I posted on the other post so we have one place to share the issue.
The other post is older than this one.
Regards
Thanks Aditya Patel. Let us know.
Regards
I just want to let you know that I gave up and exchanged the XG for a UTM. I have not had a false positive since, or any other issue.
I ended up with two problems with the XG,
The UTM uses the exact same hardware.
Hi Peter,
I would need to collect the logs and submit them to the team concerned.
Could you take a PCAP of the same for host 8.8.8.8?
Aditya Patel said:
Could you take a PCAP of the same for host 8.8.8.8
How do I do the equivalent of tcpdump port xxxxxx in the device console? Or how can I avoid the permission issues in the advanced/shell console?
Here is one example I managed to trap in the web interface:
Ethernet Header
  Source MAC Address: 80:2a:a8:4c:66:d3
  Destination MAC Address: 00:97:82:ae:83:e7
  Ethernet Type: IPv4 (0x800)
IPv4 Header
  Source IP Address: 8.8.8.8
  Destination IP Address: 192.168.1.47
  Protocol: UDP
  Header: 20 Bytes
  Type of Service: 32
  Total Length: 85 Bytes
  Identification: 37379
  Fragment Offset: 0
  Time to Live: 56
  Checksum: 7822
UDP Header
  Source Port: 53
  Destination Port: 1738
  Length: 65
  Checksum: 59675
0x0000: 4520 0055 9203 0000 3811 1e8e 0808 0808  E..U....8.......
0x0010: c0a8 012f 0035 06ca 0041 e91b 3412 8180  .../.5...A..4...
0x0020: 0001 0001 0000 0000 0377 7777 0361 7069  .........www.api
0x0030: 0369 6e67 0763 6172 7269 6572 0363 6f6d  .ing.carrier.com
0x0040: 0000 0100 01c0 0c00 0100 0100 0000 3400  ..............4.
0x0050: 0480 0b8a 1f                             .....
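An added example, not from the original post or from Sophos: a small Python decoder for the packet pasted above. It rebuilds the 85-byte IPv4 datagram from the hex dump (the Ethernet header is not in the dump), recomputes the IP and UDP checksums, and walks the DNS message, following the c0 0c compression pointer in the answer, so the transaction ID, question, answer and TTL can be read off and compared with what the IPS log line reports. It does not know what the DNS-PROTOCOL SPOOF signature actually tests; its "answer matches question" field is a generic sanity check, not the vendor's logic.

```python
"""Decode the DNS reply 8.8.8.8 -> 192.168.1.47 pasted in the thread and verify its checksums."""
from __future__ import annotations

import struct

# Constructed from the hex dump posted above: the 85-byte IPv4 packet, Ethernet header omitted.
POSTED_HEX = """
4520 0055 9203 0000 3811 1e8e 0808 0808
c0a8 012f 0035 06ca 0041 e91b 3412 8180
0001 0001 0000 0000 0377 7777 0361 7069
0369 6e67 0763 6172 7269 6572 0363 6f6d
0000 0100 01c0 0c00 0100 0100 0000 3400
0480 0b8a 1f
"""


def hex_to_bytes(dump: str) -> bytes:
    return bytes.fromhex("".join(dump.split()))


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Read a DNS name at offset, following RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name as it appeared in the message)."""
    labels: list[str] = []
    end = None  # where the caller resumes; fixed by the first pointer encountered
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # 11xxxxxx: two-byte pointer into the message
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:  # a malformed message could loop pointers forever
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def decode(packet: bytes) -> dict:
    """Parse IPv4 + UDP + DNS and return the fields a reviewer would compare with the IPS log."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr = packet[:ihl]
    ttl, proto = packet[8], packet[9]
    ip_csum = struct.unpack("!H", packet[10:12])[0]
    src, dst = packet[12:16], packet[16:20]
    sport, dport, ulen, udp_csum = struct.unpack("!4H", packet[ihl:ihl + 8])
    payload = packet[ihl + 8:ihl + ulen]

    # Recompute both checksums with the checksum field zeroed; UDP uses the RFC 768 pseudo-header.
    ip_ok = internet_checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:]) == ip_csum
    pseudo = src + dst + struct.pack("!BBH", 0, proto, ulen)
    udp_ok = internet_checksum(pseudo + packet[ihl:ihl + 6] + b"\x00\x00" + payload) == udp_csum

    txid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    off = 12
    questions = []
    for _ in range(qd):
        name, off = read_name(payload, off)
        qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        questions.append({"name": name, "type": qtype, "class": qclass})
    answers = []
    for _ in range(an):
        name, off = read_name(payload, off)
        rtype, rclass, rttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        rdata = payload[off:off + rdlen]
        off += rdlen
        value = ".".join(map(str, rdata)) if (rtype, rdlen) == (1, 4) else rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": rttl, "rdata": value})
    qname = questions[0]["name"] if questions else ""

    return {
        "src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)), "ttl": ttl,
        "sport": sport, "dport": dport, "ip_checksum_ok": ip_ok, "udp_checksum_ok": udp_ok,
        "txid": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0x000F,
        "qname": qname, "qtype": questions[0]["type"] if questions else None,
        "counts": (qd, an, ns, ar), "answers": answers,
        # Generic sanity check only: every answer should be for the name that was asked.
        "answer_matches_question": all(a["name"] == qname for a in answers),
        "bytes_left_over": len(payload) - off,  # non-zero means trailing data after the last RR
    }


if __name__ == "__main__":
    for key, value in decode(hex_to_bytes(POSTED_HEX)).items():
        print(f"{key:>25}: {value}")
```

Run as-is it decodes the pasted reply (transaction ID 0x3412, www.api.ing.carrier.com A 128.11.138.31, TTL 52, both checksums valid). To run it over frames from a capture, hand decode() the IPv4 bytes of each frame, i.e. strip the 14-byte Ethernet header first; reading the pcap itself is left to whatever library you already use.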
Hi,
For me, for a long time the IPS log has generated thousands of "DNS-PROTOCOL SPOOF ...." messages. The IPS error applies to any query to the DNS server, not only Google DNS. Luckily, it's just a "detect" and not a "drop". I hoped the new version, SFOS 16.5.3 MR-3, would solve the problem, but unfortunately not. I now have IPS signatures 3.13.45.
Regards
Jan
Hi All,
To take a PCAP from your XG, you may need to conduct the following steps:
Step 1: Capture the traffic via tcpdump:
console> tcpdump filedump verbose count 10000 'host 1.1.1.1 -s0'
(where 1.1.1.1 is the host address you want to monitor; for this issue, 8.8.8.8)
Step 2: Execute this command in the shell (Shell access, option 5-3):
# mount -w -o remount /
Step 3: Copy the file to a different path:
# cp /tmp/data/tcpdump.pcap /usr/share/userportal/tcpdump.pcap
Step 4: Download the file from your XG user portal via this URL:
https://<Your XG interface address>/tcpdump.pcap
Aditya Patel said:
console> tcpdump filedump verbose count 10000 'host 1.1.1.1 -s0' (where 1.1.1.1 is the host address you want to monitor; for this issue, 8.8.8.8)
Is there a way to specify UDP and the port on this? Should I add 'UDP 'port xxxx'? (What does the ' do?) I ask because there is a lot of other traffic going to and from 8.8.8.8 that we don't need to capture. (Better yet, is there a list of all the tcpdump options that the one in the standard console will support?)
--edit--
Oh, I see, the single ' lets me pass standard tcpdump command-line params. OK, I am generating with UDP set but not the port set, in case you need more info.
--edit 2--
Captured and sent as a PM to Aditya, thanks!
Hi Alex,
Thank you for the PCAP. Could you share the logs from the reports that were detected? That should help us analyze the logs.
As for the port, you may use: console> tcpdump filedump verbose count 10000 'port 53 -s0' (where 53 is the port you want to monitor for DNS queries).
Hi guys,
I put my XG online again after adding VLANs and VoIP phones.
I think you are looking in the wrong place for the DNS errors. My XG is reporting DNS errors for port 53, IMAPS and a host of other ports.
I have included the daily report; it shows the attacking servers as being my ISP's DNS. I will change the DNS and see if that reduces the attack reports.