I just want to let you know that I gave up and exchanged the XG for a UTM. I have not had a false positive since, or any other issue.
I ended up with two problems with the XG,
The UTM uses the exact same hardware.
Hi Peter,
I would need to collect the logs and submit them to the concerned team.
Could you take a PCAP of the same for host 8.8.8.8?
Aditya Patel said:
Could you take a PCAP of the same for host 8.8.8.8
How do I do the equivalent of tcpdump port xxxxxx in the device console? Or how can I avoid the permission issues in the advanced/shell console?
Here is one example I managed to trap in the web interface:
Ethernet Header
Source MAC Address: 80:2a:a8:4c:66:d3
Destination MAC Address: 00:97:82:ae:83:e7
Ethernet Type: IPv4 (0x800)
IPv4 Header
Source IP Address: 8.8.8.8
Destination IP Address: 192.168.1.47
Protocol: UDP
Header Length: 20 Bytes
Type of Service: 32
Total Length: 85 Bytes
Identification: 37379
Fragment Offset: 0
Time to Live: 56
Checksum: 7822
UDP Header
Source Port: 53
Destination Port: 1738
Length: 65
Checksum: 59675
0x0000: 4520 0055 9203 0000 3811 1e8e 0808 0808 E..U....8.......
0x0010: c0a8 012f 0035 06ca 0041 e91b 3412 8180 .../.5...A..4...
0x0020: 0001 0001 0000 0000 0377 7777 0361 7069 .........www.api
0x0030: 0369 6e67 0763 6172 7269 6572 0363 6f6d .ing.carrier.com
0x0040: 0000 0100 01c0 0c00 0100 0100 0000 3400 ..............4.
0x0050: 0480 0b8a 1f .....
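As an added example (not part of the post above or of any Sophos tooling), here is a small Python parser for the hex dump in that post. It decodes the IPv4, UDP and DNS layers from the raw bytes and recomputes both the IP header checksum and the UDP pseudo-header checksum, so the header summary shown above can be checked against the bytes rather than taken on trust. The hex constant is copied from the dump above without the offset and ASCII columns; all function and field names are my own.

```python
import ipaddress
import struct

# Hex dump from the capture posted above (IPv4 header onward), copied without
# the offset and ASCII columns. The Ethernet header is not part of the dump.
HEXDUMP = """
4520 0055 9203 0000 3811 1e8e 0808 0808
c0a8 012f 0035 06ca 0041 e91b 3412 8180
0001 0001 0000 0000 0377 7777 0361 7069
0369 6e67 0763 6172 7269 6572 0363 6f6d
0000 0100 01c0 0c00 0100 0100 0000 3400
0480 0b8a 1f
"""


def hexdump_to_bytes(dump):
    """Turn whitespace-separated hex words into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def inet_checksum(data):
    """RFC 1071 one's-complement checksum. Over a block that already carries a
    correct checksum field the result is 0, which is how we verify below."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def read_name(msg, off):
    """Decode a DNS name at msg[off], following RFC 1035 compression pointers.
    Returns (name, offset just past the name at its original position)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer
            hops += 1
            if hops > 16:                      # guard against pointer loops
                raise ValueError("DNS name pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_packet(raw):
    """Decode IPv4 + UDP + DNS from raw bytes and verify both checksums."""
    version, ihl = raw[0] >> 4, (raw[0] & 0x0F) * 4
    if version != 4:
        raise ValueError("not IPv4")
    tos, total_len, ident, frag, ttl, proto, ip_csum = struct.unpack("!BHHHBBH", raw[1:12])
    if proto != 17:
        raise ValueError("not UDP")
    ip = {
        "src": str(ipaddress.IPv4Address(raw[12:16])),
        "dst": str(ipaddress.IPv4Address(raw[16:20])),
        "tos": tos, "total_length": total_len, "id": ident,
        "frag_offset": frag & 0x1FFF, "ttl": ttl, "checksum": ip_csum,
        "checksum_ok": inet_checksum(raw[:ihl]) == 0,
    }
    udp = raw[ihl:total_len]
    sport, dport, ulen, ucsum = struct.unpack("!HHHH", udp[:8])
    # The UDP checksum also covers a pseudo-header: addresses, zero, protocol, length.
    pseudo = raw[12:20] + struct.pack("!BBH", 0, proto, ulen)
    udp_info = {
        "sport": sport, "dport": dport, "length": ulen, "checksum": ucsum,
        "checksum_ok": inet_checksum(pseudo + udp[:ulen]) == 0,
    }
    dns = udp[8:ulen]
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", dns[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(dns, off)
        qtype, qclass = struct.unpack("!HH", dns[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = read_name(dns, off)
        rtype, rclass, rttl, rdlen = struct.unpack("!HHIH", dns[off:off + 10])
        off += 10
        rdata = dns[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:          # A record: render as dotted quad
            rdata = str(ipaddress.IPv4Address(rdata))
        answers.append((name, rtype, rclass, rttl, rdata))
    dns_info = {
        "id": txid, "is_response": bool(flags & 0x8000),
        "rcode": flags & 0x000F, "ancount": an,
        "questions": questions, "answers": answers,
    }
    return {"ip": ip, "udp": udp_info, "dns": dns_info}


if __name__ == "__main__":
    for layer, fields in parse_packet(hexdump_to_bytes(HEXDUMP)).items():
        print(layer, fields)
```

Run as-is it decodes the posted bytes: a response (QR bit set, rcode 0) from 8.8.8.8:53 to 192.168.1.47:1738 answering an A query for www.api.ing.carrier.com, with both the IP and UDP checksums verifying. Nothing in the packet is malformed, so whatever the IPS signature keys on is not a header error; a capture filtered on 'port 53' that also contains the outgoing query would let you check that the transaction ID and destination port of this response match the query that the client actually sent.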
Hi,
For me too, for a long time the IPS log has generated thousands of "DNS-PROTOCOL SPOOF ..." messages. The IPS error applies to any query to the DNS server, not only Google DNS. Luckily, it's just a "detect" and not a "drop". I hoped the new version, SFOS 16.5.3 MR-3, would solve the problem, but unfortunately not. I now have IPS signatures 3.13.45.
Regards
Jan
Hi All,
To take a PCAP from your XG, you may need to conduct the following steps:
Step 1: Capture the traffic via tcpdump
console> tcpdump filedump verbose count 10000 'host 1.1.1.1 -s0'
# where 1.1.1.1 is the host address you would monitor; for this issue, 8.8.8.8.
Step 2: Execute the following command in the shell access option 5-3:
# mount -w -o remount /
Step 3: Copy the file to a different path:
# cp /tmp/data/tcpdump.pcap /usr/share/userportal/tcpdump.pcap
Step 4: Download the file from your XG user portal via the URL:
https://<Your XG interface address>/tcpdump.pcap
Aditya Patel said:
console> tcpdump filedump verbose count 10000 'host 1.1.1.1 -s0' # where 1.1.1.1 is the host address you would monitor; for this issue, 8.8.8.8.
Is there a way to specify UDP and the port on this? Should I add 'udp port xxxx'? (What does the ' do?) I ask because there is a lot of other traffic going to and from 8.8.8.8 that we don't need to capture. (Better yet, is there a list of all the tcpdump options that the one through the standard console will support?)
--edit--
Oh, I see, the single ' lets me pass standard tcpdump command-line params. OK, I am generating with UDP set but not the port set, in case you need more info.
----edit2---
Captured and sent as a PM to Aditya, thanks!
Hi Alex,
Thank you for the PCAP. Could you share the logs from the reports that were detected? That should help us analyze the logs.
As for the port, you may use: console> tcpdump filedump verbose count 10000 'port 53 -s0' # where 53 is the port you would monitor for DNS queries.
Hi guys,
I put my XG online again after adding VLANs and VoIP phones.
I think you are looking in the wrong place for the DNS errors. My XG is reporting DNS errors for port 53, IMAPS and a host of other ports.
I have included the daily report; it shows the attacking servers as being my ISP's DNS. I will change the DNS and see if that reduces the attack reports.