Netgate Discussion Forum
    Help me with this snort alert: Potential DNS Cache Poisoning Attempt

mctad:

      2016-11-16 20:44:11 2 UDP Attempted Information Leak 216.239.36.10 53 192.168.1.11  62464 3:21355  PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid

I've got pfSense 2.3.2 running Snort on a small corporate network. I more or less just got it up and running and cleaned up all the obvious issues. Anyway, this alert came up last night at 9pm when I'm fairly certain no one was here (and more or less the same one popped up again at midnight-ish, twice). I'm attaching the pcap (assuming I did it right). Looks like it was a Google query. The alert came from my DNS server.

I'm a little confused by the SID; it seems to be 3:21355, which would be https://www.snort.org/rule_docs/3-21355, but it seems to match 1:21355 more closely, which is https://www.snort.org/rule_docs/1-21355. Regardless, I'm confused about what automated activity might cause this. I'll turn on DNS logging to look at who/what is causing this, but right now I don't have much more than this.

      But anyways, curious for any insight anyone can provide.
      dns_cache_poisoning.1.pcap

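The alert above reports a DNS response whose transaction ID does not line up with a query. The script below is an added example, not code from this thread, from Netgate, or from the Snort rule itself: it reimplements the underlying correlation in a simplified form, tracking the TXIDs a client socket has sent to each server and flagging any response that arrives with a TXID that was never outstanding. Snort's own DNS inspection is more involved; this shows only the idea a practitioner would check against the attached pcap. The packets are constructed inline (they reuse the 192.168.1.11 / 216.239.36.10 / 62464 values from the alert line, with RFC 5737 documentation addresses as answers), and all function names are my own.

```python
"""Flag DNS responses whose transaction ID does not match an outstanding query.

Added example: a simplified stand-in for the correlation behind a
"mismatched txid" alert. It is NOT Snort's rule logic, and the packets
below are constructed rather than taken from the thread's pcap.
"""
import struct
from collections import namedtuple

# (src_ip, src_port, dst_ip, dst_port, raw DNS message)
Packet = namedtuple("Packet", "src sport dst dport payload")


def encode_qname(qname):
    """Encode a dotted name as DNS labels, e.g. 3www6google3com0."""
    return b"".join(bytes([len(label)]) + label.encode() for label in qname.split(".")) + b"\x00"


def build_dns(txid, qname, response=False, answer_ip=None):
    """Build a minimal A query, or an A response carrying one answer record."""
    flags = 0x8180 if response else 0x0100  # QR|RD|RA for responses, RD only for queries
    ancount = 1 if response else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    question = encode_qname(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    msg = header + question
    if response:
        # Answer RR: compression pointer to the qname at offset 12, type A, class IN,
        # TTL 300, then a 4-byte IPv4 RDATA.
        rdata = bytes(int(octet) for octet in answer_ip.split("."))
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, len(rdata)) + rdata
    return msg


def parse_dns(payload):
    """Return (txid, is_response, qname) from a DNS message with one question."""
    txid, flags = struct.unpack("!HH", payload[:4])
    labels, off = [], 12  # question section starts right after the 12-byte header
    while payload[off] != 0:
        n = payload[off]
        labels.append(payload[off + 1:off + 1 + n].decode())
        off += 1 + n
    return txid, bool(flags & 0x8000), ".".join(labels)


def find_mismatched_txids(packets):
    """Correlate responses with queries keyed by (client, client port, server).

    A matching response retires its query. A response whose TXID was never
    sent from that client socket to that server is reported as an alert,
    together with the TXIDs that were actually outstanding on that socket.
    """
    pending = {}  # (client_ip, client_port, server_ip) -> {txid: qname}
    alerts = []
    for p in packets:
        txid, is_response, qname = parse_dns(p.payload)
        if not is_response:
            pending.setdefault((p.src, p.sport, p.dst), {})[txid] = qname
            continue
        key = (p.dst, p.dport, p.src)  # a response flows server -> client
        outstanding = pending.get(key, {})
        if txid in outstanding:
            del outstanding[txid]  # ordinary query/response pair: no alert
        else:
            alerts.append({
                "server": p.src, "client": p.dst, "client_port": p.dport,
                "txid": txid, "qname": qname, "outstanding_txids": sorted(outstanding),
            })
    return alerts


# Constructed traffic reusing the addresses from the alert line (not the real pcap).
RESOLVER, AUTH = "192.168.1.11", "216.239.36.10"
SAMPLE_PACKETS = [
    # 1. Normal exchange: TXIDs match, no alert.
    Packet(RESOLVER, 62464, AUTH, 53, build_dns(0x1A2B, "www.google.com")),
    Packet(AUTH, 53, RESOLVER, 62464, build_dns(0x1A2B, "www.google.com", True, "203.0.113.4")),
    # 2. Response carries a TXID the resolver never sent from this socket.
    Packet(RESOLVER, 62465, AUTH, 53, build_dns(0x3C4D, "mail.google.com")),
    Packet(AUTH, 53, RESOLVER, 62465, build_dns(0x9999, "mail.google.com", True, "203.0.113.5")),
    # 3. Unsolicited response: nothing was outstanding on that socket at all.
    Packet(AUTH, 53, RESOLVER, 62466, build_dns(0x5E6F, "docs.google.com", True, "203.0.113.6")),
]


def run_sample():
    """Run the correlation over the constructed packets and return the alerts."""
    return find_mismatched_txids(SAMPLE_PACKETS)


if __name__ == "__main__":
    for alert in run_sample():
        print("mismatched txid:", alert)
```

Exchange 1 produces nothing; exchanges 2 and 3 each produce one alert. When reading a real capture, the "outstanding_txids" field is the useful part: if the response's TXID matches a query sent a moment earlier from a different source port (for example a resolver retrying, or a host querying itself as in the follow-up post), the mismatch is a bookkeeping artefact rather than an injection attempt, and the fix is on the resolver, not the IDS.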
mctad:

FWIW, I might have tracked it down. I found that this DNS server has its own IP address set as the DNS server rather than the loopback. This is a secondary DNS, so the entry wasn't very common. But I guess I'll know in a few days if it doesn't reappear.

u3c307:

Looks like your machine is making normal domain name queries to ns3.google.com.
