
return nameservers
|
||||
}
|
||||
|
||||
func RunQuery(q <-chan Query, tracker chan<- interface{}, delay int) {
|
||||
for qdata := range q {
|
||||
if Params.Verbose {
|
||||
Info(fmt.Sprintf("querying %s on %s", qdata.DomainPair.Domain, qdata.Nameserver[0:len(qdata.Nameserver)-1]))
|
||||
}
|
||||
msg := message(qdata.DomainPair.Domain, dns.TypeA, false)
|
||||
in, err := dns.Exchange(msg, qdata.Nameserver+":53")
|
||||
if err != nil {
|
||||
Error(err.Error())
|
||||
continue
|
||||
}
|
||||
|
||||
if len(in.Answer) > 0 {
|
||||
Success(fmt.Sprintf("[%s] associated domain %s%s%s found on %s%s%s",
|
||||
qdata.Vendor, ColorRed, qdata.DomainPair.Domain, ColorReset, ColorRed, qdata.Nameserver[0:len(qdata.Nameserver)-1], ColorReset))
|
||||
}
|
||||
time.Sleep(time.Duration(delay) * time.Millisecond)
|
||||
}
|
||||
tracker <- 1337
|
||||
}
|
||||
|
||||
func RunQueryRA(q <-chan Query, tracker chan<- interface{}, delay int) {
|
||||
for qdata := range q {
|
||||
if Params.Verbose {
|
||||
Info(fmt.Sprintf("recursively querying %s on %s", qdata.DomainPair.Domain, qdata.Nameserver[0:len(qdata.Nameserver)-1]))
|
||||
}
|
||||
for x := 0; x < 2; x++ {
|
||||
msg := message(qdata.DomainPair.Domain, dns.TypeA, true)
|
||||
in, err := dns.Exchange(msg, qdata.Nameserver+":53")
|
||||
if err != nil {
|
||||
Error("hiccup on " + qdata.Nameserver[0:len(qdata.Nameserver)-1] + " while querying " + qdata.DomainPair.Domain)
|
||||
time.Sleep(2 * time.Second)
|
||||
continue
|
||||
}
|
||||
|
||||
if len(in.Answer) > 0 {
|
||||
if in.Answer[0].Header().Ttl <= qdata.DomainPair.TTL-4 {
|
||||
Success(fmt.Sprintf("[%s] associated domain %s%s%s found on %s%s%s with decremented TTL of %s%d%s",
|
||||
qdata.Vendor, ColorRed, qdata.DomainPair.Domain, ColorReset, ColorRed, qdata.Nameserver[0:len(qdata.Nameserver)-1], ColorReset, ColorGreen, in.Answer[0].Header().Ttl, ColorReset))
|
||||
}
|
||||
}
|
||||
break
|
||||
}
|
||||
time.Sleep(time.Duration(delay) * time.Millisecond)
|
||||
}
|
||||
tracker <- 1337
|
||||
}
|
728
common/ref.go
728
common/ref.go
@ -1,327 +1,483 @@
|
||||
package common
|
||||
|
||||
type DomInfo struct {
|
||||
Vendor string
|
||||
import "fmt"
|
||||
|
||||
type Pair struct {
|
||||
Domain string
|
||||
TTL uint32
|
||||
}
|
||||
|
||||
var Domains = map[string]DomInfo{
|
||||
var Vendors = map[string][]Pair{
|
||||
fmt.Sprintf("%sMicrosoft Defender for Endpoint%s", ColorCyan, ColorReset): domains_microsoft,
|
||||
fmt.Sprintf("%sVMWare%s Carbon Black%s", ColorCyan, ColorGray, ColorReset): domains_carbonblack,
|
||||
fmt.Sprintf("%sCrowdStrike Falcon%s", ColorRed, ColorReset): domains_crowdstrike,
|
||||
fmt.Sprintf("%sCheck Point Harmony%s", ColorPurple, ColorReset): domains_checkpoint,
|
||||
fmt.Sprintf("%sCybereason%s", ColorYellow, ColorReset): domains_cybereason,
|
||||
fmt.Sprintf("%sTrellix%s", ColorCyan, ColorReset): domains_trellix,
|
||||
fmt.Sprintf("%sCortex XDR%s", ColorOrange, ColorReset): domains_paloalto,
|
||||
fmt.Sprintf("%sSentinelOne Singularity%s", ColorPurple, ColorReset): domains_sentinelone,
|
||||
fmt.Sprintf("%sSymantec Endpoint Security%s", ColorYellow, ColorReset): domains_symantec,
|
||||
fmt.Sprintf("%sTanium%s", ColorRed, ColorReset): domains_tanium,
|
||||
fmt.Sprintf("%sNextron%s Aurora%s", ColorCyan, ColorGreen, ColorReset): domains_aurora,
|
||||
fmt.Sprintf("%sTrend Micro Endpoint Sensor%s", ColorRed, ColorReset): domains_trendmicro,
|
||||
fmt.Sprintf("%sRapid7%s InsightIDR", ColorOrange, ColorReset): domains_rapid7,
|
||||
}
|
||||
|
||||
// Microsoft Defender for Endpoint
|
||||
// https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus?view=o365-worldwide#services-and-urls
|
||||
"ussus2westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
|
||||
"download.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600}, // dynamic
|
||||
"go.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 1600}, // dynamic
|
||||
"ussus1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
|
||||
"wsus2westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
|
||||
"security.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600},
|
||||
"wseu1northprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
|
||||
"wsus2eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
|
||||
"ussus3westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
|
||||
"wsus1eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
|
||||
"wsuk1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
|
||||
"ussus2eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
|
||||
"settings-win.data.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600}, // dynamic
|
||||
"usseu1northprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
|
||||
"wsus1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
|
||||
"usseu1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
|
||||
"ussus1eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
|
||||
"ussuk1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
|
||||
"ctldl.windowsupdate.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 980},
|
||||
"ussus4eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
|
||||
"vortex-win.data.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 120},
|
||||
"wseu1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
|
||||
"ussuk1southprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
|
||||
"windowsupdate.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 300},
|
||||
"ussus3eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
|
||||
"ussus4westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
|
||||
"wsuk1southprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
|
||||
var domains_microsoft = []Pair{
|
||||
{"download.microsoft.com", 3600}, // not certain
|
||||
{"go.microsoft.com", 3600}, // not certain
|
||||
{"security.microsoft.com", 3600},
|
||||
{"settings-win.data.microsoft.com", 3600}, // not certain
|
||||
{"windowsupdate.com", 300},
|
||||
{"ctldl.windowsupdate.com", 3600}, // not certain
|
||||
{"wdcp.microsoft.com", 3600},
|
||||
{"wd.microsoft.com", 300},
|
||||
{"wdcpalt.microsoft.com", 3600},
|
||||
