sa-dmarc's People

Contributors

aholzel

sa-dmarc's Issues

TA-dmarc Field Mappings

The indexed fields for my default TA-dmarc installation are not aligning with the SA-dmarc dashboard queries. As an example, my events have fields like the following (almost everything is under the "feedback" key):

feedback{}.policy_published.adkim
feedback{}.policy_published.aspf
feedback{}.policy_published.domain
feedback{}.policy_published.fo
feedback{}.policy_published.p
feedback{}.policy_published.pct
feedback{}.policy_published.sp

for which the fields being searched are "published_adkim", "published_p", "published_aspf", etc.

IP-addresses in spf_mailservers.csv should be postfixed

Splunk will not match an IP address against an IP address in spf_mailservers.csv, as an IP address is not a CIDR value. In case an IP address is found ("ip4:") in the SPF record, the value written to the CSV file should be postfixed with "/32" to make it a CIDR value.

lookups not being populated

Hi @aholzel,
can you clarify something for me please? I have my app set up and running, however I have some issues.

  • The lookups (dmarc_email_domains.csv and spf_resolving_filters.csv) are not being populated.
  • All my SPF alignments in the overview dashboard are unaligned.

Steps I did:
I've enabled the
I've downloaded SA-CIM and added my domain to the lookup cim_corporate_email_domains.csv
Now, running the following:
|dmarc_domains("domain, spf_lookup_script")``
I have a table with my domain, and spf_lookup_script=false.
The dmarc_spf_check.py is running but it seems to be doing nothing, as I only have this output in the logs:
2020-08-20 17:40:00,297 loglevel=DEBUG file=dmarc_spf_check.py line=63 message="Splunk SessionKey provided by stdin"
2020-08-20 17:45:00,335 loglevel=DEBUG file=dmarc_spf_check.py line=63 message="Splunk SessionKey provided by stdin"
2020-08-20 17:50:00,310 loglevel=DEBUG file=dmarc_spf_check.py line=63 message="Splunk SessionKey provided by stdin"
2020-08-20 17:55:00,298 loglevel=DEBUG file=dmarc_spf_check.py line=63 message="Splunk SessionKey provided by stdin"
2020-08-20 18:00:00,270 loglevel=DEBUG file=dmarc_spf_check.py line=63 message="Splunk SessionKey provided by stdin"

Can you tell me what I might be doing wrong?

IP addresses written to the list should be prefixed with ip4:

On resolving MX records some IP addresses can be found. If those are appended to the list, the function will consider them 'Unknown' records. To recognise them as an IP address, they can be prefixed with 'ip4:' and they will be handled correctly.

vetting rejected while installing in Splunk Cloud

Hi,

I am trying to install the released version on Splunk Cloud but the vetting is rejected.
Can you please advise on these issues?

[ Failure Summary ]
Failures will block the Cloud Vetting. They must be fixed.
check_for_bin_files
This file has execute permissions for owners, groups, or others. File: logs/SA-dmarc.log
This file has execute permissions for owners, groups, or others. File: default/data/ui/views/dmarc_overview.xml
This file has execute permissions for owners, groups, or others. File: lookups/spf_resolving_filter.csv
This file has execute permissions for owners, groups, or others. File: CHANGELOG.md
This file has execute permissions for owners, groups, or others. File: default/data/ui/views/spf_resolving.xml
This file has execute permissions for owners, groups, or others. File: LICENSE
This file has execute permissions for owners, groups, or others. File: default/savedsearches.conf
This file has execute permissions for owners, groups, or others. File: lookups/spf_mailservers.csv
This file has execute permissions for owners, groups, or others. File: default/data/ui/nav/default.xml
This file has execute permissions for owners, groups, or others. File: default/transforms.conf
This file has execute permissions for owners, groups, or others. File: default/sa-dmarc.conf
This file has execute permissions for owners, groups, or others. File: default/app.conf
This file has execute permissions for owners, groups, or others. File: default/data/ui/views/rfc_info_dmarc.xml
This file has execute permissions for owners, groups, or others. File: default/data/ui/views/dmarc_mails_by_source_results.xml
This file has execute permissions for owners, groups, or others. File: default/inputs.conf
This file has execute permissions for owners, groups, or others. File: metadata/default.meta
This file has execute permissions for owners, groups, or others. File: default/data/ui/views/rfc_info_spf.xml
This file has execute permissions for owners, groups, or others. File: lookups/dmarc_email_domains.csv
This file has execute permissions for owners, groups, or others. File: default/macros.conf
This file has execute permissions for owners, groups, or others. File: default/props.conf
This file has execute permissions for owners, groups, or others. File: README.md
This file has execute permissions for owners, groups, or others. File: default/data/ui/views/dmarc_cluster_map.xml
This file has execute permissions for owners, groups, or others. File: default/data/ui/views/dmarc_and_spf_dns_help.xml
check_for_compiled_python
A Compiled Python file was detected. File: bin/splunklib/__pycache__/binding.cpython-37.pyc
A Compiled Python file was detected. File: bin/splunklib/__pycache__/__init__.cpython-37.pyc
A Compiled Python file was detected. File: bin/splunklib/__pycache__/six.cpython-37.pyc
A Compiled Python file was detected. File: bin/splunklib/__pycache__/data.cpython-37.pyc
A Compiled Python file was detected. File: bin/splunklib/__pycache__/client.cpython-37.pyc
check_that_directory_name_matches_package_id
The app.conf [package] stanza does not exist. Please disable check_for_updates or set the id property in the [package] stanza. File: default/app.conf
check_reload_trigger_for_all_custom_confs
App contains custom conf(s) ['sa-dmarc.conf'] but does not have a [triggers] stanza in app.conf. Without a reload trigger the app will request a restart on any change to the conf file, which may be a negative experience for end-users.
check_simplexml_standards_version
Change the version attribute in the root node of your Simple XML dashboard default/data/ui/views/dmarc_mails_by_source_results.xml to <version=1.1>. Earlier dashboard versions introduce security vulnerabilities into your apps and are not permitted in Splunk Cloud File: default/data/ui/views/dmarc_mails_by_source_results.xml
Change the version attribute in the root node of your Simple XML dashboard default/data/ui/views/dmarc_and_spf_dns_help.xml to <version=1.1>. Earlier dashboard versions introduce security vulnerabilities into your apps and are not permitted in Splunk Cloud File: default/data/ui/views/dmarc_and_spf_dns_help.xml
Change the version attribute in the root node of your Simple XML dashboard default/data/ui/views/dmarc_overview.xml to <version=1.1>. Earlier dashboard versions introduce security vulnerabilities into your apps and are not permitted in Splunk Cloud File: default/data/ui/views/dmarc_overview.xml
Change the version attribute in the root node of your Simple XML dashboard default/data/ui/views/spf_resolving.xml to <version=1.1>. Earlier dashboard versions introduce security vulnerabilities into your apps and are not permitted in Splunk Cloud File: default/data/ui/views/spf_resolving.xml
Change the version attribute in the root node of your Simple XML dashboard default/data/ui/views/rfc_info_spf.xml to <version=1.1>. Earlier dashboard versions introduce security vulnerabilities into your apps and are not permitted in Splunk Cloud File: default/data/ui/views/rfc_info_spf.xml
Change the version attribute in the root node of your Simple XML dashboard default/data/ui/views/dmarc_cluster_map.xml to <version=1.1>. Earlier dashboard versions introduce security vulnerabilities into your apps and are not permitted in Splunk Cloud File: default/data/ui/views/dmarc_cluster_map.xml
Change the version attribute in the root node of your Simple XML dashboard default/data/ui/views/rfc_info_dmarc.xml to <version=1.1>. Earlier dashboard versions introduce security vulnerabilities into your apps and are not permitted in Splunk Cloud File: default/data/ui/views/rfc_info_dmarc.xml

A record resolving can also return multiple addresses

For MX records there is handling for multiple results. The same should apply to the lookup of 'A' records, as multiple addresses can be returned there too. Currently the function only seems to use the second address returned.
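The three SPF lookup issues above (bare IP addresses needing a "/32" postfix to be CIDR values, resolved addresses needing an "ip4:" prefix so they are not treated as 'Unknown', and A records returning several addresses) can all be handled in one small expansion routine. This is an added illustration, not code from sa-dmarc or its dmarc_spf_check.py; the DNS answers are a constructed dictionary standing in for real lookups, and the function, table and CSV format are assumptions rather than the project's own.

```python
import ipaddress

# Constructed DNS answers standing in for real lookups (assumption: the real
# dmarc_spf_check.py resolves these itself; a dict keeps this example offline).
FAKE_DNS = {
    ("example.org", "MX"): ["mx1.example.org", "mx2.example.org"],
    ("mx1.example.org", "A"): ["192.0.2.10", "192.0.2.11"],  # several A records
    ("mx2.example.org", "A"): ["198.51.100.5"],
    ("example.org", "A"): ["203.0.113.7", "203.0.113.8"],
    ("example.org", "AAAA"): ["2001:db8::25"],
}


def resolve(name, rrtype):
    """Return every answer for (name, rrtype), never just the first or second one."""
    return list(FAKE_DNS.get((name, rrtype), []))


def to_cidr(value):
    """Normalise a bare IP or a prefix to CIDR so a Splunk CIDR lookup can match it
    (192.0.2.1 -> 192.0.2.1/32, 2001:db8::1 -> 2001:db8::1/128)."""
    return str(ipaddress.ip_network(value, strict=False))


def address_term(addr):
    """Tag a resolved address as an SPF ip4:/ip6: term so it is not classed 'Unknown'."""
    prefix = "ip4:" if ipaddress.ip_address(addr).version == 4 else "ip6:"
    return prefix + addr


def expand_spf(domain, record):
    """Return (cidrs, unknown_terms) for the ip4/ip6/a/mx terms of one SPF record."""
    queue = record.split()
    cidrs, unknown = [], []
    while queue:
        term = queue.pop(0).lstrip("+-~?")  # drop the SPF qualifier
        if term.startswith("v=") or term == "all":
            continue
        if term.startswith(("ip4:", "ip6:")):
            cidrs.append(to_cidr(term.split(":", 1)[1]))
        elif term == "a" or term.startswith("a:"):
            host = term[2:] or domain
            queue.extend(address_term(a) for a in resolve(host, "A") + resolve(host, "AAAA"))
        elif term == "mx" or term.startswith("mx:"):
            host = term[3:] or domain
            for mx in resolve(host, "MX"):
                queue.extend(address_term(a) for a in resolve(mx, "A") + resolve(mx, "AAAA"))
        else:
            unknown.append(term)  # include:, redirect=, exists: are out of scope here
    return cidrs, unknown
```

Every entry in the returned list is already in CIDR form, so it can be written to a lookup such as spf_mailservers.csv without further postfixing.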

Enhancements for this project

Hello everyone,

I used this SA and it is working quite well! Thank you for this huge project!

I would like to know if it is possible, in the view "DMARC overview", to have two new multiselect inputs which would allow selecting DKIM Alignment and SPF Alignment (these 2 fields are calculated and printed as columns in the second search of the view), but it is not possible yet to filter on them as tokens.

I spent several hours trying to reach what I am asking for now, without success.

If anyone has any idea/XML to import.

Thank you in advance :)
