Snort showing many DNS cache poisoning alerts



  • Hey all,

    Just seen this in my alert logs and blocked list for Snort:

    1 8.8.8.8
    BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid - 05/13/13-15:37:09
    2 216.239.32.10
    BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid - 05/13/13-16:36:28
    3 208.78.71.100
    BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid - 05/13/13-15:41:30
    4 205.251.193.59
    BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid - 05/13/13-15:40:18

    05/13/13-15:40:22 2 UDP Attempted Information Leak 23.74.25.32  53 MYIP* 39090 3:21355:2 BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
    05/13/13-15:40:18 2 UDP Attempted Information Leak 205.251.193.59 53 MYIP* 17452 3:21355:2 BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
    05/13/13-15:40:17 2 UDP Attempted Information Leak 80.190.225.144 53 MYIP* 2030 3:21355:2 BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
    05/13/13-15:39:42 2 UDP Attempted Information Leak 80.239.171.207 53 MYIP* 29724 3:21355:2 BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
    05/13/13-15:37:15 2 UDP Attempted Information Leak 207.123.33.51 53 MYIP* 60546 3:21355:2 BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
    05/13/13-15:37:09 2 UDP Attempted Information Leak 8.8.8.8 53 MYIP* 47667 3:21355:2 BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid

    Now I don't know of the other IPs there but I know 8.8.8.8 is Google's DNS server…
    Surely they can't be providing these "bad traffic" DNS requests to me?

    This has just started today - have not seen it before.

    Any ideas where I can inspect these logs further?



  • @Deadringers:

    Hey all,

    Just seen this in my alert logs and blocked list for Snort:

    1 8.8.8.8
    BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid - 05/13/13-15:37:09
    05/13/13-15:37:09 2 UDP Attempted Information Leak 8.8.8.8 53 *MY*IP* 47667 3:21355:2


    Now I don't know of the other IPs there but I know 8.8.8.8 is Google's DNS server…
    Surely they can't be providing these "bad traffic" DNS requests to me?

    This has just started today - have not seen it before.

    Any ideas where I can inspect these logs further?

    I have the same Google DNS server configured in my Home network, but I do not have any of those alerts in my logs.  I just checked today a few minutes ago.  Most likely these are false positives, and they could have been triggered by a temporarily misconfigured or malfunctioning host at Google's DNS farm.  Are you still getting the alerts, or have they quieted down?  If you convince yourself they are false positives, you can add the GID:SID to the Suppress List for Snort and that will stop the alerts.

    Bill



  • Thanks for the feedback - they have been showing all day so no idea why…
    I'll keep the DNS alerts off for now but will re-instate them tomorrow and see what happens.



  • Hey all.

    Still getting these alerts…are there any further logs that I can enable or look at?

    It is weird that I am getting these and no one else is?

    05/14/13-12:07:09 2 UDP Attempted Information Leak 69.147.237.99 53 213.123.237.9 60119 3:21355:2 BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
    05/14/13-12:06:34 1 UDP Attempted User Privilege Gain 8.8.8.8  53 213.123.237.9 48522 3:19187:2 BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt
    05/14/13-12:05:24 2 UDP Attempted Information Leak 95.211.9.35  53 213.123.237.9 56707 3:21355:2 BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
    05/14/13-12:04:37 2 UDP Attempted Information Leak 65.19.178.10 53 213.123.237.9 41518 3:21355:2 BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
    05/14/13-12:04:37 2 UDP Attempted Information Leak 213.254.245.7 53 213.123.237.9 36354 3:21355:2 BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
    05/14/13-12:04:37 2 UDP Attempted Information Leak 109.74.194.10 53 213.123.237.9 53521 3:21355:2 BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
    05/14/13-12:04:37 2 UDP Attempted Information Leak 96.7.49.64 53 213.123.237.9 28315 3:21355:2 BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
    05/14/13-12:04:36 2 UDP Attempted Information Leak 69.171.239.11 53 213.123.237.9 6915 3:21355:2 BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid

    1 8.8.8.8
    BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid - 05/14/13-12:02:37
    BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt - 05/14/13-12:06:34
    2 95.211.9.35
    BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid - 05/14/13-12:05:24
    3 69.147.237.99
    BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid - 05/14/13-12:07:09
    3 items listed.



    Hmm, I think I may have found out what it was…

    So I upgraded my ESXi guests yesterday to use the VMXNET 3 adapters rather than the e1000.

    This meant I had to re-apply the config on my 2008 R2 DC to the new adapter; here I set the DNS server my DC should use to its actual IP rather than its loopback.

    I think this was somehow producing an incorrect result as far as Snort was concerned?

    Because now I have changed it to 127.0.0.1 and I am getting no DNS errors.



  • @Deadringers:

    Hmm, I think I may have found out what it was…

    So I upgraded my ESXi guests yesterday to use the VMXNET 3 adapters rather than the e1000.

    This meant I had to re-apply the config on my 2008 R2 DC to the new adapter; here I set the DNS server my DC should use to its actual IP rather than its loopback.

    I think this was somehow producing an incorrect result as far as Snort was concerned?

    Because now I have changed it to 127.0.0.1 and I am getting no DNS errors.

    Yep…I don't know all the super secret details of Microsoft AD servers, but I do know the domain controllers want themselves (the loopback address) for DNS.  Glad you got it sorted out.

    Bill

