(name not found)

[stanelie]

Possibly a user error, but I am running both pi.alert and NetAlertX on the same network to evaluate both, and I find I like the features of NetAlertX better, but the name recognition of pi.alert is better.

For example, a Windows device gets it's proper name in pi.alert, but I get (name not found) in NetAlertX, with the default scanning engine ON and Pholus.

What am I doing wrong?

[jokob-sk]

Hi @stanelie ,

NetAlertX is running in a container, so some additional steps might be needed to get the name discovery working. Please check the following docs:

https://github.com/jokob-sk/NetAlertX/blob/main/docs/REVERSE_DNS.md

If the issue is specifically related to Windows devices, try enabling NBTSCAN and NSLOOKUP as they might help with discovering names of Windows devices.

[stanelie]

I am unable to find the docker-compose.yml file on the system where I installed the NetAlertX docker container. Where is this file located?

[stanelie]

I found this helpful bug report with instructions on how to use the docker-compose-yml file for people unfamiliar with it, like me.
#765
Maybe this should be included in the documentation.

However, I am running into an issue :
unable to start container process: error during container init: error mounting "/home/netalertx/compose/config/resolv.conf" to rootfs at "/etc/resolv.conf": mount /home/netalertx/compose/config/resolv.conf:/etc/resolv.conf (via /proc/self/fd/6), flags: 0x5000: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type

I am using the line provided in the documentation :
- ./config/resolv.conf:/etc/resolv.conf

Thoughts?

[stanelie]

I fixed it using a distinct resolv.conf that I put in the config directory, instead of having the docker-compose.yml file point to my /etc/resolv.conf file, as per the documentation. My setup didn't like it.

My current line in docker-compose.yml is
- ./config/resolv.conf:/home/netalertx/resolv.conf

[stanelie]

Update :
I had everything backwards in the docker-compose.yml file.
Here is my current, working docker-compose.yml :

version: "3"
services:
  netalertx:
    container_name: netalertx
    image: "jokobsk/netalertx:latest"
    restart: unless-stopped
    volumes:
      -  /home/netalertx/config:/app/config
      -  /home/netalertx/db:/app/db
      -  /home/netalertx/log:/app/front/log
      -  /home/netalertx/config/resolv.conf:/etc/resolv.conf
    environment:
      - TZ=America/Montreal
      - PORT=80
    ports:
      - "80:80"
    network_mode: host

I will come back here with results concerning the name resolution now that I have a correctly configured resolv.conf file.

[stanelie]

Well,
It didn't work. On pi.alert, a newly connected device got its hostname properly labeled, while I got (name not found) on NetAlertX.
What else can I try?

[jokob-sk]

Hi there,

Can you please confirm that you have enabled the NBTSCAN and NSLOOKUP plugins?

If yes, can you please enable debug and post your log?

[stanelie]

Both plugins are enabled.

Which log do you require? Also, how do I send it to you? I'd rather not post the whole thing here, some info in there is sensitive.
Thanks!

[jokob-sk]

Hi @stanelie ,

Thanks for the logs! You can also send them to netalertx@gmail.com in future.

It seems none of the name recognition plugins seem to return any results.

Can you try to ssh into the container and run the following command?

To ssh into a container run this command on the host (netalertx is the container name):

1. SSH into the container
   sudo docker exec -it netalertx /bin/bash
2. Run this command
   nslookup <IP of Linux host>

This is how the result should look like:

jokob@Synology-NAS:$ sudo docker exec -it netalertx /bin/bash
Password: 
Synology-NAS:/# nslookup 192.168.1.58
58.1.168.192.in-addr.arpa       name = ubuntu.localdomain.

Synology-NAS:/# 

3. Run command nbtscan <IP of win host>

This is how the result should look like:

Synology-NAS:/# nbtscan 192.168.1.121
Doing NBT name scan for addresses from 192.168.1.121

IP address       NetBIOS Name     Server    User             MAC address      
------------------------------------------------------------------------------
192.168.1.121    DESKTOP-DIHOG0E  <server>  <unknown>        <mac>
Synology-NAS:/# 

If results are empty then something might prevent these scans to be executed from teh container. Can you re-post your docker-compose file?

Could you also please share your /resolv.conf file? I would try removing from your docker-compose as a test as well.

[stanelie]

Hello.
The docker-compose.yml file is still the same :

version: "3"
services:
  netalertx:
    container_name: netalertx
    image: "jokobsk/netalertx:latest"
    restart: unless-stopped
    volumes:
      -  /home/netalertx/config:/app/config
      -  /home/netalertx/db:/app/db
      -  /home/netalertx/log:/app/front/log
      -  /home/netalertx/config/resolv.conf:/etc/resolv.conf
    environment:
      - TZ=America/Montreal
      - PORT=80
    ports:
      - "80:80"
    network_mode: host

I am getting answers from the local 127.0.0.53 address, not from the address I configured in my resolv.conf file.

selie@netalertx:~$ nslookup caserne1.caserne
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
Name:	caserne1.caserne
Address: 10.8.0.17

Here is my resolv.conf :

nameserver 10.8.0.1
nameserver 10.8.0.17
options edns0 trust-ad
search .