{"checkappexec.microsoft.com", 3600}, // not certain
|
||||
{"smartscreen-prod.microsoft.com", 3600},
|
||||
{"vortex-win.data.microsoft.com", 120},
|
||||
{"update.microsoft.com", 3600}, // not certain
|
||||
{"download.windowsupdate.com", 3600}, // not certain
|
||||
{"definitionupdates.microsoft.com", 3600},
|
||||
// {"delivery.mp.microsoft.com", 0},
|
||||
// {"fe3cr.delivery.mp.microsoft.com", 0},
|
||||
{"ussus2westprod.blob.core.windows.net", 60},
|
||||
{"ussus1westprod.blob.core.windows.net", 60},
|
||||
{"wsus2westprod.blob.core.windows.net", 60},
|
||||
{"wseu1northprod.blob.core.windows.net", 60},
|
||||
{"wsus2eastprod.blob.core.windows.net", 60},
|
||||
{"ussus3westprod.blob.core.windows.net", 60},
|
||||
{"wsus1eastprod.blob.core.windows.net", 60},
|
||||
{"wsuk1westprod.blob.core.windows.net", 60},
|
||||
{"ussus2eastprod.blob.core.windows.net", 60},
|
||||
{"usseu1northprod.blob.core.windows.net", 60},
|
||||
{"wsus1westprod.blob.core.windows.net", 60},
|
||||
{"usseu1westprod.blob.core.windows.net", 60},
|
||||
{"ussus1eastprod.blob.core.windows.net", 60},
|
||||
{"ussuk1westprod.blob.core.windows.net", 60},
|
||||
{"ussus4eastprod.blob.core.windows.net", 60},
|
||||
{"wseu1westprod.blob.core.windows.net", 60},
|
||||
{"ussuk1southprod.blob.core.windows.net", 60},
|
||||
{"ussus3eastprod.blob.core.windows.net", 60},
|
||||
{"ussus4westprod.blob.core.windows.net", 60},
|
||||
{"wsuk1southprod.blob.core.windows.net", 60},
|
||||
}
|
||||
|
||||
// VMWare Carbon Black
|
||||
// https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#index-of-base-urls
|
||||
"defense-prod05.conferdeploy.net": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60},
|
||||
"console.cloud.vmware.com": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60},
|
||||
"updates2.cdc.carbonblack.io": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60},
|
||||
"dashboard.confer.net": DomInfo{Vendor: "VMWare Carbon Black", TTL: 300},
|
||||
"console.cloud-us-gov.vmware.com": DomInfo{Vendor: "VMWare Carbon Black", TTL: 300},
|
||||
"ew2.carbonblackcloud.vmware.com": DomInfo{Vendor: "VMWare Carbon Black", TTL: 300},
|
||||
"defense.conferdeploy.net": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60},
|
||||
"carbonblack.io": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60},
|
||||
"carbonblack.vmware.com": DomInfo{Vendor: "VMWare Carbon Black", TTL: 3600},
|
||||
"defense-prodnrt.conferdeploy.net": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60},
|
||||
"updates.cdc.carbonblack.io": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60},
|
||||
"gprd1usgw1.carbonblack-us-gov.vmware.com": DomInfo{Vendor: "VMWare Carbon Black", TTL: 3600},
|
||||
"defense-prodsyd.conferdeploy.net": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60},
|
||||
"carbonblack.com": DomInfo{Vendor: "VMWare Carbon Black", TTL: 300},
|
||||
"defense-eap01.conferdeploy.net": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60},
|
||||
"defense-eu.conferdeploy.net": DomInfo{Vendor: "VMWare Carbon Black", TTL: 60},
|
||||
// https://docs.vmware.com/en/VMware-Carbon-Black-EDR/7.8.0/cb-edr-scm-guide/GUID-3117FB54-5D0F-46C1-8372-BF3784D27CFF.html
|
||||
// restricted: https://community.carbonblack.com/t5/Knowledge-Base/CB-Defense-What-Ports-must-be-opened-on-the-Firewall-and-Proxy/ta-p/36295
|
||||
var domains_carbonblack = []Pair{
|
||||
{"defense-prod05.conferdeploy.net", 60},
|
||||
{"console.cloud.vmware.com", 60},
|
||||
{"updates2.cdc.carbonblack.io", 300},
|
||||
{"dashboard.confer.net", 300},
|
||||
{"console.cloud-us-gov.vmware.com", 300},
|
||||
{"ew2.carbonblackcloud.vmware.com", 30},
|
||||
{"defense.conferdeploy.net", 60},
|
||||
{"carbonblack.io", 60},
|
||||
{"carbonblack.vmware.com", 86400},
|
||||
{"defense-prodnrt.conferdeploy.net", 60},
|
||||
{"updates.cdc.carbonblack.io", 60},
|
||||
{"gprd1usgw1.carbonblack-us-gov.vmware.com", 3600},
|
||||
{"defense-prodsyd.conferdeploy.net", 60},
|
||||
{"carbonblack.com", 300},
|
||||
{"defense-eap01.conferdeploy.net", 60},
|
||||
{"defense-eu.conferdeploy.net", 60},
|
||||
{"api.alliance.carbonblack.com", 600},
|
||||
{"api2.alliance.carbonblack.com", 600},
|
||||
{"threatintel.bit9.com", 3600},
|
||||
{"yum.distro.carbonblack.io", 300},
|
||||
}
|
||||
|
||||
// CrowdStrike Falcon
|
||||
// https://www.dell.com/support/kbdoc/en-us/000177899/crowdstrike-falcon-sensor-system-requirements
|
||||
"falcon.us-2.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120},
|
||||
"falcon.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
|
||||
"ts01-gyr-maverick.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800},
|
||||
"us-gov-2.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 900},
|
||||
"api.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 300},
|
||||
"ts01-b.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800},
|
||||
"firehose.us-gov-2.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
|
||||
"assets.falcon.eu-1.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120},
|
||||
"api.eu-1.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120},
|
||||
"lfodown01-b.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800},
|
||||
"assets-public.falcon.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
|
||||
"assets.falcon.us-2.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120},
|
||||
"api.us-2.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120},
|
||||
"assets-public.us-2.falcon.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120},
|
||||
"firehose.laggar.gcw.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
|
||||
"ts01-lanner-lion.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800},
|
||||
"lfoup01-lanner-lion.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800},
|
||||
"assets-public.falcon.eu-1.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120},
|
||||
"crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 300},
|
||||
"lfoup01-gyr-maverick.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800},
|
||||
"lfoup01-b.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800},
|
||||
"ts01-laggar-gcw.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
|
||||
