Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    snort (SID 43687) blocks root DNS servers ?!

    Scheduled Pinned Locked Moved IDS/IPS
    35 Posts 3 Posters 6.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • NogBadTheBadN
      NogBadTheBad @chudak
      last edited by

      @chudak

      Exactly, to ping the host it firstly needs to get the IP address.

      1 Reply Last reply Reply Quote 0
      • chudakC
        chudak
        last edited by

        So far it looks like we got no reasonable explanations on what is going on :(

        1 Reply Last reply Reply Quote 0
        • NogBadTheBadN
          NogBadTheBad
          last edited by NogBadTheBad

          Yes you have, a device on your network is trying to resolve a suspicious TLD.

          If you don’t like what snort is blocking disable the rule that’s triggered the alert.

          chudakC 1 Reply Last reply Reply Quote 0
          • chudakC
            chudak @NogBadTheBad
            last edited by

            @nogbadthebad said in snort (SID 43687) blocks root DNS servers ?!:

            Yes you have, a device on your network is trying to resolve a suspicious TLD!

            Why do you say "suspicious" vs legit ?

            Does this look suspicious to you?

            192.5.5.241 which resolves to f.root-servers.net

            1 Reply Last reply Reply Quote 0
            • NogBadTheBadN
              NogBadTheBad
              last edited by NogBadTheBad

              The .topTLD does.

              https://www.spamhaus.org/statistics/tlds/

              Re read the following:-

              https://www.snort.org/rule_docs/1-43687

              It’s not what up the DNS query is being sent to, it’s what is being queried.

              1 Reply Last reply Reply Quote 0
              • chudakC
                chudak
                last edited by

                The end result 192.5.5.241 IP gets blocked.

                So how do you resolve this issue then ?

                I see sometimes with Sid 1-43687 enabled that none of my PCs can resolve any names and even 8.8.8.8 gets blocked!

                1 Reply Last reply Reply Quote 0
                • NogBadTheBadN
                  NogBadTheBad
                  last edited by

                  You need to figure out what host is querying the .top TLD maybe increase the logging level of DNS lookups in pfSense.

                  Do you just run snort on the WAN interface?

                  chudakC 1 Reply Last reply Reply Quote 0
                  • chudakC
                    chudak @NogBadTheBad
                    last edited by

                    @nogbadthebad Yes this is on WAN

                    All queries coming from the pfSense router itself and I force all clients to use pfSense router DNS only.

                    1 Reply Last reply Reply Quote 0
                    • NogBadTheBadN
                      NogBadTheBad
                      last edited by

                      Enable snort on the LAN as well, you’ll see the host pre NAT.

                      Otherwise you just see the WAN address.

                      chudakC 1 Reply Last reply Reply Quote 0
                      • chudakC
                        chudak @NogBadTheBad
                        last edited by

                        @nogbadthebad said in snort (SID 43687) blocks root DNS servers ?!:

                        Enable snort on the LAN as well, you’ll see the host pre NAT.

                        Otherwise you just see the WAN address.

                        I do have LAN enabled as well.
                        Looked thru logs with Destination IP 192.5.5.241 and found none.
                        Which is as I'd expect as no clients can do direct DNS queries.

                        ???

                        NogBadTheBadN 1 Reply Last reply Reply Quote 0
                        • NogBadTheBadN
                          NogBadTheBad @chudak
                          last edited by NogBadTheBad

                          Ah I wonder if your not seeing it on the LAN as the source and destination are contained in $HOME_NET

                          Maybe change the logging level in the DNS Resolver advanced settings.

                          1 Reply Last reply Reply Quote 0
                          • NogBadTheBadN
                            NogBadTheBad
                            last edited by NogBadTheBad

                            Date	Pri	Proto	Class	Source IP	SPort	Destination IP	DPort	SID	Description
                            2018-07-03
                            22:35:13	2	UDP	Potentially Bad Traffic	172.16.2.20
                              	62541	172.16.2.1
                              	53	1:2023883
                              	ET DNS Query to a *.top domain - Likely Hostile
                            

                            But I'm using the ET DNS ruleset.

                            chudakC 1 Reply Last reply Reply Quote 0
                            • NogBadTheBadN
                              NogBadTheBad
                              last edited by

                              This post is deleted!
                              1 Reply Last reply Reply Quote 0
                              • chudakC
                                chudak @NogBadTheBad
                                last edited by

                                @nogbadthebad what command did you run to get it? via ssh assuming?

                                PS: I did change log level to "Query level information" and re-enabled all rules

                                1 Reply Last reply Reply Quote 0
                                • NogBadTheBadN
                                  NogBadTheBad
                                  last edited by

                                  You mean the txt that says ET DNS Query to a *.top domain - Likely Hostile ?

                                  If so that was from Services -> Snort-> Alerts

                                  chudakC 1 Reply Last reply Reply Quote 0
                                  • chudakC
                                    chudak @NogBadTheBad
                                    last edited by

                                    @nogbadthebad
                                    OK

                                    I don't see anything yet on LAN, all only on WAN.

                                    Let's wait :)

                                    NogBadTheBadN 1 Reply Last reply Reply Quote 0
                                    • NogBadTheBadN
                                      NogBadTheBad @chudak
                                      last edited by

                                      @chudak said in snort (SID 43687) blocks root DNS servers ?!:

                                      @nogbadthebad
                                      OK

                                      I don't see anything yet on LAN, all only on WAN.

                                      Let's wait :)

                                      0_1530654459156_Untitled.jpeg

                                      chudakC 1 Reply Last reply Reply Quote 0
                                      • chudakC
                                        chudak @NogBadTheBad
                                        last edited by

                                        @nogbadthebad

                                        0_1530654781856_snort2.png

                                        1 Reply Last reply Reply Quote 0
                                        • NogBadTheBadN
                                          NogBadTheBad
                                          last edited by NogBadTheBad

                                          f.root-servers.net = 192.5.5.241 guessing thats from your WAN interface.

                                          Or your hosts directly query f.root-servers.net

                                          1 Reply Last reply Reply Quote 0
                                          • NogBadTheBadN
                                            NogBadTheBad
                                            last edited by NogBadTheBad

                                            @chudak said in snort (SID 43687) blocks root DNS servers ?!:

                                            43687

                                            Err that rule by default is default disabled:-

                                            0_1530655816916_Untitled.jpeg

                                            0_1530655711176_Untitled.jpeg

                                            Maybe your being a bit over zealous with enabling the rules :)

                                            The two rules do differ slightly as well:-

                                            INDICATOR-COMPROMISE:-
                                            
                                            alert udp $HOME_NET any -> any 53 (msg:"INDICATOR-COMPROMISE Suspicious .top dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|top|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:url,en.wikipedia.org/wiki/.top; classtype:misc-activity; sid:43687; rev:2;)
                                            
                                            Emerging DNS:-
                                            
                                            alert udp $HOME_NET any -> any 53 (msg:"ET DNS Query to a *.top domain - Likely Hostile"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|top|00|"; fast_pattern; nocase; distance:0; threshold:type limit, track by_src, count 1, seconds 30; reference:url,www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2023883; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_07, updated_at 2017_02_07;)
                                            
                                            chudakC 1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.