What else can I do to make the container obey the resolv.conf file?

[jokob-sk]

Hey @stanelie ,

According to ChatGPT you can try the following:

services:
  netalertx:
    container_name: netalertx
    image: "jokobsk/netalertx:latest"
    restart: unless-stopped
    volumes:
      -  /home/netalertx/config:/app/config
      -  /home/netalertx/db:/app/db
      -  /home/netalertx/log:/app/front/log
      -  /home/netalertx/config/resolv.conf:/etc/resolv.conf
    environment:
      - TZ=America/Montreal
      - PORT=80
    network_mode: host
    dns:
      - 10.8.0.1
      - 10.8.0.17

FYI you can remove this part as the container is running on host so port mapping is not required (maybe it could cause issues, but unlikely):

    ports:
      - "80:80"

[stanelie]

nslookup now works within the container.

I will wait a bit to see if I get better results from the scans.

Why is nbtscan not returning anything either?

[jokob-sk]

nbtscan only works on windows hosts - again, I'd recommend you to try step 3 from here in the container to confirm the command is working in the container environment in your setup:

#815 (comment)

[stanelie]

Sorry, I missed that 3rd step.
nbtscan run from within the container does return the correct hostnames.

[jokob-sk]

Could you please post the result and the latest app.log?

…

On Tue, 1 Oct 2024, 23:20 stanelie, ***@***.***> wrote: Sorry, I missed that 3rd step. nbtscan run from within the container does return the correct hostnames. — Reply to this email directly, view it on GitHub <#815 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AW5URDCZCKWWKSWSXUVZOI3ZZKOQXAVCNFSM6AAAAABPDDX25SVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGOBVHAYTENZZGM> . You are receiving this because you commented.Message ID: ***@***.***>

[stanelie]

File sent to your email address. Thanks!

[jokob-sk]

Hi @stanelie ,

Thanks for the file.

The log file shows that the names are indeed not resolved.

Can you please post the terminal log of when you perform the nbtscan in the container? Tehre might be afomatting issue preventing the parsing of the results.

[stanelie]

Hi.
Here is an example :

netalertx:/# nbtscan 10.8.0.19
Doing NBT name scan for addresses from 10.8.0.19

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
10.8.0.19        TS               <server>  <unknown>        00:50:56:9c:b1:55

netalertx:/# nbtscan 10.8.0.17
Doing NBT name scan for addresses from 10.8.0.17

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
10.8.0.17        CASERNE1         <server>  <unknown>        00:50:56:9c:23:cb

[jokob-sk]

Thanks for that,

I checked the IPs in the previously provided app.log and these IPs are not in the log, which means that these hosts are probably already recognized and their names logged:

0 results for:

[NBTSCAN] DEBUG OUTPUT : Doing NBT name scan for addresses from 10.8.0.17

0 results for:

[NBTSCAN] DEBUG OUTPUT : Doing NBT name scan for addresses from 10.8.0.19

Can you give me other examples of running the nbtscan command in the container, where a result is returned, but NetAlertX has no name assigned to the device?

Or, can you give me an example of an IP that had the name resolved in PiAlert but not in NetAlertX?

If you find such an <IP>, can you please try to run and post the results of an nbtscan <IP>, nslookup <IP> and dig +short -x <IP>? Example output:

Synology-NAS:/# dig +short -x 192.168.1.121
DESKTOP-DIHOG0E.localdomain.
Synology-NAS:/# nbtscan 192.168.1.121
Doing NBT name scan for addresses from 192.168.1.121

IP address       NetBIOS Name     Server    User             MAC address      
------------------------------------------------------------------------------
192.168.1.121    DESKTOP-DIHOG0E  <server>  <unknown>        2c:f0:5d:9e:73:2c
Synology-NAS:/# nslookup 192.168.1.121
121.1.168.192.in-addr.arpa      name = DESKTOP-DIHOG0E.localdomain.