"falconhose-laggar01-g-720386815.us-gov-west-1.elb.amazonaws.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
|
||||
"ts01-us-gov-2.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800},
|
||||
"laggar-falconui01-g-245478519.us-gov-west-1.elb.amazonaws.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
|
||||
"assets.falcon.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
|
||||
"lfodown01-lanner-lion.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800},
|
||||
"falcon.laggar.gcw.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
|
||||
"firehose.us-2.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120},
|
||||
"firehose.eu-1.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 120},
|
||||
"lfodown01-laggar-gcw.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
|
||||
"api.laggar.gcw.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
|
||||
"lfodown01-gyr-maverick.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800},
|
||||
"lfodown01-us-gov-2.cloudsink.net": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 1800},
|
||||
"sensorproxy-laggar-g-524628337.us-gov-west-1.elb.amazonaws.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
|
||||
"firehose.crowdstrike.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 300},
|
||||
"ELB-Laggar-P-LFO-DOWNLOAD-1265997121.us-gov-west-1.elb.amazonaws.com": DomInfo{Vendor: "CrowdStrike Falcon", TTL: 60},
|
||||
var domains_crowdstrike = []Pair{
|
||||
{"falcon.us-2.crowdstrike.com", 120},
|
||||
{"falcon.crowdstrike.com", 60},
|
||||
{"ts01-gyr-maverick.cloudsink.net", 60},
|
||||
// {"us-gov-2.crowdstrike.com", 0},
|
||||
{"api.crowdstrike.com", 300},
|
||||
{"ts01-b.cloudsink.net", 1800},
|
||||
// {"firehose.us-gov-2.crowdstrike.com", 0},
|
||||
{"assets.falcon.eu-1.crowdstrike.com", 120},
|
||||
{"api.eu-1.crowdstrike.com", 60},
|
||||
{"lfodown01-b.cloudsink.net", 1800},
|
||||
{"assets-public.falcon.crowdstrike.com", 60},
|
||||
{"assets.falcon.us-2.crowdstrike.com", 120},
|
||||
{"api.us-2.crowdstrike.com", 120},
|
||||
{"assets-public.us-2.falcon.crowdstrike.com", 120},
|
||||
{"firehose.laggar.gcw.crowdstrike.com", 60},
|
||||
{"ts01-lanner-lion.cloudsink.net", 60},
|
||||
{"lfoup01-lanner-lion.cloudsink.net", 1800},
|
||||
{"assets-public.falcon.eu-1.crowdstrike.com", 120},
|
||||
{"crowdstrike.com", 300},
|
||||
{"lfoup01-gyr-maverick.cloudsink.net", 1800},
|
||||
{"lfoup01-b.cloudsink.net", 1800},
|
||||
{"ts01-laggar-gcw.cloudsink.net", 60},
|
||||
{"falconhose-laggar01-g-720386815.us-gov-west-1.elb.amazonaws.com", 60},
|
||||
{"ts01-us-gov-2.cloudsink.net", 1800},
|
||||
{"laggar-falconui01-g-245478519.us-gov-west-1.elb.amazonaws.com", 60},
|
||||
{"assets.falcon.crowdstrike.com", 60},
|
||||
{"lfodown01-lanner-lion.cloudsink.net", 60},
|
||||
{"falcon.laggar.gcw.crowdstrike.com", 60},
|
||||
{"firehose.us-2.crowdstrike.com", 120},
|
||||
{"firehose.eu-1.crowdstrike.com", 120},
|
||||
{"lfodown01-laggar-gcw.cloudsink.net", 60},
|
||||
{"api.laggar.gcw.crowdstrike.com", 60},
|
||||
{"lfodown01-gyr-maverick.cloudsink.net", 60},
|
||||
{"lfodown01-us-gov-2.cloudsink.net", 1800},
|
||||
{"sensorproxy-laggar-g-524628337.us-gov-west-1.elb.amazonaws.com", 60},
|
||||
{"firehose.crowdstrike.com", 300},
|
||||
{"ELB-Laggar-P-LFO-DOWNLOAD-1265997121.us-gov-west-1.elb.amazonaws.com", 60},
|
||||
}
|
||||
|
||||
// Harmony / CheckPoint
|
||||
// https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116590
|
||||
"rep.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
|
||||
"threat-emulation.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
|
||||
"epmgmt.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 900},
|
||||
"sc1.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
|
||||
"gwevents.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
|
||||
"gwevents.us.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 180},
|
||||
"endpoint-cdn.epmgmt.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 300},
|
||||
"checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 39},
|
||||
"iaas.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 900},
|
||||
"kav8.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
|
||||
"cloudinfra-gw.portal.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 60},
|
||||
"datatube-prod.azurewebsites.net": DomInfo{Vendor: "CheckPoint Harmony", TTL: 30},
|
||||
"updates.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
|
||||
"ep-repo.epmgmt.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 300},
|
||||
"file-rep.iaas.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 60},
|
||||
"threatcloud.iaas.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 60},
|
||||
"dl3.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
|
||||
"secureupdates.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
|
||||
"epm-gw-eu.epmgmt.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 86400},
|
||||
"url-rep.iaas.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 60},
|
||||
"te.iaas.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 60},
|
||||
"services.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
|
||||
"europe-west1-datatube-240519.cloudfunctions.net": DomInfo{Vendor: "CheckPoint Harmony", TTL: 300},
|
||||
"cws.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
|
||||
"teadv.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
|
||||
"us-east4-chkp-gcp-rnd-threat-hunt-box.cloudfunctions.net": DomInfo{Vendor: "CheckPoint Harmony", TTL: 300},
|
||||
"te.checkpoint.com": DomInfo{Vendor: "CheckPoint Harmony", TTL: 1800},
|
||||
// https://support.checkpoint.com/results/sk/sk116590
|
||||
var domains_checkpoint = []Pair{
|
||||
{"rep.checkpoint.com", 1800},
|
||||
{"threat-emulation.checkpoint.com", 1800},
|
||||
{"sc1.checkpoint.com", 1800},
|
||||
{"gwevents.checkpoint.com", 300},
|
||||
{"gwevents.us.checkpoint.com", 180},
|
||||
{"endpoint-cdn.epmgmt.checkpoint.com", 300},
|
||||
// {"checkpoint.com", 25}, <- dynamic ttl
|
||||
{"kav8.checkpoint.com", 1800},
|
||||
{"cloudinfra-gw.portal.checkpoint.com", 60},
|
||||
{"datatube-prod.azurewebsites.net", 30},
|
||||
{"updates.checkpoint.com", 1800},
|
||||
