Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    snort (SID 43687) blocks root DNS servers ?!

    Scheduled Pinned Locked Moved IDS/IPS
    35 Posts 3 Posters 6.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • NogBadTheBadN
      NogBadTheBad
      last edited by NogBadTheBad

      Date	Pri	Proto	Class	Source IP	SPort	Destination IP	DPort	SID	Description
      2018-07-03
      22:35:13	2	UDP	Potentially Bad Traffic	172.16.2.20
        	62541	172.16.2.1
        	53	1:2023883
        	ET DNS Query to a *.top domain - Likely Hostile
      

      But I'm using the ET DNS ruleset.

      chudakC 1 Reply Last reply Reply Quote 0
      • NogBadTheBadN
        NogBadTheBad
        last edited by

        This post is deleted!
        1 Reply Last reply Reply Quote 0
        • chudakC
          chudak @NogBadTheBad
          last edited by

          @nogbadthebad what command did you run to get it? via ssh assuming?

          PS: I did change log level to "Query level information" and re-enabled all rules

          1 Reply Last reply Reply Quote 0
          • NogBadTheBadN
            NogBadTheBad
            last edited by

            You mean the txt that says ET DNS Query to a *.top domain - Likely Hostile ?

            If so that was from Services -> Snort-> Alerts

            chudakC 1 Reply Last reply Reply Quote 0
            • chudakC
              chudak @NogBadTheBad
              last edited by

              @nogbadthebad
              OK

              I don't see anything yet on LAN, all only on WAN.

              Let's wait :)

              NogBadTheBadN 1 Reply Last reply Reply Quote 0
              • NogBadTheBadN
                NogBadTheBad @chudak
                last edited by

                @chudak said in snort (SID 43687) blocks root DNS servers ?!:

                @nogbadthebad
                OK

                I don't see anything yet on LAN, all only on WAN.

                Let's wait :)

                0_1530654459156_Untitled.jpeg

                chudakC 1 Reply Last reply Reply Quote 0
                • chudakC
                  chudak @NogBadTheBad
                  last edited by

                  @nogbadthebad

                  0_1530654781856_snort2.png

                  1 Reply Last reply Reply Quote 0
                  • NogBadTheBadN
                    NogBadTheBad
                    last edited by NogBadTheBad

                    f.root-servers.net = 192.5.5.241 guessing thats from your WAN interface.

                    Or your hosts directly query f.root-servers.net

                    1 Reply Last reply Reply Quote 0
                    • NogBadTheBadN
                      NogBadTheBad
                      last edited by NogBadTheBad

                      @chudak said in snort (SID 43687) blocks root DNS servers ?!:

                      43687

                      Err that rule by default is default disabled:-

                      0_1530655816916_Untitled.jpeg

                      0_1530655711176_Untitled.jpeg

                      Maybe your being a bit over zealous with enabling the rules :)

                      The two rules do differ slightly as well:-

                      INDICATOR-COMPROMISE:-
                      
                      alert udp $HOME_NET any -> any 53 (msg:"INDICATOR-COMPROMISE Suspicious .top dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|top|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:url,en.wikipedia.org/wiki/.top; classtype:misc-activity; sid:43687; rev:2;)
                      
                      Emerging DNS:-
                      
                      alert udp $HOME_NET any -> any 53 (msg:"ET DNS Query to a *.top domain - Likely Hostile"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|top|00|"; fast_pattern; nocase; distance:0; threshold:type limit, track by_src, count 1, seconds 30; reference:url,www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2023883; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_07, updated_at 2017_02_07;)
                      
                      chudakC 1 Reply Last reply Reply Quote 0
                      • chudakC
                        chudak @NogBadTheBad
                        last edited by

                        @nogbadthebad
                        that could be and is an answer to the initial question, alto I don't recall changing rules until recently I saw my network being blocked

                        1 Reply Last reply Reply Quote 0
                        • NogBadTheBadN
                          NogBadTheBad
                          last edited by

                          .tk domains too :)

                          0_1530657362638_Untitled.jpeg

                          1 Reply Last reply Reply Quote 0
                          • BBcan177B
                            BBcan177 Moderator
                            last edited by

                            You can add "top" and "tk" to the DNSBL TLD Blacklist which will prevent these alerts since the DNS request will never be answered for those TLD Domains.

                            "Experience is something you don't get until just after you need it."

                            Website: http://pfBlockerNG.com
                            Twitter: @BBcan177  #pfBlockerNG
                            Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                            chudakC 1 Reply Last reply Reply Quote 0
                            • chudakC
                              chudak
                              last edited by

                              That’s interesting, added, thx

                              1 Reply Last reply Reply Quote 0
                              • chudakC
                                chudak @BBcan177
                                last edited by

                                @bbcan177 would it make sense to black list all top domains listed here https://www.spamhaus.org/statistics/tlds/ ?

                                BBcan177B 1 Reply Last reply Reply Quote 0
                                • BBcan177B
                                  BBcan177 Moderator @chudak
                                  last edited by

                                  @chudak said in snort (SID 43687) blocks root DNS servers ?!:

                                  @bbcan177 would it make sense to black list all top domains listed here https://www.spamhaus.org/statistics/tlds/ ?

                                  Its not a one-size-fits-all... Most of those TLDs most users will never need to access, so I would see little issue. There is also the TLD Whitelist, where you can allow some specific domains thru that are being blocked via TLD Blacklist.

                                  There is also this TLD list: http://toolbar.netcraft.com/stats/tlds

                                  "Experience is something you don't get until just after you need it."

                                  Website: http://pfBlockerNG.com
                                  Twitter: @BBcan177  #pfBlockerNG
                                  Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                                  1 Reply Last reply Reply Quote 0
                                  • First post
                                    Last post
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.