Troubleshooting issues with the Dirty Line on Malware Analysis appliances
Last Updated September 18, 2017
The IVM appears to use the back end interface settings instead of the dirty line for task processing.
Running URL task processing for 'whaismyip.com' shows an error reaching the destination server.
The dirty line has been configured, but it is unclear whether it is actually being used for task processing.
Make sure the Firewall configuration setting is set to Limited for both Active and URL submissions.
Use eth1 as the interface name for the dirty line interface, and do not change this setting to another interface.
Confirm that no IVM profile has been customized. If one has, rebuild the profile.
Make sure the default browser inside the IVM profile used for URL testing is not configured with a proxy setting (for example, a proxy IP in the same subnet as the back end IP).
Ensure that the external firewall/router is not blocking the dirty interface from reaching the Internet.
Note that when configuring via System Settings / Network / Internet Settings, the dirty line is only used when executing samples or URLs and the firewall selected for the task is not the isolated firewall. It is very helpful to know your external IP address for both the dirty line and the back end Internet connection when running these tests.
For testing, use a web page URL that shows your external IP address. This both confirms connectivity and shows that the right Internet connection is being used. To get fast results without waiting, do not send files to MAA via Security Analytics, the Content Analysis System, or other automated methods.
This example uses http://checkip.dyndns.org for URL task processing:
Monitoring the dirty line connection
Connect to the MA Appliance via SSH using the g2 user.
i. Be sure to select the pre-configured "limited" firewall on the "basic" tab.
ii. Watch the tcpdump output in the ssh terminal. It should look like this:
root@mag2:~# tcpdump -vv -i eth1 | grep -i "dyndns.org"
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
192.168.1.100.56478 > google-public-dns-a.google.com.domain: [udp sum ok] 42001+ A? checkip.dyndns.org. (36)
google-public-dns-a.google.com.domain > 192.168.1.100.56478: [udp sum ok] 42001 q: A? checkip.dyndns.org. 4/0/0 checkip.dyndns.org. CNAME checkip.dyndns.com., checkip.dyndns.com. A 18.104.22.168, checkip.dyndns.com. A 22.214.171.124, checkip.dyndns.com. A 126.96.36.199 (116)
iii. When the task is complete, abort tcpdump using CTRL+C.
iv. Check the task report. It should contain a screenshot with the external IP address.
v. If you do not get the expected output, recheck the points provided in this solution.
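As an added example (not part of the original article), a small Python filter that can stand in for the grep in step ii: it reads the tcpdump -vv output from the dirty interface and reports whether the test domain's DNS query and answer were seen there. The sample lines embedded below are constructed from the output shown above; the script name and the use of tcpdump's -l (line-buffered) flag are assumptions.

```python
#!/usr/bin/env python3
"""Report whether a URL task's DNS lookup crossed the dirty interface.
Usage on the appliance (assumed script name):
    tcpdump -vv -l -i eth1 | python3 check_dirty_line.py checkip.dyndns.org
With no piped input it runs against the constructed sample lines below."""
import re
import sys

# "A? name." is how tcpdump -vv prints an A-record question.
QUERY_RE = re.compile(r"\bA\?\s+(?P<name>[\w.-]+)\.")
# "name. A 1.2.3.4" is one A record in the answer section of a reply.
ANSWER_RE = re.compile(r"(?P<name>[\w.-]+)\.\s+A\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample capture, based on the tcpdump output shown in the article.
SAMPLE_LINES = [
    "tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes",
    "192.168.1.100.56478 > google-public-dns-a.google.com.domain: [udp sum ok] "
    "42001+ A? checkip.dyndns.org. (36)",
    "google-public-dns-a.google.com.domain > 192.168.1.100.56478: [udp sum ok] 42001 q: "
    "A? checkip.dyndns.org. 4/0/0 checkip.dyndns.org. CNAME checkip.dyndns.com., "
    "checkip.dyndns.com. A 18.104.22.168, checkip.dyndns.com. A 22.214.171.124, "
    "checkip.dyndns.com. A 126.96.36.199 (116)",
]

def dns_evidence(lines, domain):
    """Return {'queried': bool, 'answers': [ip, ...]} for lines that mention domain."""
    queried, answers = False, []
    for line in lines:
        if domain not in line:
            continue
        if " q: " in line:            # reply: echoed question plus answer records
            answers.extend(m.group("ip") for m in ANSWER_RE.finditer(line))
        elif QUERY_RE.search(line):   # outbound query from the IVM
            queried = True
    return {"queried": queried, "answers": answers}

def dirty_line_used(lines, domain):
    """True only if the query left via this interface and an answer came back on it."""
    ev = dns_evidence(lines, domain)
    return ev["queried"] and bool(ev["answers"])

if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "checkip.dyndns.org"
    lines = []
    try:
        for line in (sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES):
            lines.append(line)
    except KeyboardInterrupt:         # CTRL+C ends tcpdump and this filter together
        pass
    ev = dns_evidence(lines, domain)
    print(f"{domain}: queried={ev['queried']} answers={ev['answers']}")
    print("dirty line carried the lookup" if dirty_line_used(lines, domain)
          else "no lookup for the test domain seen on this interface")
```

If the lookup is absent here but the task still completes, the IVM resolved and fetched the URL over the back end interface, which is exactly the misconfiguration the checklist above is meant to catch.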
Please provide the support package from https://<MAA IP>/support
Imported Document ID: 000030468