{"ep-repo.epmgmt.checkpoint.com", 300},
|
||||
{"file-rep.iaas.checkpoint.com", 60},
|
||||
{"threatcloud.iaas.checkpoint.com", 60},
|
||||
{"dl3.checkpoint.com", 1800},
|
||||
{"secureupdates.checkpoint.com", 1800},
|
||||
{"epm-gw-eu.epmgmt.checkpoint.com", 86400},
|
||||
{"url-rep.iaas.checkpoint.com", 60},
|
||||
{"te.iaas.checkpoint.com", 60},
|
||||
{"services.checkpoint.com", 1800},
|
||||
{"europe-west1-datatube-240519.cloudfunctions.net", 300},
|
||||
{"cws.checkpoint.com", 1800},
|
||||
{"teadv.checkpoint.com", 1800},
|
||||
{"us-east4-chkp-gcp-rnd-threat-hunt-box.cloudfunctions.net", 300},
|
||||
{"te.checkpoint.com", 1800},
|
||||
{"hap2.epmgmt.checkpoint.com", 300},
|
||||
{"hap21.epmgmt.checkpoint.com", 300},
|
||||
{"hap5.epmgmt.checkpoint.com", 300},
|
||||
{"hap51.epmgmt.checkpoint.com", 300},
|
||||
{"hap1.epmgmt.checkpoint.com", 300},
|
||||
{"hap11.epmgmt.checkpoint.com", 300},
|
||||
{"hap3.epmgmt.checkpoint.com", 300},
|
||||
{"hap31.epmgmt.checkpoint.com", 300},
|
||||
{"hap4.epmgmt.checkpoint.com", 300},
|
||||
{"hap41.epmgmt.checkpoint.com", 300},
|
||||
{"ftp-proxy.checkpoint.com", 1800},
|
||||
{"web-rep.checkpoint.com", 1800},
|
||||
}
|
||||
|
||||
// Cybereason
|
||||
// https://docs.cybereason.com/en/latest/cloud_deploy/enablecommunication.html
|
||||
"data-epgw-eu-west-1.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 300},
|
||||
"probe-dist-asia-northeast-1.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 60},
|
||||
"data-epgw-asia-northeast-1.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 300},
|
||||
"probe-dist.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 300},
|
||||
"probe-dist-eu-west-1.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 300},
|
||||
"data-epgw.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 300},
|
||||
"cybereason.com": DomInfo{Vendor: "Cybereason", TTL: 300},
|
||||
var domains_cybereason = []Pair{
|
||||
{"data-epgw-eu-west-1.cybereason.net", 300},
|
||||
{"probe-dist-asia-northeast-1.cybereason.net", 60},
|
||||
{"data-epgw-asia-northeast-1.cybereason.net", 300},
|
||||
{"probe-dist.cybereason.net", 300},
|
||||
{"probe-dist-eu-west-1.cybereason.net", 300},
|
||||
{"probe-dist-dns.cybereason.net", 3600},
|
||||
{"data-epgw.cybereason.net", 300},
|
||||
{"cybereason.com", 600},
|
||||
}
|
||||
|
||||
// FireEye / Trellix
|
||||
// https://kcm.trellix.com/corporate/index?page=content&id=KB90878
|
||||
"manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 900},
|
||||
"cds-usw001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
|
||||
"sw-eu001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
|
||||
"cdn-usw002.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
|
||||
"sw-ind001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
|
||||
"cdn-usw001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
|
||||
"cdn-usw003.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
|
||||
"auth.ui.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
|
||||
"uam.api.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
|
||||
"cds-usw002.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
|
||||
"trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
|
||||
"sw-usw003.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
|
||||
"sw-usw004.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 300},
|
||||
"dxlweb-usw001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
|
||||
"cds-usw003.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
|
||||
"cdn-sgp001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
|
||||
"dxlweb-usw002.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
|
||||
"cdn-ind001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
|
||||
"dxl-usw002.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
|
||||
"sw-usw001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
|
||||
"dxl-usw001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
|
||||
"dxlweb-usw003.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
|
||||
"cds-usw004.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
|
||||
"cdn-au001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
|
||||
"sw-usw002.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
|
||||
"api.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
|
||||
"sw-sgp001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
|
||||
"dxlweb-usw004.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
|
||||
"cdn-usw004.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
|
||||
"sw-au001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
|
||||
"dxl-usw004.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
|
||||
"dxl-usw003.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
|
||||
"cdn-eu001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
|
||||
var domains_trellix = []Pair{
|
||||
{"epo.trellix.com", 300},
|
||||
{"s-download.trellix.com", 300},
|
||||
{"lc.trellix.com", 300},
|
||||
{"manage.trellix.com", 60},
|
||||
{"cds-usw001.manage.trellix.com", 60},
|
||||
{"cdn-usw002.manage.trellix.com", 60},
|
||||
{"cdn-usw001.manage.trellix.com", 60},
|
||||
{"cdn-usw003.manage.trellix.com", 60},
|
||||
{"auth.ui.trellix.com", 60},
|
||||
{"uam.api.trellix.com", 60},
|
||||
{"api.manage.trellix.com", 60},
|
||||
{"cds-usw002.manage.trellix.com", 60},
|
||||
{"trellix.com", 60},
|
||||
{"dxlweb-usw001.manage.trellix.com", 60},
|
||||
{"cds-usw003.manage.trellix.com", 60},
|
||||
{"cdn-sgp001.manage.trellix.com", 60},
|
||||
{"dxlweb-usw002.manage.trellix.com", 60},
|
||||
{"cdn-ind001.manage.trellix.com", 60},
|
||||
{"dxl-usw002.manage.trellix.com", 60},
|
||||
{"dxl-usw001.manage.trellix.com", 60},
|
||||
{"dxlweb-usw003.manage.trellix.com", 60},
|
||||
{"cds-usw004.manage.trellix.com", 60},
|
||||
{"cdn-au001.manage.trellix.com", 60},
|
||||
{"dxlweb-usw004.manage.trellix.com", 60},
|
||||
{"cdn-usw004.manage.trellix.com", 60},
|
||||
{"dxl-usw004.manage.trellix.com", 60},
|
||||
{"dxl-usw003.manage.trellix.com", 60},
|
||||
{"cdn-eu001.manage.trellix.com", 60},
|
||||
{"iam.cloud.trellix.com", 10},
|
||||
{"iam-rs.cloud.trellix.com", 10},
|
||||
{"gsd.cloud.trellix.com", 10},
|
