Netgate Discussion Forum
    Suricata rule 1:2025146 ET DNS Query for Suspicious Domain

Anergos13

      Hello,

Lately I am getting alerts for rule 1:2025146, and the DNS servers that I am using are getting blocked. Does anybody know how I can view those DNS queries? I tried to capture DNS traffic, but I don't have a dedicated PC for monitoring.

I am trying to understand the alert and see if it is a false positive; any help is appreciated.

      Thank you very much.


NogBadTheBad

        Does Suricata capture the offending packet?

        Snort does.

        ET DNS Query for Suspicious .gr.com Domain (gr.com in DNS Lookup)

LOL, suspicious indeed: any random hostname returns 72.34.38.11:

        mac-pro:~ andy$ nslookup qjkcvjhads.gr.com
        Server: xxxxxxxxxx
        Address: xxxxxxxxxx#53

        Non-authoritative answer:
        Name: qjkcvjhads.gr.com
        Address: 72.34.38.11

        mac-pro:~ andy$ nslookup kfvovdkjds.gr.com
        Server: xxxxxxxxxx
        Address: xxxxxxxxxx#53

        Non-authoritative answer:
        Name: kfvovdkjds.gr.com
        Address: 72.34.38.11

        mac-pro:~ andy$

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22


NogBadTheBad

It could have been a host looking up *gr.com; it looks like there was an issue with the rule, so try updating your rules:

          http://docs.emergingthreats.net/bin/view/Main/2025146

          "This alert is generating ~30+ false positives per hour in our IDS because it is hitting on any domain ending in "gr.com" instead of the actual domain of ".gr.com" such as angr.com or pulsemgr.com. Please change to 'content:".gr.com".'"

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22


n3by

It looks like the rule was corrected:

            alert dns $HOME_NET any -> any any (msg:"ET DNS Query for Suspicious .gr.com Domain (gr .com in DNS Lookup)"; dns_query; content:".gr.com"; isdataat:!1,relative; metadata: former_category DNS; reference:url,www.domain.gr.com; classtype:bad-unknown; sid:2025146; rev:3; metadata:created_at 2017_12_12, updated_at 2017_12_18;)
            

Anergos13
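The two practical questions in this thread are how to see which names actually triggered sid 2025146, and why the old rule fired on names like angr.com and pulsemgr.com while the corrected rev:3 does not. The following is an added example, not code from the original posts, from Suricata or from Emerging Threats. It assumes Suricata's EVE JSON output (eve.json) is enabled and that alert records for DNS traffic carry the queried name under dns.query[].rrname; the log lines below are constructed in that shape, and every query name other than qjkcvjhads.gr.com (from Andy's nslookup) and the two names cited on the ET page (angr.com, pulsemgr.com) is made up. The two match functions mirror the rule logic in Python: a plain substring search for rev:2's content:"gr.com", and an end-of-buffer anchored search for rev:3's content:".gr.com"; isdataat:!1,relative;.

```python
import json

# Constructed sample in the shape of Suricata eve.json alert records (not real logs).
# One record per line, as Suricata writes them.  The third line is a plain DNS event,
# not an alert, and is there to show that the filter below ignores it.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2017-12-15T10:00:01.000000+0000","event_type":"alert","src_ip":"192.168.1.20",'
    '"dest_ip":"192.168.1.1","proto":"UDP","app_proto":"dns","alert":{"gid":1,"signature_id":2025146,'
    '"rev":2,"signature":"ET DNS Query for Suspicious .gr.com Domain (gr.com in DNS Lookup)"},'
    '"dns":{"query":[{"rrname":"pulsemgr.com","rr_type":"A"}]}}',
    '{"timestamp":"2017-12-15T10:00:02.000000+0000","event_type":"alert","src_ip":"192.168.1.21",'
    '"dest_ip":"192.168.1.1","proto":"UDP","app_proto":"dns","alert":{"gid":1,"signature_id":2025146,'
    '"rev":2,"signature":"ET DNS Query for Suspicious .gr.com Domain (gr.com in DNS Lookup)"},'
    '"dns":{"query":[{"rrname":"angr.com","rr_type":"A"}]}}',
    '{"timestamp":"2017-12-15T10:00:03.000000+0000","event_type":"dns","src_ip":"192.168.1.22",'
    '"dest_ip":"192.168.1.1","proto":"UDP","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}',
    '{"timestamp":"2017-12-15T10:00:04.000000+0000","event_type":"alert","src_ip":"192.168.1.23",'
    '"dest_ip":"192.168.1.1","proto":"UDP","app_proto":"dns","alert":{"gid":1,"signature_id":2025146,'
    '"rev":2,"signature":"ET DNS Query for Suspicious .gr.com Domain (gr.com in DNS Lookup)"},'
    '"dns":{"query":[{"rrname":"qjkcvjhads.gr.com","rr_type":"A"}]}}',
    '{"timestamp":"2017-12-15T10:00:05.000000+0000","event_type":"alert","src_ip":"192.168.1.24",'
    '"dest_ip":"192.168.1.1","proto":"UDP","app_proto":"dns","alert":{"gid":1,"signature_id":2025146,'
    '"rev":2,"signature":"ET DNS Query for Suspicious .gr.com Domain (gr.com in DNS Lookup)"},'
    '"dns":{"query":[{"rrname":"www.gr.com.example","rr_type":"A"}]}}',
])

# dns_query hands the detection engine the queried name without the trailing dot,
# so the buffer being matched is just the hostname string.

def rev2_matches(qname):
    """rev:2 logic: content:"gr.com" is an unanchored substring search over dns_query,
    so angr.com, pulsemgr.com and anything containing "gr.com" anywhere also fire."""
    return "gr.com" in qname.lower()

def rev3_matches(qname):
    """rev:3 logic: content:".gr.com"; isdataat:!1,relative; -- there must be no byte
    after the match, so ".gr.com" has to be the tail of the queried name."""
    return qname.lower().endswith(".gr.com")

def classify(qname):
    """Label a query name the way the corrected rule sees it."""
    if rev3_matches(qname):
        return "true positive"
    if rev2_matches(qname):
        return "false positive (rev:2 substring match)"
    return "no match"

def queries_for_sid(eve_text, sid=2025146):
    """Return (rrname, classification) for each alert record carrying the given
    signature_id and DNS query metadata.  Non-alert events and other sids are skipped."""
    found = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        if rec.get("alert", {}).get("signature_id") != sid:
            continue
        for q in rec.get("dns", {}).get("query", []):
            name = q.get("rrname", "")
            found.append((name, classify(name)))
    return found

def false_positives(eve_text, sid=2025146):
    """Names that fired under rev:2 but would not under rev:3."""
    return [n for n, c in queries_for_sid(eve_text, sid) if c.startswith("false positive")]

if __name__ == "__main__":
    # On a real box: python3 thisfile.py < /var/log/suricata/eve.json (path is an assumption)
    for name, verdict in queries_for_sid(SAMPLE_EVE):
        print(f"{name:30s} {verdict}")
```

Against the sample, pulsemgr.com, angr.com and www.gr.com.example come back as rev:2-only hits and qjkcvjhads.gr.com as a genuine match, which is exactly the distinction the isdataat:!1,relative; anchor in the corrected rule introduces. Note that the bare apex gr.com contains "gr.com" but does not end in ".gr.com", so rev:3 will not fire on it either.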

NogBadTheBad and ecfx, thank you for your instant reply.

              The site of Emerging Threats is very useful.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.