Snort rule "ET TROJAN DNS Reply for unallocated address space" - high sev


  • I just configured Snort / Barnyard logging externally to my server running Snorby. I'm a N00b at looking at this sort of thing but am trying to get my head around this high severity event.

    This is the rule

    alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET TROJAN DNS Reply for unallocated address space - Potentially Malicious 1.1.1.0/24"; content:"|00 01 00 01|"; content:"|00 04 01 01 01|"; distance:4; within:5; classtype:trojan-activity; sid:2016104; rev:3;)
    

    From looking at Snorby the source IP address is originating from a Chinese ISP (111.11.110.110). When I analyze the payload context I see the characters ur99.com and m.gtld-servers.net

    I guess my main questions are what does this part of the rule mean, "Potentially Malicious 1.1.1.0/24", in relation to url99.com? Does this mean that a host behind my network is calling out to this URL? Any insight would be greatly appreciated.
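    To make the rule's two content matches concrete, here is an added Python example (not code from the thread or from Emerging Threats). It builds a constructed DNS response by hand, emulates the rule's `content` / `distance:4` / `within:5` logic the way Snort would apply it to the UDP payload, and then parses the same message properly to pull out the A records in the answer section and test them against 1.1.1.0/24. The query name `example.invalid` and the answer address are made-up values; the parser only handles what the rule cares about (A records in the answer section, with name compression). One caveat a defender should know: the rule's premise was that 1.1.1.0/24 was unallocated when it was written, and that range has since been allocated (it is the APNIC/Cloudflare public resolver prefix), so a hit on it today is usually benign.

```python
import struct
import ipaddress

SUSPECT_NET = ipaddress.IPv4Network("1.1.1.0/24")   # the range named in the rule's msg


def build_dns_response(qname: str, answer_ip: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: a standard DNS response with one A answer.
    Assembled here so the example runs offline; not a capture from the thread."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD/RA, 1 Q, 1 A
    qname_wire = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    question = qname_wire + struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN
    rdata = ipaddress.IPv4Address(answer_ip).packed
    # Answer NAME is a compression pointer (0xC00C) back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answer


def rule_2016104_matches(payload: bytes) -> bool:
    """Approximates the content matches of ET sid:2016104:
        content:"|00 01 00 01|";            -> TYPE=A, CLASS=IN
        content:"|00 04 01 01 01|"; distance:4; within:5;
                                            -> skip the 4-byte TTL, then RDLENGTH=4
                                               followed by the first three octets 1.1.1
    Snort retries every occurrence of the first content, so this does too."""
    c1 = b"\x00\x01\x00\x01"
    c2 = b"\x00\x04\x01\x01\x01"
    distance, within = 4, 5
    pos = payload.find(c1)
    while pos != -1:
        start = pos + len(c1) + distance          # position after the skipped TTL
        window = payload[start:start + within]    # c2 must fit entirely in this window
        if c2 in window:
            return True
        pos = payload.find(c1, pos + 1)
    return False


def _read_name(msg: bytes, offset: int):
    """Returns (name, offset just past the name), following compression pointers."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # two-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), end


def answered_a_records(msg: bytes):
    """Parses a DNS message and returns [(name, ip)] for the A records in its answer section."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                            # skip the question section
        _, offset = _read_name(msg, offset)
        offset += 4                                # QTYPE + QCLASS
    records = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((name, str(ipaddress.IPv4Address(rdata))))
    return records


def replies_into_suspect_net(msg: bytes):
    """The check the rule is really after: which answered names resolve into 1.1.1.0/24."""
    return [(name, ip) for name, ip in answered_a_records(msg)
            if ipaddress.IPv4Address(ip) in SUSPECT_NET]


if __name__ == "__main__":
    pkt = build_dns_response("example.invalid", "1.1.1.5")
    print("rule fires:", rule_2016104_matches(pkt))            # True
    print("answers in 1.1.1.0/24:", replies_into_suspect_net(pkt))
```

The byte-matching function answers the first question in the post: the rule is not looking at any domain name at all, only at an A record whose address starts with 1.1.1, so the "1.1.1.0/24" in the message is the answer that came back, and the names seen in the payload are simply the query and the authority section that happened to be in the same reply. The parser is what you would use to turn a stream of DNS replies into a list of which names actually resolved into the range, which the raw content matches cannot tell you.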

  • Moderator

    Hello Heisenberg1977,

    Is this alert taken from the WAN or LAN Snort Interface?

    Do you have an internal DNS server, or is pfSense DNS Forwarder being used?

    It looks like a client requested DNS resolution to 1.1.1.0/24 and Snort is picking up the Response Back from the Net as the rule is (External > Home_Net).

    If Snort is on the LAN side, you can see which internal LAN IP initiated the Request. If pfSense is the Forwarder, then you can't see which LAN client made the request without running a packet capture.


  • Is this alert taken from the WAN or LAN Snort Interface?
    WAN

    Do you have an internal DNS server, or is pfSense DNS Forwarder being used?
    DNS Forwarder

    It looks like a client requested DNS resolution to 1.1.1.0/24 and Snort is picking up the Response Back from the Net as the rule is (External > Home_Net).
    OK that makes sense

    If Snort is on the LAN side, you can see which internal LAN IP initiated the Request. If pfSense is the Forwarder, then you can't see which LAN client made the request without running a packet capture.
    I need the ability to track down what LAN client made the outgoing request. A packet capture is useless as there is only the one call out that is flagged in Snort. Maybe a proxy server is the answer. I've never configured one but maybe I will look into it unless you have any other suggestions. Thanks

  • Moderator

    I would follow Bill Meeks' advice and put most of your attention on the LAN Interface for Snort. This will give you the LAN IPs that were involved in any Alerts.

    There are quite a few threads where you can follow the recommended steps.

    You could also create a Firewall Block Rule with Logging in pfSense for the "1.1.1.0/24" and the next time the LAN client makes the request, you will be able to see who initiated the request.

    I also set up Firewall Rules so that only pfSense can go outbound on port 53 (DNS). Any LAN side clients that try to go Outbound on port 53 are rejected.


  • Is there a specific link that you are referring to regarding "Bill Meeks' advice"?

    Thanks for the other suggestions.

  • Moderator

    @Heisenberg1977:

    Is there a specific link that you are referring to regarding "Bill Meeks' advice"?

    Thanks for the other suggestions.

    Click on Bill Meeks' name, and then select "Show Posts". You can follow through on his advice in several threads. He is a wealth of knowledge!

    Here is one of them:
    https://forum.pfsense.org/index.php?topic=77952.msg425066#msg425066