||||
{"d2c-us-west-2.manage.trellix.com", 60},
|
||||
{"d2c-eu-central-1.manage.trellix.com", 60},
|
||||
{"dxlweb-sgp001.manage.trellix.com", 60},
|
||||
{"dxl-sgp001.manage.trellix.com", 60},
|
||||
{"dxl-eu001.manage.trellix.com", 60},
|
||||
{"dxlweb-eu001.manage.trellix.com", 60},
|
||||
{"dxl-au001.manage.trellix.com", 60},
|
||||
{"dxlweb-au001.manage.trellix.com", 60},
|
||||
{"dxl-ind001.manage.trellix.com", 60},
|
||||
{"dxlweb-ind001.manage.trellix.com", 60},
|
||||
{"ui-usw001.manage.trellix.com", 60},
|
||||
{"ui-usw002.manage.trellix.com", 60},
|
||||
{"ui-usw003.manage.trellix.com", 60},
|
||||
{"ui-usw004.manage.trellix.com", 60},
|
||||
{"ui-sgp001.manage.trellix.com", 60},
|
||||
{"ui-eu001.manage.trellix.com", 60},
|
||||
{"ui-au001.manage.trellix.com", 60},
|
||||
{"ui-ind001.manage.trellix.com", 60},
|
||||
{"ah-usw001.manage.trellix.com", 60},
|
||||
{"ah-usw002.manage.trellix.com", 60},
|
||||
{"ah-usw003.manage.trellix.com", 60},
|
||||
{"ah-usw004.manage.trellix.com", 60},
|
||||
{"ah-sgp001.manage.trellix.com", 60},
|
||||
{"ah-eu001.manage.trellix.com", 60},
|
||||
{"ah-au001.manage.trellix.com", 60},
|
||||
{"ah-ind001.manage.trellix.com", 60},
|
||||
}
|
||||
|
||||
// Cortex XDR / Palo Alto Networks
|
||||
// https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Resources-Required-to-Enable-Access
|
||||
"panw-xdr-evr-prod-au.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
|
||||
"lrc-eu.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
|
||||
"global-content-profiles-policy.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
|
||||
"panw-xdr-evr-prod-uk.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
|
||||
"lrc-ch.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
|
||||
"lrc-jp.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
|
||||
"panw-xdr-evr-prod-qt.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
|
||||
"panw-xdr-evr-prod-pl.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
|
||||
"pendo-static-5664029141630976.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
|
||||
"panw-xdr-evr-prod-sg.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
|
||||
"lrc-uk.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
|
||||
"lrc-us.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
|
||||
"lrc-tw.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 1800},
|
||||
"panw-xdr-evr-prod-eu.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
|
||||
"lrc-ca.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
|
||||
"paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 30},
|
||||
"lrc-fa.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 30},
|
||||
"panw-xdr-evr-prod-in.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
|
||||
"panw-xdr-evr-prod-fa.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
|
||||
"panw-xdr-evr-prod-ca.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
|
||||
"lrc-pl.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
|
||||
"lrc-qt.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
|
||||
"panw-xdr-evr-prod-us.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
|
||||
"lrc-de.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
|
||||
"panw-xdr-installers-prod-us.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
|
||||
"panw-xdr-evr-prod-ch.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
|
||||
"lrc-in.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
|
||||
"panw-xdr-evr-prod-de.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
|
||||
"lrc-au.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
|
||||
"panw-xdr-evr-prod-tw.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
|
||||
"login.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
|
||||
"lrc-sg.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
|
||||
"panw-xdr-evr-prod-jp.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
|
||||
"panw-xdr-payloads-prod-us.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
|
||||
var domains_paloalto = []Pair{
|
||||
{"panw-xdr-evr-prod-au.storage.googleapis.com", 300},
|
||||
{"lrc-eu.paloaltonetworks.com", 14400},
|
||||
{"global-content-profiles-policy.storage.googleapis.com", 300},
|
||||
{"panw-xdr-evr-prod-uk.storage.googleapis.com", 300},
|
||||
{"lrc-ch.paloaltonetworks.com", 14400},
|
||||
{"lrc-jp.paloaltonetworks.com", 14400},
|
||||
{"panw-xdr-evr-prod-qt.storage.googleapis.com", 300},
|
||||
{"panw-xdr-evr-prod-pl.storage.googleapis.com", 300},
|
||||
{"pendo-static-5664029141630976.storage.googleapis.com", 300},
|
||||
{"panw-xdr-evr-prod-sg.storage.googleapis.com", 300},
|
||||
{"lrc-uk.paloaltonetworks.com", 14400},
|
||||
{"lrc-us.paloaltonetworks.com", 14400},
|
||||
{"lrc-tw.paloaltonetworks.com", 1800},
|
||||
{"panw-xdr-evr-prod-eu.storage.googleapis.com", 300},
|
||||
{"lrc-ca.paloaltonetworks.com", 14400},
|
||||
{"paloaltonetworks.com", 30},
|
||||
// {"lrc-fa.paloaltonetworks.com", 14400},
|
||||
{"panw-xdr-evr-prod-in.storage.googleapis.com", 300},
|
||||
{"panw-xdr-evr-prod-fa.storage.googleapis.com", 300},
|
||||
{"panw-xdr-evr-prod-ca.storage.googleapis.com", 300},
|
||||
{"lrc-pl.paloaltonetworks.com", 14400},
|
||||
{"lrc-qt.paloaltonetworks.com", 300},
|
||||
{"panw-xdr-evr-prod-us.storage.googleapis.com", 300},
|
||||
{"lrc-de.paloaltonetworks.com", 300},
|
||||
{"panw-xdr-installers-prod-us.storage.googleapis.com", 300},
|
||||
{"panw-xdr-evr-prod-ch.storage.googleapis.com", 300},
|
||||
{"lrc-in.paloaltonetworks.com", 14400},
|
||||
{"panw-xdr-evr-prod-de.storage.googleapis.com", 300},
|
||||
{"lrc-au.paloaltonetworks.com", 14400},
|
||||
{"panw-xdr-evr-prod-tw.storage.googleapis.com", 300},
|
||||
{"login.paloaltonetworks.com", 14400},
|
||||
{"lrc-sg.paloaltonetworks.com", 14400},
|
||||
{"panw-xdr-evr-prod-jp.storage.googleapis.com", 300},
|
||||
{"panw-xdr-payloads-prod-us.storage.googleapis.com", 300},
|
||||
{"distributions.traps.paloaltonetworks.com", 300},
|
||||
{"distributions-prod-fed.traps.paloaltonetworks.com", 300},
|
||||
{"cortex-gateway.paloaltonetworks.com", 30},
|
||||
{"gw-app-proxy.us.paloaltonetworks.com", 300},
|
||||
{"xdr-ova-installers-prod-us.storage.googleapis.com", 300},
