False positives in log for dns

Attack : PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority
Receiving thousands of these, coming from my 2 inside DNS servers. What is causing this alert?


  • Not sure on this either, seeing a ton of them on my 310 at work, but mine are all from Google DNS.


  • Hi folks,

    There is an existing thread on the subject, not quite as bad as yours, but it still has been happening for a number of releases.

  • Aditya Patel said:

     

    Could you take a PCAP of the same for host 8.8.8.8?

     
    The buffer in the log PCAP UI fills up so fast that it isn't trapping these items. Can I increase the buffer, or make sure the buffer only captures from a specific src/dst?
  • How do I do the equivalent of tcpdump port xxxxxx in the device console? Or how can I avoid the permissions issues in the advanced/shell console?

  • Here is one example I managed to trap in the web interface:

     

    Ethernet Header
    Source MAC Address: 80:2a:a8:4c:66:d3
    Destination MAC Address: 00:97:82:ae:83:e7
    Ethernet Type: IPv4 (0x800)

    IPv4 Header
    Source IP Address: 8.8.8.8
    Destination IP Address: 192.168.1.47
    Protocol: UDP
    Header: 20 Bytes
    Type of Service: 32
    Total Length: 85 Bytes
    Identification: 37379
    Fragment Offset: 0
    Time to Live: 56
    Checksum: 7822

    UDP Header
    Source Port: 53
    Destination Port: 1738
    Length: 65
    Checksum: 59675

     

           0x0000: 4520 0055 9203 0000 3811 1e8e 0808 0808 E..U....8.......
           0x0010: c0a8 012f 0035 06ca 0041 e91b 3412 8180 .../.5...A..4...
           0x0020: 0001 0001 0000 0000 0377 7777 0361 7069 .........www.api
           0x0030: 0369 6e67 0763 6172 7269 6572 0363 6f6d .ing.carrier.com
           0x0040: 0000 0100 01c0 0c00 0100 0100 0000 3400 ..............4.
           0x0050: 0480 0b8a 1f .....
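    The dump above is enough to see why a legitimate Google reply trips this signature. The following parser is an added example (not posted by anyone in this thread and not Sophos code): it decodes the IP/UDP/DNS bytes transcribed from that dump and checks the two conditions the alert name describes, an answer TTL of at most one minute and an empty authority section. The 60-second threshold is my reading of the alert name, not the vendor's rule.

```python
import struct

# Bytes transcribed from the hex dump posted earlier in this thread (IP header
# onward, ASCII column dropped): a DNS response from 8.8.8.8:53 to 192.168.1.47.
PACKET_HEX = ("452000559203000038111e8e08080808" "c0a8012f003506ca0041e91b34128180"
              "00010001000000000377777703617069" "03696e67076361727269657203636f6d"
              "0000010001c00c000100010000003400" "04800b8a1f")

def read_name(msg, off):
    """Return (dotted name, offset after it), following RFC 1035 compression pointers."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # 2-byte compression pointer
            end = end if end is not None else off + 2
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln

def parse_dns_response(packet):
    """Parse IPv4 -> UDP -> DNS and return the fields the IPS alert is keyed on."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17:
        raise ValueError("not a UDP packet")
    dns = packet[ihl + 8:]                          # skip the 8-byte UDP header
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", dns[:12])
    off = 12
    for _ in range(qd):                             # question section
        _, off = read_name(dns, off)
        off += 4                                    # QTYPE + QCLASS
    answers = []
    for _ in range(an):                             # answer section
        name, off = read_name(dns, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", dns[off:off + 10])
        off += 10
        rdata = dns[off:off + rdlen]
        off += rdlen
        ip = ".".join(map(str, rdata)) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "rdata": ip})
    return {"is_response": bool(flags & 0x8000), "ancount": an, "nscount": ns,
            "answers": answers}

def matches_spoof_signature(info, max_ttl=60):
    """Assumed reading of the alert name: a response with no authority RRs whose
    answer TTL is at most one minute (max_ttl is an assumption, not the vendor's rule)."""
    return (info["is_response"] and info["nscount"] == 0
            and any(a["ttl"] <= max_ttl for a in info["answers"]))
```

    On this packet the single A record for www.api.ing.carrier.com carries a 52-second TTL and NSCOUNT is 0, so both conditions hold; public resolvers such as 8.8.8.8 routinely return short-TTL answers with no authority section, which is why the alert fires on normal traffic.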

  • Hi,

    For me too, for a long time the IPS log has generated thousands of "DNS-PROTOCOL SPOOF ...." messages. The IPS error applies to any query to the DNS server, not only Google DNS. Luckily, it's just a "detect" and not a "drop." I hoped the new version SFOS 16.5.3 MR-3 would solve the problem, but unfortunately not. I now have IPS signatures 3.13.45.


    Regards
    Jan

  • Hi All, 

    To take a PCAP from your XG, you may need to conduct the following steps:

    Step 1: Capture the traffic via tcpdump

    console>tcpdump filedump verbose count 10000 'host 1.1.1.1 -s0 #where 1.1.1.1 is the host address you would monitor, for this issue 8.8.8.8.

    Step 2: Execute the command in Shell access option 5-3

    #mount -w -o remount /

    Step 3: Copy the File to a different path 

    #cp /tmp/data/tcpdump.pcap /usr/share/userportal/tcpdump.pcap

    Step 4: Download the file from your XG user portal via the URL:

    https://<Your XG interface address>/tcpdump.pcap

  • Aditya Patel said:
    console>tcpdump filedump verbose count 10000 'host 1.1.1.1 -s0 #where 1.1.1.1 is the host address you would monitor, for this issue 8.8.8.8.

     

    Is there a way to specify UDP and the port on this? Should I add 'UDP 'port xxxx? (What does the ' do?) I ask because there is a lot of other traffic going to and from 8.8.8.8 that we don't need to capture. (Better yet, is there a list of all the tcpdump options that the one through the standard console will support?)

     

    --edit--

    Oh, I see: the single ' lets me pass standard tcpdump command-line params. OK, I am generating with UDP set but not the port set, in case you need more info.

     

    ----edit2---

    Captured and sent as a PM to Aditya, thanks!

  • Hi Alex,

    Thank you for the PCAP. Could you share the logs from the reports that were detected? That should help us analyze the logs.

    As for the port, you may use console>tcpdump filedump verbose count 10000 'port 53 -s0 #where 53 is the port you would monitor for DNS queries.

  • Hi guys,

    I put my XG on line again after adding VLANs and VoIP phones.

    I think you are looking at the wrong place for the DNS errors. My XG is reporting DNS errors for port 53, IMAPS and a host of other ports.

    I have included the daily report; it shows the attacking servers as being my ISP DNS. I will change the DNS and see if that reduces the attack reports.

    3806.DNS error report.pdf

  • Further update. Since removing Google DNS from my XG, the DNS attacks on my users and on the ISP DNS have dropped significantly. Or has Sophos published updated signatures without telling us in this thread?

  • It seems that the IPS signatures have been repaired. The current version
    3.13.49, since 2.05.2017, doesn't generate "DNS-PROTOCOL SPOOF ...." messages.
     
    Regards
    Jan