snort (SID 43687) blocks root DNS servers ?!

chudak

@nogbadthebad said in snort (SID 43687) blocks root DNS servers ?!:

blahblahblah.top

what's "blahblahblah.top" ? and BTW I did disable SIDs as otherwise all DNS blocked

NogBadTheBad

@chudak said in snort (SID 43687) blocks root DNS servers ?!:

@nogbadthebad said in snort (SID 43687) blocks root DNS servers ?!:

blahblahblah.top

what's "blahblahblah.top" ? and BTW I did disable SIDs as otherwise all DNS blocked

it's just some random FQDN to trigger snort.

chudak

It looks like
"1:43687 INDICATOR-COMPROMISE Suspicious .top dns query"

NogBadTheBad

@chudak

Exactly, to ping the host it firstly needs to get the IP address.

chudak

So far it looks like we got no reasonable explanations on what is going on :(

NogBadTheBad

Yes you have, a device on your network is trying to resolve a suspicious TLD.

If you don’t like what snort is blocking disable the rule that’s triggered the alert.

chudak

@nogbadthebad said in snort (SID 43687) blocks root DNS servers ?!:

Yes you have, a device on your network is trying to resolve a suspicious TLD!

Why do you say "suspicious" vs legit ?

Does this look suspicious to you?

192.5.5.241 which resolves to f.root-servers.net

NogBadTheBad

The .topTLD does.

https://www.spamhaus.org/statistics/tlds/

Re read the following:-

https://www.snort.org/rule_docs/1-43687

It’s not what up the DNS query is being sent to, it’s what is being queried.

chudak

The end result 192.5.5.241 IP gets blocked.

So how do you resolve this issue then ?

I see sometimes with Sid 1-43687 enabled that none of my PCs can resolve any names and even 8.8.8.8 gets blocked!

NogBadTheBad

You need to figure out what host is querying the .top TLD maybe increase the logging level of DNS lookups in pfSense.

Do you just run snort on the WAN interface?

chudak

@nogbadthebad Yes this is on WAN

All queries coming from the pfSense router itself and I force all clients to use pfSense router DNS only.

NogBadTheBad

Enable snort on the LAN as well, you’ll see the host pre NAT.

Otherwise you just see the WAN address.

chudak

@nogbadthebad said in snort (SID 43687) blocks root DNS servers ?!:

Enable snort on the LAN as well, you’ll see the host pre NAT.

Otherwise you just see the WAN address.

I do have LAN enabled as well.
Looked thru logs with Destination IP 192.5.5.241 and found none.
Which is as I'd expect as no clients can do direct DNS queries.

???

NogBadTheBad

Ah I wonder if your not seeing it on the LAN as the source and destination are contained in $HOME_NET

Maybe change the logging level in the DNS Resolver advanced settings.

NogBadTheBad

Date	Pri	Proto	Class	Source IP	SPort	Destination IP	DPort	SID	Description
2018-07-03
22:35:13	2	UDP	Potentially Bad Traffic	172.16.2.20
  	62541	172.16.2.1
  	53	1:2023883
  	ET DNS Query to a *.top domain - Likely Hostile

But I'm using the ET DNS ruleset.

NogBadTheBad

This post is deleted!

chudak

@nogbadthebad what command did you run to get it? via ssh assuming?

PS: I did change log level to "Query level information" and re-enabled all rules

NogBadTheBad

You mean the txt that says ET DNS Query to a *.top domain - Likely Hostile ?

If so that was from Services -> Snort-> Alerts

chudak

@nogbadthebad
OK

I don't see anything yet on LAN, all only on WAN.

Let's wait :)

NogBadTheBad

@chudak said in snort (SID 43687) blocks root DNS servers ?!:

@nogbadthebad
OK

I don't see anything yet on LAN, all only on WAN.

Let's wait :)