|
||||
{"identity.paloaltonetworks.com", 300},
|
||||
{"identity.gslb.paloaltonetworks.com", 5},
|
||||
{"identity.gcp.gslb.paloaltonetworks.com", 5},
|
||||
{"lrc-fed.paloaltonetworks.com", 14400},
|
||||
{"panw-xdr-installers-prod-fr.storage.googleapis.com", 300},
|
||||
{"panw-xdr-payloads-prod-fr.storage.googleapis.com", 300},
|
||||
{"global-content-profiles-policy-prod-fr.storage.googleapis.com", 300},
|
||||
{"panw-xdr-evr-prod-fr.storage.googleapis.com", 300},
|
||||
{"app-proxy.federal.paloaltonetworks.com", 300},
|
||||
}
|
||||
|
||||
// Singularity / SentinelOne
|
||||
"eu1-oauth.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
|
||||
"eu1-qi.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
|
||||
"console.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
|
||||
"sentinelone.com": DomInfo{Vendor: "SentinelOne", TTL: 300},
|
||||
"eu1-console.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
|
||||
"eu1-content.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
|
||||
"panel.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
|
||||
"oauth.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
|
||||
"xdr.intus1.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 60},
|
||||
"eu1-device-api.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
|
||||
"eu1-vpc.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
|
||||
"eu1-acceptor.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
|
||||
"login.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
|
||||
"device-api.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
|
||||
"eu1-panel.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
|
||||
"eu1-token.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
|
||||
"content.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
|
||||
"ut.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
|
||||
var domains_sentinelone = []Pair{
|
||||
{"eu1-oauth.mobile.sentinelone.net", 300},
|
||||
{"eu1-qi.mobile.sentinelone.net", 300},
|
||||
{"console.mobile.sentinelone.net", 300},
|
||||
{"sentinelone.com", 300},
|
||||
{"eu1-console.mobile.sentinelone.net", 300},
|
||||
{"eu1-content.mobile.sentinelone.net", 300},
|
||||
{"panel.mobile.sentinelone.net", 300},
|
||||
{"oauth.mobile.sentinelone.net", 300},
|
||||
{"xdr.intus1.sentinelone.net", 60},
|
||||
{"eu1-device-api.mobile.sentinelone.net", 300},
|
||||
{"eu1-vpc.mobile.sentinelone.net", 300},
|
||||
{"eu1-acceptor.mobile.sentinelone.net", 300},
|
||||
{"login.sentinelone.net", 300},
|
||||
{"device-api.mobile.sentinelone.net", 300},
|
||||
{"eu1-panel.mobile.sentinelone.net", 300},
|
||||
{"eu1-token.mobile.sentinelone.net", 300},
|
||||
{"content.mobile.sentinelone.net", 300},
|
||||
{"ut.sentinelone.net", 300},
|
||||
}
|
||||
|
||||
// Symantec / Broadcom
|
||||
// https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-detection-and-response/4-7/about-v96380626-d38e6/required-firewall-ports-v97213154-d38e5602.html
|
||||
"remotetunnel5.edrc.symantec.com": DomInfo{Vendor: "Symantec", TTL: 600},
|
||||
"remotetunnel1.edrc.symantec.com": DomInfo{Vendor: "Symantec", TTL: 600},
|
||||
"remotetunnel3.edrc.symantec.com": DomInfo{Vendor: "Symantec", TTL: 600},
|
||||
"bash-avpg.crsi.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
|
||||
"remotetunnel2.edrc.symantec.com": DomInfo{Vendor: "Symantec", TTL: 600},
|
||||
"central.b6.crsi.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
|
||||
"stnd-ipsg.crsi.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
|
||||
"datafeedapi.symanteccloud.com": DomInfo{Vendor: "Symantec", TTL: 300},
|
||||
"stnd-avpg.crsi.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
|
||||
"shasta-rrs.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
|
||||
"remotetunnel4.edrc.symantec.com": DomInfo{Vendor: "Symantec", TTL: 600},
|
||||
"liveupdate.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
|
||||
"sso1.edrc.symantec.com": DomInfo{Vendor: "Symantec", TTL: 600},
|
||||
"shasta-mrs.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
|
||||
"telemetry.broadcom.com": DomInfo{Vendor: "Symantec", TTL: 3600},
|
||||
"ratings-wrs.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
|
||||
"api-gateway.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
|
||||
"swupdate.brightmail.com": DomInfo{Vendor: "Symantec", TTL: 3600},
|
||||
"symantec.com": DomInfo{Vendor: "Symantec", TTL: 600},
|
||||
// https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-security/sescloud/Getting-Started/urls-to-whitelist-for-v129099891-d4155e9710.html
|
||||
var domains_symantec = []Pair{
|
||||
{"liveupdate.symantec.com", 3600},
|
||||
{"liveupdate.symantecliveupdate.com", 600},
|
||||
{"shasta-rrs.symantec.com", 1800},
|
||||
{"ent-shasta-rrs.symantec.com", 1800},
|
||||
{"ent-shasta-mr-clean.symantec.com", 1800},
|
||||
{"symantec.com", 600},
|
||||
{"sp.cwfservice.net", 600},
|
||||
{"us.spoc.securitycloud.symantec.com", 600},
|
||||
{"eu.spoc.securitycloud.symantec.com", 600},
|
||||
{"in.spoc.securitycloud.symantec.com", 3600},
|
||||
{"telemetry.broadcom.com", 3600},
|
||||
{"tses.broadcom.com", 30},
|
||||
{"central.b6.crsi.symantec.com", 1800},
|
||||
{"central.ss.crsi.symantec.com", 1800},
|
||||
{"central.nrsi.symantec.com", 1800},
|
||||
{"central.avsi.symantec.com", 1800},
|
||||
{"central.crsi.symantec.com", 1800},
|
||||
{"shasta-mrs.symantec.com", 1800},
|
||||
{"shasta-clt.symantec.com", 1800},
|
||||
{"stnd-avpg.crsi.symantec.com", 1800},
|
||||
{"avs-avpg.crsi.symantec.com", 1800},
|
||||
{"stnd-ipsg.crsi.symantec.com ", 1800},
|
||||
{"bash-avpg.crsi.symantec.com", 1800},
|
||||
{"tus1gwynwapex01.symantec.com", 3600},
|
||||
{"pod.threatpulse.com", 120},
|
||||
{"faults.qalabs.symantec.com", 1800},
|
||||
{"faults.symantec.com", 1800},
|
||||
{"linux-repo-us.securityalliance.cloud", 86400},
|
||||
{"usea1.r3.securitycloud.symantec.com", 3600},
|
||||
{"euws1.r3.securitycloud.symantec.com", 3600},
|
||||
{"inso1.r3.securitycloud.symantec.com", 3600},
|
||||
{"datafeedapi.symanteccloud.com", 300},
|
||||
{"us.spoc.securitycloud.symantec.com", 600},
|
||||
{"eu.spoc.securitycloud.symantec.com ", 600},
