Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    snort (SID 43687) blocks root DNS servers ?!

    Scheduled Pinned Locked Moved IDS/IPS
    35 Posts 3 Posters 6.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • chudakC
      chudak @NogBadTheBad
      last edited by

      @nogbadthebad not sure what you mean...

      I did submit false positives for 43687 and 39867, but not sure what's next.

      1 Reply Last reply Reply Quote 0
      • NogBadTheBadN
        NogBadTheBad
        last edited by

        If you read the web page I linked, something on your network has tried to lookup something who's FQDN ends in .top

        Just to prove it do a ping blahblahblah.top from your pc.

        chudakC 1 Reply Last reply Reply Quote 0
        • chudakC
          chudak @NogBadTheBad
          last edited by

          @nogbadthebad said in snort (SID 43687) blocks root DNS servers ?!:

          blahblahblah.top

          what's "blahblahblah.top" ? and BTW I did disable SIDs as otherwise all DNS blocked

          NogBadTheBadN 1 Reply Last reply Reply Quote 0
          • NogBadTheBadN
            NogBadTheBad @chudak
            last edited by

            @chudak said in snort (SID 43687) blocks root DNS servers ?!:

            @nogbadthebad said in snort (SID 43687) blocks root DNS servers ?!:

            blahblahblah.top

            what's "blahblahblah.top" ? and BTW I did disable SIDs as otherwise all DNS blocked

            it's just some random FQDN to trigger snort.

            1 Reply Last reply Reply Quote 0
            • chudakC
              chudak
              last edited by

              It looks like
              "1:43687 INDICATOR-COMPROMISE Suspicious .top dns query"

              NogBadTheBadN 1 Reply Last reply Reply Quote 0
              • NogBadTheBadN
                NogBadTheBad @chudak
                last edited by

                @chudak

                Exactly, to ping the host it firstly needs to get the IP address.

                1 Reply Last reply Reply Quote 0
                • chudakC
                  chudak
                  last edited by

                  So far it looks like we got no reasonable explanations on what is going on :(

                  1 Reply Last reply Reply Quote 0
                  • NogBadTheBadN
                    NogBadTheBad
                    last edited by NogBadTheBad

                    Yes you have, a device on your network is trying to resolve a suspicious TLD.

                    If you don’t like what snort is blocking disable the rule that’s triggered the alert.

                    chudakC 1 Reply Last reply Reply Quote 0
                    • chudakC
                      chudak @NogBadTheBad
                      last edited by

                      @nogbadthebad said in snort (SID 43687) blocks root DNS servers ?!:

                      Yes you have, a device on your network is trying to resolve a suspicious TLD!

                      Why do you say "suspicious" vs legit ?

                      Does this look suspicious to you?

                      192.5.5.241 which resolves to f.root-servers.net

                      1 Reply Last reply Reply Quote 0
                      • NogBadTheBadN
                        NogBadTheBad
                        last edited by NogBadTheBad

                        The .topTLD does.

                        https://www.spamhaus.org/statistics/tlds/

                        Re read the following:-

                        https://www.snort.org/rule_docs/1-43687

                        It’s not what up the DNS query is being sent to, it’s what is being queried.

                        1 Reply Last reply Reply Quote 0
                        • chudakC
                          chudak
                          last edited by

                          The end result 192.5.5.241 IP gets blocked.

                          So how do you resolve this issue then ?

                          I see sometimes with Sid 1-43687 enabled that none of my PCs can resolve any names and even 8.8.8.8 gets blocked!

                          1 Reply Last reply Reply Quote 0
                          • NogBadTheBadN
                            NogBadTheBad
                            last edited by

                            You need to figure out what host is querying the .top TLD maybe increase the logging level of DNS lookups in pfSense.

                            Do you just run snort on the WAN interface?

                            chudakC 1 Reply Last reply Reply Quote 0
                            • chudakC
                              chudak @NogBadTheBad
                              last edited by

                              @nogbadthebad Yes this is on WAN

                              All queries coming from the pfSense router itself and I force all clients to use pfSense router DNS only.

                              1 Reply Last reply Reply Quote 0
                              • NogBadTheBadN
                                NogBadTheBad
                                last edited by

                                Enable snort on the LAN as well, you’ll see the host pre NAT.

                                Otherwise you just see the WAN address.

                                chudakC 1 Reply Last reply Reply Quote 0
                                • chudakC
                                  chudak @NogBadTheBad
                                  last edited by

                                  @nogbadthebad said in snort (SID 43687) blocks root DNS servers ?!:

                                  Enable snort on the LAN as well, you’ll see the host pre NAT.

                                  Otherwise you just see the WAN address.

                                  I do have LAN enabled as well.
                                  Looked thru logs with Destination IP 192.5.5.241 and found none.
                                  Which is as I'd expect as no clients can do direct DNS queries.

                                  ???

                                  NogBadTheBadN 1 Reply Last reply Reply Quote 0
                                  • NogBadTheBadN
                                    NogBadTheBad @chudak
                                    last edited by NogBadTheBad

                                    Ah I wonder if your not seeing it on the LAN as the source and destination are contained in $HOME_NET

                                    Maybe change the logging level in the DNS Resolver advanced settings.

                                    1 Reply Last reply Reply Quote 0
                                    • NogBadTheBadN
                                      NogBadTheBad
                                      last edited by NogBadTheBad

                                      Date	Pri	Proto	Class	Source IP	SPort	Destination IP	DPort	SID	Description
                                      2018-07-03
                                      22:35:13	2	UDP	Potentially Bad Traffic	172.16.2.20
                                        	62541	172.16.2.1
                                        	53	1:2023883
                                        	ET DNS Query to a *.top domain - Likely Hostile
                                      

                                      But I'm using the ET DNS ruleset.

                                      chudakC 1 Reply Last reply Reply Quote 0
                                      • NogBadTheBadN
                                        NogBadTheBad
                                        last edited by

                                        This post is deleted!
                                        1 Reply Last reply Reply Quote 0
                                        • chudakC
                                          chudak @NogBadTheBad
                                          last edited by

                                          @nogbadthebad what command did you run to get it? via ssh assuming?

                                          PS: I did change log level to "Query level information" and re-enabled all rules

                                          1 Reply Last reply Reply Quote 0
                                          • NogBadTheBadN
                                            NogBadTheBad
                                            last edited by

                                            You mean the txt that says ET DNS Query to a *.top domain - Likely Hostile ?

                                            If so that was from Services -> Snort-> Alerts

                                            chudakC 1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.