(SOLVED) Snort detecting INDICATOR-COMPROMISE suspicious .null DNS query
-
@tman904 said in Snort detecting INDICATOR-COMPROMISE suspicious .null dns query on my WAN:
These dns queries,
What was the query for? Can you not get this info from snort? just saying something.win is not very useful logging.. I can see the alert could be called that, but there should be a log of the actual query done.
-
Is there a way to filter under status dns resolver? Also if the dns request wasn't answered will it not show up in the log?
-
You can tell your resolver to log the queries, but shouldn't snort be saving the packets? And you can view them?
We already went over all of this..
-
if you do what i said ages ago you’ll be able to see what is being looked up with a u2spwefoo.
You could be looking at the logs for ages, DNS is very chatty.
-
I just enabled barnyard2, once I get results I'll run that command. Problem is if it doesn't happen again while running barnyard2. How I'm I suppose to see it? The last time the query for .win happened was April 30th.
-
The mail server was checking domains against spam blacklists. I've confirmed this by matching up timestamps on the server and pfsense.
-
So you were getting mail that said it came from .win and .null domains?
-
The mail server sends DNS queries since it checks the domain name against spam blacklists and If it's on one of the blacklists it rejects the email. Meaning It was the content of the DNS queries that triggered snort, to top it off I put snort on the highest security mode, That combined to create what I thought was a compromised server.
This also explains why I got alerts on the LAN side as those email clients do the same type of checking.
-
Dialing Snort up to the "Security" policy is pretty stringent and just asking for false positives. "Connectivity" is fine the majority of the time, especially for admins new to managing an IPS. "Balanced" is the best policy overall once you get your feet wet with IPS management experience. For the vast majority of business networks, the "Balanced" IPS policy offers plenty of security without running the admin crazy checking out false positive all day long.
-
Thank you for the advice @bmeeks. I'll keep that in mind.