Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    snort (SID 43687) blocks root DNS servers ?!

    Scheduled Pinned Locked Moved IDS/IPS
    35 Posts 3 Posters 6.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • chudakC
      chudak @NogBadTheBad
      last edited by

      @nogbadthebad said in snort (SID 43687) blocks root DNS servers ?!:

      blahblahblah.top

      what's "blahblahblah.top" ? and BTW I did disable SIDs as otherwise all DNS blocked

      NogBadTheBadN 1 Reply Last reply Reply Quote 0
      • NogBadTheBadN
        NogBadTheBad @chudak
        last edited by

        @chudak said in snort (SID 43687) blocks root DNS servers ?!:

        @nogbadthebad said in snort (SID 43687) blocks root DNS servers ?!:

        blahblahblah.top

        what's "blahblahblah.top" ? and BTW I did disable SIDs as otherwise all DNS blocked

        it's just some random FQDN to trigger snort.

        1 Reply Last reply Reply Quote 0
        • chudakC
          chudak
          last edited by

          It looks like
          "1:43687 INDICATOR-COMPROMISE Suspicious .top dns query"

          NogBadTheBadN 1 Reply Last reply Reply Quote 0
          • NogBadTheBadN
            NogBadTheBad @chudak
            last edited by

            @chudak

            Exactly, to ping the host it firstly needs to get the IP address.

            1 Reply Last reply Reply Quote 0
            • chudakC
              chudak
              last edited by

              So far it looks like we got no reasonable explanations on what is going on :(

              1 Reply Last reply Reply Quote 0
              • NogBadTheBadN
                NogBadTheBad
                last edited by NogBadTheBad

                Yes you have, a device on your network is trying to resolve a suspicious TLD.

                If you don’t like what snort is blocking disable the rule that’s triggered the alert.

                chudakC 1 Reply Last reply Reply Quote 0
                • chudakC
                  chudak @NogBadTheBad
                  last edited by

                  @nogbadthebad said in snort (SID 43687) blocks root DNS servers ?!:

                  Yes you have, a device on your network is trying to resolve a suspicious TLD!

                  Why do you say "suspicious" vs legit ?

                  Does this look suspicious to you?

                  192.5.5.241 which resolves to f.root-servers.net

                  1 Reply Last reply Reply Quote 0
                  • NogBadTheBadN
                    NogBadTheBad
                    last edited by NogBadTheBad

                    The .topTLD does.

                    https://www.spamhaus.org/statistics/tlds/

                    Re read the following:-

                    https://www.snort.org/rule_docs/1-43687

                    It’s not what up the DNS query is being sent to, it’s what is being queried.

                    1 Reply Last reply Reply Quote 0
                    • chudakC
                      chudak
                      last edited by

                      The end result 192.5.5.241 IP gets blocked.

                      So how do you resolve this issue then ?

                      I see sometimes with Sid 1-43687 enabled that none of my PCs can resolve any names and even 8.8.8.8 gets blocked!

                      1 Reply Last reply Reply Quote 0
                      • NogBadTheBadN
                        NogBadTheBad
                        last edited by

                        You need to figure out what host is querying the .top TLD maybe increase the logging level of DNS lookups in pfSense.

                        Do you just run snort on the WAN interface?

                        chudakC 1 Reply Last reply Reply Quote 0
                        • chudakC
                          chudak @NogBadTheBad
                          last edited by

                          @nogbadthebad Yes this is on WAN

                          All queries coming from the pfSense router itself and I force all clients to use pfSense router DNS only.

                          1 Reply Last reply Reply Quote 0
                          • NogBadTheBadN
                            NogBadTheBad
                            last edited by

                            Enable snort on the LAN as well, you’ll see the host pre NAT.

                            Otherwise you just see the WAN address.

                            chudakC 1 Reply Last reply Reply Quote 0
                            • chudakC
                              chudak @NogBadTheBad
                              last edited by

                              @nogbadthebad said in snort (SID 43687) blocks root DNS servers ?!:

                              Enable snort on the LAN as well, you’ll see the host pre NAT.

                              Otherwise you just see the WAN address.

                              I do have LAN enabled as well.
                              Looked thru logs with Destination IP 192.5.5.241 and found none.
                              Which is as I'd expect as no clients can do direct DNS queries.

                              ???

                              NogBadTheBadN 1 Reply Last reply Reply Quote 0
                              • NogBadTheBadN
                                NogBadTheBad @chudak
                                last edited by NogBadTheBad

                                Ah I wonder if your not seeing it on the LAN as the source and destination are contained in $HOME_NET

                                Maybe change the logging level in the DNS Resolver advanced settings.

                                1 Reply Last reply Reply Quote 0
                                • NogBadTheBadN
                                  NogBadTheBad
                                  last edited by NogBadTheBad

                                  Date	Pri	Proto	Class	Source IP	SPort	Destination IP	DPort	SID	Description
                                  2018-07-03
                                  22:35:13	2	UDP	Potentially Bad Traffic	172.16.2.20
                                    	62541	172.16.2.1
                                    	53	1:2023883
                                    	ET DNS Query to a *.top domain - Likely Hostile
                                  

                                  But I'm using the ET DNS ruleset.

                                  chudakC 1 Reply Last reply Reply Quote 0
                                  • NogBadTheBadN
                                    NogBadTheBad
                                    last edited by

                                    This post is deleted!
                                    1 Reply Last reply Reply Quote 0
                                    • chudakC
                                      chudak @NogBadTheBad
                                      last edited by

                                      @nogbadthebad what command did you run to get it? via ssh assuming?

                                      PS: I did change log level to "Query level information" and re-enabled all rules

                                      1 Reply Last reply Reply Quote 0
                                      • NogBadTheBadN
                                        NogBadTheBad
                                        last edited by

                                        You mean the txt that says ET DNS Query to a *.top domain - Likely Hostile ?

                                        If so that was from Services -> Snort-> Alerts

                                        chudakC 1 Reply Last reply Reply Quote 0
                                        • chudakC
                                          chudak @NogBadTheBad
                                          last edited by

                                          @nogbadthebad
                                          OK

                                          I don't see anything yet on LAN, all only on WAN.

                                          Let's wait :)

                                          NogBadTheBadN 1 Reply Last reply Reply Quote 0
                                          • NogBadTheBadN
                                            NogBadTheBad @chudak
                                            last edited by

                                            @chudak said in snort (SID 43687) blocks root DNS servers ?!:

                                            @nogbadthebad
                                            OK

                                            I don't see anything yet on LAN, all only on WAN.

                                            Let's wait :)

                                            0_1530654459156_Untitled.jpeg

                                            chudakC 1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.