Suricata Alerts - ET INFO Observed DNS Query to .biz TLD



  • I have noticed recently that my pfSense is picking up communication leaving my server IP address and ending here: 209.173.58.66 port 53.

    I am not sure why my server is sending any information to this IP address.

    How would I go about finding out why it is going there?



  • By "my server ip address" which box do you mean? Your pfSense firewall itself, or some host on your LAN?

    If you are running Suricata on the WAN, then what you see in alerts is the NAT address for all local hosts. So any device on your LAN that shows up in alerts triggered on the WAN will show as having your firewall's external IP address.

    I recommend that folks run the IDS/IPS packages on the LAN interface so that LAN host IP addresses can be obtained before NAT. That makes tracking down these types of alerts easier.

    Finally, if it is your firewall's external IP that is showing up in the logs and you are running the IDS/IPS on the LAN, then another possibility is that another package on the firewall is attempting a DNS lookup of an IP address in order to obtain the domain name. This normally happens when something wants to write a host or domain name to a log and has only the IP address. If that is the case, then it is harmless.



  • @bmeeks said in Suricata Alerts - ET INFO Observed DNS Query to .biz TLD:

    By "my server ip address" which box do you mean? Your pfSense firewall itself, or some host on your LAN?
    If you are running Suricata on the WAN, then what you see in alerts is the NAT address for all local hosts. So any device on your LAN that shows up in alerts triggered on the WAN will show as having your firewall's external IP address.
    I recommend that folks run the IDS/IPS packages on the LAN interface so that LAN host IP addresses can be obtained before NAT. That makes tracking down these types of alerts easier.
    Finally, if it is your firewall's external IP that is showing up in the logs and you are running the IDS/IPS on the LAN, then another possibility is that another package on the firewall is attempting a DNS lookup of an IP address in order to obtain the domain name. This normally happens when something wants to write a host or domain name to a log and has only the IP address. If that is the case, then it is harmless.

    Thanks so much for your reply! It is appreciated. I am grateful you took the time to respond :)

    It shows the external IP address of my firewall, which is the one I was given by my ISP.

    I have the IDS active on my LAN interface, but it doesn't seem to translate the internal IP addresses as you suggested.

    That makes me think that maybe DNS on the pfSense is doing as you suggested.

    I did notice that "Enable Forwarding Mode" wasn't turned on:

    DNS queries will be forwarded to the upstream DNS servers defined under System > General Setup or those obtained via DHCP/PPP on WAN (if DNS Server Override is enabled there).

    Should I turn this on for it to resolve properly?



  • No, there should be no need to make changes to the DNS settings on the firewall so long as your clients are able to resolve domain names. The default out-of-the-box settings for DNS on pfSense should work for everyone. The default is to use the DNS Resolver (unbound) to do lookups using the root servers. That is the best way. You then point your LAN hosts to use the pfSense firewall (via the LAN interface IP) as their DNS server of record. You can hand this out via DHCP options, or you can hardcode the IP on the LAN clients.

    It is entirely possible that some ad on a web page or really almost anything could have triggered a lookup of that IP address. Realize that an IDS/IPS can generate a lot of "noise" from what is, 99.99% of the time, harmless traffic. Just because you get an alert does not necessarily mean something evil is happening. You need to analyze alerts and determine if they rise to the level of "I should be worried". You do this by using Google to research the alerts to see what it is really detecting as well as what other security admins have to say about some particular alert.



  • @bmeeks

    Sounds good, buddy.

    I have been researching as much as I can, but it's a bit hard to filter when you're new to the system like myself, which is why I appreciate people like yourself that help people like me out :)



  • @thawee

    One more question for you if you don't mind?

    In my Suricata alerts I am seeing entries with source and destination IP addresses that don't belong to me, which makes sense because I am monitoring my WAN IP, but do I really need to track this kind of info in my alerts, or do you think it is safe to suppress it?



  • @thawee said in Suricata Alerts - ET INFO Observed DNS Query to .biz TLD:

    @thawee

    One more question for you if you don't mind?

    In my Suricata alerts I am seeing entries with source and destination IP addresses that don't belong to me, which makes sense because I am monitoring my WAN IP, but do I really need to track this kind of info in my alerts, or do you think it is safe to suppress it?

    Neither the SRC nor DST address belongs to you? That would be strange unless there are other users on your WAN segment. When running with Legacy Blocking Mode, Suricata puts the interface in promiscuous mode. That lets Suricata see anything on the same segment as the NIC, but usually ISPs somewhat limit traffic to your WAN port to be just yours.

    For example, I have a cable modem in bridge mode, but even then I only see IP addresses that have my WAN IP and then the other end of the conversation. I don't see traffic from other users on my cable segment. Either I'm the only one (which I doubt), or my cable modem is filtering everything that is not for my specific WAN IP. Maybe your ISP device is not doing that.

    Trying to suppress or hide those alerts might be difficult without also hiding alerts you would want to see.
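
    The two situations described in this thread (a WAN-side alert that shows the firewall's post-NAT address instead of the LAN host, and alerts where neither endpoint is yours because the NIC is in promiscuous mode on a shared segment) can be sorted out from Suricata's eve.json log plus the pf state table. The script below is an added example written for this thread; it is not code from pfSense, Suricata or either poster. It assumes a public IP of 203.0.113.5 and a LAN of 192.168.1.0/24, and the eve.json lines and `pfctl -ss` output it parses are constructed sample data. It maps a WAN alert back to the LAN host through the original address that pf keeps in parentheses for NAT'd states, recognises the firewall's own connections (no inner address, e.g. a lookup by unbound or another package), and counts neighbour traffic separately so you can see how much you would be hiding before touching a suppress list.

```python
"""Triage Suricata eve.json alerts from pfSense by where the traffic really came from.

Added example for this thread, not code from pfSense, Suricata or the posters.
WAN_IP, LAN_NETS, the eve.json lines and the pfctl -ss output are constructed.
"""
import ipaddress
import json
import re
from collections import Counter

WAN_IP = ipaddress.ip_address("203.0.113.5")           # assumed public IP of the firewall
LAN_NETS = [ipaddress.ip_network("192.168.1.0/24")]    # assumed LAN subnet(s)

# Constructed eve.json lines (one JSON object per line, as Suricata writes them).
EVE_LINES = """\
{"event_type":"alert","in_iface":"em1","src_ip":"203.0.113.5","src_port":51234,"dest_ip":"209.173.58.66","dest_port":53,"proto":"UDP","alert":{"signature":"ET INFO Observed DNS Query to .biz TLD"}}
{"event_type":"alert","in_iface":"em0","src_ip":"192.168.1.50","src_port":40001,"dest_ip":"209.173.58.66","dest_port":53,"proto":"UDP","alert":{"signature":"ET INFO Observed DNS Query to .biz TLD"}}
{"event_type":"alert","in_iface":"em1","src_ip":"203.0.113.5","src_port":53001,"dest_ip":"209.173.58.66","dest_port":53,"proto":"UDP","alert":{"signature":"ET INFO Observed DNS Query to .biz TLD"}}
{"event_type":"alert","in_iface":"em1","src_ip":"203.0.113.77","src_port":44444,"dest_ip":"198.51.100.9","dest_port":53,"proto":"UDP","alert":{"signature":"ET INFO Observed DNS Query to .biz TLD"}}
{"event_type":"alert","in_iface":"em1","src_ip":"203.0.113.5","src_port":61000,"dest_ip":"198.51.100.9","dest_port":53,"proto":"UDP","alert":{"signature":"ET INFO Observed DNS Query to .biz TLD"}}
{"event_type":"alert","in_iface":"em1","src_ip":"198.51.100.9","src_port":53,"dest_ip":"203.0.113.5","dest_port":61000,"proto":"UDP","alert":{"signature":"ET INFO Observed DNS Query to .biz TLD"}}
{"event_type":"dns","src_ip":"192.168.1.50","dest_ip":"203.0.113.5"}
"""

# Constructed `pfctl -ss` output. For an outbound NAT state pf prints the
# post-NAT address first and the original LAN address in parentheses; the
# firewall's own connections have no parenthesised part.
PF_STATES = """\
em1 udp 203.0.113.5:51234 (192.168.1.50:40001) -> 209.173.58.66:53       MULTIPLE:MULTIPLE
em1 udp 203.0.113.5:53001 -> 209.173.58.66:53       MULTIPLE:MULTIPLE
em0 udp 192.168.1.50:40001 -> 209.173.58.66:53       MULTIPLE:MULTIPLE
"""

# Only outbound ("->") states are parsed; inbound states print the other way round.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)"
    r"(?:\s+\((?P<osrc>[\d.]+):(?P<osport>\d+)\))?"
    r"\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_states(text):
    """Index pf states by post-NAT (proto, src, sport, dst, dport) -> original (src, sport)."""
    table = {}
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        key = (m["proto"].lower(), m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        # No parenthesised part means the firewall itself opened the connection.
        orig = (m["osrc"], int(m["osport"])) if m["osrc"] else (m["src"], int(m["sport"]))
        table[key] = orig
    return table


def is_ours(ip):
    a = ipaddress.ip_address(ip)
    return a == WAN_IP or any(a in n for n in LAN_NETS)


def triage(eve_text, states):
    """Label each alert with where it really originated."""
    out = []
    for line in eve_text.splitlines():
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        src, dst = ev["src_ip"], ev["dest_ip"]
        rec = {"sig": ev["alert"]["signature"], "src": src, "dst": dst, "origin": None}
        if not is_ours(src) and not is_ours(dst):
            rec["kind"] = "foreign"            # neighbour traffic on a shared WAN segment
        elif not is_ours(src):
            rec["kind"], rec["origin"] = "inbound", src
        elif ipaddress.ip_address(src) == WAN_IP:
            key = (ev["proto"].lower(), src, ev["src_port"], dst, ev["dest_port"])
            orig = states.get(key)
            if orig is None:
                rec["kind"] = "wan-unmapped"   # state already expired; check LAN-side logs
            elif ipaddress.ip_address(orig[0]) == WAN_IP:
                rec["kind"], rec["origin"] = "firewall-itself", orig[0]
            else:
                rec["kind"], rec["origin"] = "lan-host-via-nat", orig[0]
        else:
            rec["kind"], rec["origin"] = "lan-direct", src
        out.append(rec)
    return out


def summarize(records):
    """Count alerts per origin kind, to size the noise before writing suppress entries."""
    return Counter(r["kind"] for r in records)


if __name__ == "__main__":
    recs = triage(EVE_LINES, parse_states(PF_STATES))
    for r in recs:
        print(f'{r["kind"]:17} {r["src"]:>15} -> {r["dst"]:<15} origin={r["origin"]}  {r["sig"]}')
    print(dict(summarize(recs)))
```

    On a live box the inputs would be the output of `pfctl -ss` captured close to the alert time and the Suricata eve.json for the interface, since a state that has already expired cannot be mapped (the `wan-unmapped` bucket), which is exactly why running the IDS on the LAN side is simpler.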



  • @thawee said in Suricata Alerts - ET INFO Observed DNS Query to .biz TLD:

    @bmeeks

    Sounds good, buddy.

    I have been researching as much as I can, but it's a bit hard to filter when you're new to the system like myself, which is why I appreciate people like yourself that help people like me out :)

    There is an old and very long thread here in the IDS/IPS forum about Suppression Lists. Try searching for "suppress list" and see if it shows up. It has input from many users describing which rules they commonly disable or suppress.

    Edit: here it is -- https://forum.netgate.com/topic/50708/suricata-snort-master-sid-disablesid-conf.



  • @bmeeks

    Kk, sounds good.

    Thanks my friend, I will check it out, and I will ask my ISP about that because I am seeing a whole range of IPs in the same scope as my public WAN IP, as well as IPs that look to be going to different IP addresses not related to me at all and are on the same subnet as my public WAN.

    Thanks again.