|
||||
{"in.spoc.securitycloud.symantec.com", 3600},
|
||||
{"uploads.sep.securitycloud.symantec.com", 3600},
|
||||
{"uploads.sep.eu.securitycloud.symantec.com ", 3600},
|
||||
{"uploads.sep.in.securitycloud.symantec.com", 3600},
|
||||
{"ws.securitycloud.symantec.com", 600},
|
||||
{"bds.securitycloud.symantec.com", 600},
|
||||
{"ws.eu.securitycloud.symantec.com", 3600},
|
||||
{"bds.eu.securitycloud.symantec.com", 3600},
|
||||
{"ws.in.securitycloud.symantec.com ", 3600},
|
||||
{"bds.in.securitycloud.symantec.com", 3600},
|
||||
{"cdn.sepmobile.securitycloud.symantec.com", 300},
|
||||
{"mitm.sepmobile.securitycloud.symantec.com", 300},
|
||||
{"services-prod.symantec.com", 600},
|
||||
{"sep.securitycloud.symantec.com", 3600},
|
||||
{"sep.eu.securitycloud.symantec.com", 3600},
|
||||
{"sep.in.securitycloud.symantec.com", 3600},
|
||||
{"avagoext.okta.com", 300},
|
||||
{"accounts.saas.broadcomcloud.com", 3600},
|
||||
{"api.sep.securitycloud.symantec.com", 86400},
|
||||
{"api.sep.eu.securitycloud.symantec.com", 3600},
|
||||
{"api.sep.in.securitycloud.symantec.com", 3600},
|
||||
{"knowledge.broadcom.com", 3600},
|
||||
{"support.broadcom.com", 300},
|
||||
{"casupport.broadcom.com", 300},
|
||||
{"login.broadcom.com", 3600},
|
||||
{"ced.broadcom.com", 3600},
|
||||
{"ratings-wrs.symantec.com", 3600},
|
||||
{"api-gateway.symantec.com", 3600},
|
||||
{"swupdate.brightmail.com", 3600},
|
||||
{"licensing.dmas.symantec.com", 3600},
|
||||
{"api.us.dmas.symantec.com", 300},
|
||||
{"api.eu.dmas.symantec.com", 300},
|
||||
}
|
||||
|
||||
// Tanium
|
||||
"docs-es.tanium.com": DomInfo{Vendor: "Tanium", TTL: 300},
|
||||
"prd-us-1-manage.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 900},
|
||||
"docs-ko.tanium.com": DomInfo{Vendor: "Tanium", TTL: 300},
|
||||
"tanium.com": DomInfo{Vendor: "Tanium", TTL: 300},
|
||||
"prd-int.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 900},
|
||||
"shared.prd-int.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 900},
|
||||
"prd.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 900},
|
||||
"jp.tanium.com": DomInfo{Vendor: "Tanium", TTL: 300},
|
||||
"docs-fr.tanium.com": DomInfo{Vendor: "Tanium", TTL: 300},
|
||||
"shared.prd-us-1-manage.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 900},
|
||||
"shared.prd-us-1.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 900},
|
||||
"prd-int-manage.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 900},
|
||||
"prd-us-1.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 300},
|
||||
"shared.prd-int-manage.mdm.cloud.tanium.com": DomInfo{Vendor: "Tanium", TTL: 300},
|
||||
var domains_tanium = []Pair{
|
||||
{"content.tanium.com", 300},
|
||||
{"docs-es.tanium.com", 300},
|
||||
{"docs-fr.tanium.com", 300},
|
||||
{"tanium.com", 300},
|
||||
{"go2.tanium.com", 300},
|
||||
{"learn.tanium.com", 300},
|
||||
{"som.cloud.tanium.com", 60},
|
||||
{"download.tanium.com", 300},
|
||||
{"fnf-api.cloud.tanium.com", 60},
|
||||
{"community.tanium.com", 300},
|
||||
{"3.distribute.cloud.tanium.com", 300},
|
||||
{"content.tanium.com", 300},
|
||||
{"help.tanium.com", 300},
|
||||
{"docs.tanium.com", 300},
|
||||
{"moveit.tanium.com", 300},
|
||||
{"kb.tanium.com", 300},
|
||||
}
|
||||
|
||||
// Aurora
|
||||
// https://aurora-agent-manual.nextron-systems.com/en/latest/usage/upgrade-and-updates.html
|
||||
"update-aurora.nextron-systems.com": DomInfo{Vendor: "Nextron Aurora", TTL: 60},
|
||||
"update-102.nextron-systems.com": DomInfo{Vendor: "Nextron Aurora", TTL: 60},
|
||||
"update-202.nextron-systems.com": DomInfo{Vendor: "Nextron Aurora", TTL: 60},
|
||||
"update-201.nextron-systems.com": DomInfo{Vendor: "Nextron Aurora", TTL: 60},
|
||||
"update-lite.nextron-systems.com": DomInfo{Vendor: "Nextron Aurora", TTL: 60},
|
||||
var domains_aurora = []Pair{
|
||||
{"update-aurora.nextron-systems.com", 60},
|
||||
{"update-102.nextron-systems.com", 60},
|
||||
{"update-202.nextron-systems.com", 60},
|
||||
{"update-201.nextron-systems.com", 60},
|
||||
{"update-lite.nextron-systems.com", 60},
|
||||
}
|
||||
|
||||
// Trend Micro
|
||||
// https://docs.trendmicro.com/en-us/documentation/article/deep-discovery-director-(consolidated-mode)-53-online-help-service-addresses-an_002
|
||||
// https://cloudone.trendmicro.com/docs/workload-security/communication-ports-urls-ip/
|
||||
"xdr.trendmicro.co.jp": DomInfo{Vendor: "Trend Micro", TTL: 60},
|
||||
"files.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 1800},
|
||||
"api.nacloud.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 60},
|
||||
"cloudone.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 60},
|
||||
"ddd53-p.activeupdate.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 1800},
|
||||
"trenddefense.com": DomInfo{Vendor: "Trend Micro", TTL: 300},
|
||||
"threatconnect.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 1800},
|
||||
"api.sg.nacloud.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 60},
|
||||
"trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 1800},
|
||||
"api.jp.nacloud.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 60},
|
||||
"api.eu.nacloud.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 60},
|
||||
"docs.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 1800},
|
||||
"api.us.nacloud.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 60},
|
||||
"ddd53-threatconnect.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 1800},
|
||||
"licenseupdate.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 1800},
|
||||
"xdr.trendmicro.com": DomInfo{Vendor: "Trend Micro", TTL: 60},
|
||||
var domains_trendmicro = []Pair{
|
||||
{"xdr.trendmicro.co.jp", 60},
|
||||
{"files.trendmicro.com", 1800},
|
||||
{"api.nacloud.trendmicro.com", 60},
|
||||
{"cloudone.trendmicro.com", 60},
|
||||
{"ddd53-p.activeupdate.trendmicro.com", 1800},
|
||||
{"trenddefense.com", 300},
|
||||
{"threatconnect.trendmicro.com", 1800},
|
||||
{"api.sg.nacloud.trendmicro.com", 60},
|
||||
{"trendmicro.com", 1800},
|
||||
{"api.jp.nacloud.trendmicro.com", 60},
|
||||
{"api.eu.nacloud.trendmicro.com", 60},
|
||||
{"docs.trendmicro.com", 1800},
|
||||