You can also try increasing the Pholus plugin timeout (PHOLUS_RUN_TIMEOUT) duration, as it might be able to identify more devices this way (Pholus might be restarting during the run - please observe it when you run it manually - would be great to have an exception log if so - try starting the docker compose without the -d parameter to see an exception):

19:09:02 [Plugins] Convert to Base64: False
19:09:02 [Plugins] Timeout: 300
19:09:02 [Plugin utils] Pre-Resolved CMD: python3/app/front/plugins/pholus_scan/script.pyuserSubnets={subnets}timeoutSec={timeout}
19:09:02 [Plugins] Executing: python3 /app/front/plugins/pholus_scan/script.py userSubnets={subnets} timeoutSec={timeout}
19:09:02 [Plugins] Resolved : ['python3', '/app/front/plugins/pholus_scan/script.py', "userSubnets=b'MTAuOC4wLjAvMjMgLS1pbnRlcmZhY2U9ZW5zMTYw'", 'timeoutSec=300']
19:09:03 [MAIN] Setting up ...
19:09:03 [conf.tz] Setting up ...
19:09:03 
 <-🔴 Restart occurred here, but no exception logged
19:09:03 The backend restarted (started). If this is unexpected check https://bit.ly/NetAlertX_debug for troubleshooting tips.
19:09:03 

19:09:03 Permissions check (All should be True)
19:09:03 ------------------------------------------------

[stanelie]

I think it works now, I deleted a windows device and it got re-detected as a new device, and the hostname was filled correctly.

I will re-test with a non-windows device.

[stanelie]

I got one.

This machine 10.8.1.251 has a correct hostname ("Chunking-Express-3") in pi.alert, but is in NetAlertX

netalertx:/# nbtscan 10.8.1.251
Doing NBT name scan for addresses from 10.8.1.251

IP address       NetBIOS Name     Server    User             MAC address      
------------------------------------------------------------------------------
10.8.1.251       MACBOOKAIR-7892            <unknown>        14:7d:da:46:78:92
netalertx:/# nslookup 10.8.1.251
** server can't find 251.1.8.10.in-addr.arpa: NXDOMAIN

netalertx:/# dig +short -x 10.8.1.251
netalertx:/#

[stanelie]

Here is another one, correctly recognized on pi.alert as MacBook-Air-de-Virginie :

netalertx:/# nbtscan 10.8.0.230
Doing NBT name scan for addresses from 10.8.0.230

IP address       NetBIOS Name     Server    User             MAC address      
------------------------------------------------------------------------------
10.8.0.230       MACBOOKAIR-4EF8            <unknown>        7c:04:d0:ba:4e:f8
netalertx:/# nslookup 10.8.0.230
** server can't find 230.0.8.10.in-addr.arpa: NXDOMAIN
netalertx:/# dig +short -x 10.8.0.230
netalertx:/# 

NetAlertX shows the NetBIOS name instead of the actual hostname.

[leiweibau]

Hello,

I can't explain how NetAlertX works here, but I can make a statement about the way Pi.Alert works. The name resolution takes place in 3 steps. If one step leads to a result, the other steps are omitted.

1st step mDNS
2nd step DNS
3rd step NetBIOS

[stanelie]

mDNS is provided by the Bonjour protocol on Apple devices, correct? Since it comes first before Netbios, it explains why pi.alert gets the correct hostname and NetAlertX does not.

Does NetAlertX scan for mDNS hostnames?

[jokob-sk]

@leiweibau thanks a lot for the help!

@stanelie - can you try enabling the NMAPDEV plugin as well? Not sure if it will help, if not I can create a separate name discovery plugin for mDNS scans based on NMAP or avahi if that works. I looked into mdns-scan but it doesn't provide corresponding IP or MAC entries and doesn't support timeouts (Seems to be flooding the network as well).

[stanelie]

Hum.
I just noticed that nmapdev was enabled, as well as nmap. Maybe they are conflicting? I disabled nmap and I will see how that goes.

[stanelie]

I deleted a mac from NetAlertX and it was re-discovered, but it still shows the NetBIOS name instead of the real hostname, with nmapdev enabled.

[jokob-sk]

hey @stanelie , can you try to pull the latest netalertx-dev image and enable the AVAHISCAN plugin?

[stanelie]

I switched the line to
image: "jokobsk/netalertx-dev:latest"
in docker-compose.yml. I don't think this is correct, I do not see a AVAHISCAN plugin in the list.

What is the correct way to switch to the netalertx-dev image?

[stanelie]

Ah!
I did a docker-compose pull before restarting the container with docker-compose up -d, I am now running the -dev image, Avahi plugin is now available.

I am unfamiliar with Docker, sorry about that.

[jokob-sk]

You are doing great! There is some learning associated with docker, but it opens up a lot of possibilities 🙂 Let me know how the name discovery goes. Enable the plugin in LOADED_PLUGINS and adjust the settings where needed.

[stanelie]

Hello.
I can report that the hostname determination for mac devices is now a lot better.
Thanks a lot!

[jokob-sk]

@stanelie - thanks for the update and testing! :)

[jokob-sk]

released -> closing