• Forums
    • Public Forums
      • Community Connect
      • Dynatrace
        • Dynatrace Open Q&A
      • Application Monitoring & UEM
        • AppMon & UEM Open Q&A
      • Network Application Monitoring
        • NAM Open Q&A
  • Home /
  • Public Forums /
  • Dynatrace /
  • Dynatrace Open Q&A /
avatar image
Question by Greg B. · Oct 29, 2014 at 08:11 PM · auto-detection

Rogue applications?

Hi,

I have several applications listing in my monitoring that I would not necessarily consider mine (like bing.com, google.com etc). How are those detected? Are they from links on a configured application?

Comment

People who like this

0 Show 0
10 |2000000 characters needed characters left characters exceeded
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 10 attachments (including images) can be used with a maximum of 50.0 MiB each and 250.0 MiB total.

5 Replies

  • Sort: 
  • Most voted
  • Newest
  • Oldest
avatar image
Best Answer

Answer by Alexander S. · Oct 30, 2014 at 08:36 AM

Hi Greg,

Applications are detected either automatically by http headers or if the customer creates a detection rule by an URL pattern. The URL pattern rules are always considered first.

Auto detection (current version): By default ruxit checks the host, the x-forwarded-for or the x-host header for the "real" domain name - which is then used as the application name. Other headers could be defined in the global settings -> real user monitoring -> applications, look for "Identify domain names using HTTP request headers".

If ruxit picks up a new header value (new domain) it makes some checks before the application will be treated as application candidate, here are some examples:

  • header must be valid according the specification
  • response code must be valid: 200
  • known robots and crawlers are ignored for new applications
  • and some more ...

When this checks are passed the new domain is an application candidate and the javascript tag will be injected. Only if a monitor signal from the javascript tag for that application is finding it's way to ruxit, then this application will be a real application and shows up in the list.

Previous versions: unfortunately we don't had all the additional checks in previous versions. So most of the "www.google.com" applications are because we did a bad job on the auto detection. These apps are created because someone has send to your IP a http request with "www.google.com" in the host header. This is done to check if there is an open proxy. More info: http://meatballwiki.org/wiki/OpenProxy

With one of the next releases we will clean up the application lists and will remove all this false detected applications. For now it is the best way to just disable real user monitoring for them. If you still see new "false" detected application, please send me a note or open a support ticket, so that we can take a closer look.

Alex

Comment
John R.

People who like this

1 Show 2 · Share
10 |2000000 characters needed characters left characters exceeded
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 10 attachments (including images) can be used with a maximum of 50.0 MiB each and 250.0 MiB total.

avatar image Safia H. ♦ · Nov 10, 2014 at 01:33 PM 0
Share

Hey Alex,

Will this cleanup even include the merging of www.domain-name.com and domain-name.com? I see that they are listed as two different applications now.

avatar image Alexander S. ♦ Safia H. ♦ · Nov 10, 2014 at 04:21 PM 0
Share

No, this is will not happen. If you don't have a redirect for either www.domain-name.com or domain-name.com (which should be done to eliminate the duplicated content problem with google) we will not merge these apps. If one of this hosts works with a redirect, we will not detect it as a separate application.

So without redirect you can create a custom rule matching the domain patter: domain-name.com.

avatar image

Answer by Greg B. · Nov 20, 2014 at 09:42 PM

it looks like the list is cleaned up now! unfortunately it also looks like the cleanup might have been too aggressive as a few of my real sites have also disappeared from the application list. what was the fix that was put in place for this? thanks!

Comment

People who like this

0 Show 1 · Share
10 |2000000 characters needed characters left characters exceeded
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 10 attachments (including images) can be used with a maximum of 50.0 MiB each and 250.0 MiB total.

avatar image Alexander S. ♦ · Nov 21, 2014 at 06:34 AM 0
Share

After 72 hours auto detected applications will be hidden, but with appear again immediately with the first user action.

avatar image

Answer by Mike G. · Oct 29, 2014 at 08:54 PM

Thanks Greg. We'll get you an answer. I'm sure this will benefit the whole community

Comment

People who like this

0 Show 1 · Share
10 |2000000 characters needed characters left characters exceeded
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 10 attachments (including images) can be used with a maximum of 50.0 MiB each and 250.0 MiB total.

avatar image Stefan S. · Oct 29, 2014 at 09:08 PM 0
Share

this might indicate a probe for an open proxy - e.g. apache. what happens is that a script asks the apache to retrieve a different page for it (in these cases google / bing ...)

If that's the case this would be visible in the webserver logs as failed requests to these sites.

Not sure if / how that can be disabled - will need R&D here.

avatar image

Answer by Greg B. · Oct 29, 2014 at 08:35 PM

yep, see attached. I had been disabling them and ignoring, but the last one showed up today and it looks like it might be a malware site, so trying to understand how the detection works (to see if we have an issue!)


capture.png (120.7 KiB)
Comment

People who like this

0 Show 0 · Share
10 |2000000 characters needed characters left characters exceeded
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 10 attachments (including images) can be used with a maximum of 50.0 MiB each and 250.0 MiB total.

avatar image

Answer by Mike G. · Oct 29, 2014 at 08:24 PM

@Greg Birdwell

Any chance you can attach a picture? I'm having a tough time envisioning what you are describing.

Thanks!

Comment

People who like this

0 Show 0 · Share
10 |2000000 characters needed characters left characters exceeded
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 10 attachments (including images) can be used with a maximum of 50.0 MiB each and 250.0 MiB total.

How to get started

First steps in the forum
Read Community User Guide
Best practices of using forum

NAM 2019 SP5 is available


Check the RHEL support added in the latest NAM service pack.

Learn more

LIVE WEBINAR

"Performance Clinic - Monitoring as a Self Service with Dynatrace"


JANUARY 15, 3:00 PM GMT / 10:00 AM ET

Register here

Follow this Question

Answers Answers and Comments

18 People are following this question.

avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image

Related Questions

Would Agentless Monitoring Conflict with Standard Monitoring (OneAgent standard installation in web server)?

Monitoring Oracle Unified Directory & Oracle Internet Directory

OneAgent not capturing the User sessions?

Custom Service Detection based on Java Annotation

OneAgent does not see haproxy (socket mode stats)

Forum Tags

mobile monitoring dotnet iis chat kubernetes servicenow amazon web services feedback mysql mainframe application rules rest api cassandra dashboard oneagent sdk cmc application monitoring openkit smartscape request attributes monitoring developer community user tagging log monitoring services ufo activegate auto-detection high five award uem webserver usql iib test automation license ios news migration management zones ibm mq web services notifications sso host monitoring knowledge sharing reports browser monitors java hybris sap vmware maintenance window user action naming javascript appmon ai availability tipstricks automation extensions diagnostic tools session replay permissions search davis assistant auto-update faq documentation problem detection http monitors easytravel apdex network docker tags and metadata cloud foundry google cloud platform synthetic monitoring process groups account usability dynatrace saas gui paas openshift key user actions administration production user actions postgresql synthetic locations upgrade oneagent security Dynatrace Managed user management python technologies mongodb openstack user session monitoring continuous delivery citrix configuration alerting performance monitoring NGINX action naming linux nam installation error reporting database mission control apache mobileapp RUM php azure purepath davis scripting aix nodejs android
  • Forums
  • Public Forums
    • Community Connect
    • Dynatrace
      • Dynatrace Open Q&A
    • Application Monitoring & UEM
      • AppMon & UEM Open Q&A
    • Network Application Monitoring
      • NAM Open Q&A