{"api.us.nacloud.trendmicro.com", 60},
|
||||
{"ddd53-threatconnect.trendmicro.com", 1800},
|
||||
{"licenseupdate.trendmicro.com", 1800},
|
||||
{"xdr.trendmicro.com", 60},
|
||||
}
|
||||
|
||||
// Rapid7 InsightIDR
|
||||
// https://docs.rapid7.com/insightidr/ports-used-by-insightidr
|
||||
"data.insight.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 60},
|
||||
"us2.data.insight.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 30},
|
||||
"us3.data.insight.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 30},
|
||||
"eu.data.insight.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 30},
|
||||
"ca.data.insight.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 30},
|
||||
"au.data.insight.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 30},
|
||||
"ap.data.insight.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 30},
|
||||
"endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 300},
|
||||
"us2.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 300},
|
||||
"us3.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 300},
|
||||
"eu.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 300},
|
||||
"ca.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 300},
|
||||
"au.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 300},
|
||||
"ap.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 300},
|
||||
"us.storage.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400},
|
||||
"us.bootstrap.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400},
|
||||
"us2.storage.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400},
|
||||
"us2.bootstrap.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400},
|
||||
"us3.storage.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400},
|
||||
"us3.bootstrap.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400},
|
||||
"eu.storage.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400},
|
||||
"eu.bootstrap.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400},
|
||||
"ca.storage.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400},
|
||||
"ca.bootstrap.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400},
|
||||
"au.storage.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400},
|
||||
"au.bootstrap.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400},
|
||||
"ap.storage.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400},
|
||||
"ap.bootstrap.endpoint.ingress.rapid7.com": DomInfo{Vendor: "Rapid7 InsightIDR", TTL: 86400},
|
||||
var domains_rapid7 = []Pair{
|
||||
{"data.insight.rapid7.com", 60},
|
||||
{"us2.data.insight.rapid7.com", 30},
|
||||
{"us3.data.insight.rapid7.com", 30},
|
||||
{"eu.data.insight.rapid7.com", 30},
|
||||
{"ca.data.insight.rapid7.com", 30},
|
||||
{"au.data.insight.rapid7.com", 30},
|
||||
{"ap.data.insight.rapid7.com", 30},
|
||||
{"endpoint.ingress.rapid7.com", 300},
|
||||
{"us2.endpoint.ingress.rapid7.com", 300},
|
||||
{"us3.endpoint.ingress.rapid7.com", 300},
|
||||
{"eu.endpoint.ingress.rapid7.com", 300},
|
||||
{"ca.endpoint.ingress.rapid7.com", 300},
|
||||
{"au.endpoint.ingress.rapid7.com", 300},
|
||||
{"ap.endpoint.ingress.rapid7.com", 300},
|
||||
{"us.storage.endpoint.ingress.rapid7.com", 86400},
|
||||
{"us.bootstrap.endpoint.ingress.rapid7.com", 86400},
|
||||
{"us2.storage.endpoint.ingress.rapid7.com", 86400},
|
||||
{"us2.bootstrap.endpoint.ingress.rapid7.com", 86400},
|
||||
{"us3.storage.endpoint.ingress.rapid7.com", 86400},
|
||||
{"us3.bootstrap.endpoint.ingress.rapid7.com", 86400},
|
||||
{"eu.storage.endpoint.ingress.rapid7.com", 86400}, // not certain
|
||||
{"eu.bootstrap.endpoint.ingress.rapid7.com", 86400}, // not certain
|
||||
{"ca.storage.endpoint.ingress.rapid7.com", 86400},
|
||||
{"ca.bootstrap.endpoint.ingress.rapid7.com", 86400},
|
||||
{"au.storage.endpoint.ingress.rapid7.com", 86400},
|
||||
{"au.bootstrap.endpoint.ingress.rapid7.com", 86400},
|
||||
{"ap.storage.endpoint.ingress.rapid7.com", 86400},
|
||||
{"ap.bootstrap.endpoint.ingress.rapid7.com", 86400},
|
||||
}
|
||||
|
14
go.mod
14
go.mod
@ -1,11 +1,13 @@
|
||||
module patdown
|
||||
|
||||
go 1.21.0
|
||||
go 1.22.6
|
||||
|
||||
require github.com/miekg/dns v1.1.62
|
||||
|
||||
require (
|
||||
github.com/miekg/dns v1.1.57 // indirect
|
||||
golang.org/x/mod v0.12.0 // indirect
|
||||
golang.org/x/net v0.17.0 // indirect
|
||||
golang.org/x/sys v0.13.0 // indirect
|
||||
golang.org/x/tools v0.13.0 // indirect
|
||||
golang.org/x/mod v0.18.0 // indirect
|
||||
golang.org/x/net v0.27.0 // indirect
|
||||
golang.org/x/sync v0.7.0 // indirect
|
||||
golang.org/x/sys v0.22.0 // indirect
|
||||
golang.org/x/tools v0.22.0 // indirect
|
||||
)
|
||||
|
22
go.sum
22
go.sum
@ -1,10 +1,12 @@
|
||||
github.com/miekg/dns v1.1.57 h1:Jzi7ApEIzwEPLHWRcafCN9LZSBbqQpxjt/wpgvg7wcM=
|
||||
github.com/miekg/dns v1.1.57/go.mod h1:uqRjCRUuEAA6qsOiJvDd+CFo/vW+y5WR6SNmHE55hZk=
|
||||
golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
|
||||
golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
|
||||
golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
|
||||
golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
|
||||
golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
|
||||
golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ=
|
||||
golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
|
||||
github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ=
|
||||
github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ=
|
||||
golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
|
||||
golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
|
||||
golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
|
||||
golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
|
||||
golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
|
||||
golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
|
||||
golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
|
||||
golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
|
||||
golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA=
|
||||
golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=
|
||||
|
Loading…
Reference in New Issue
Block a user