I have some problems at the moment with my ASG. The IPS reports detected Conficker A/B traffic, but after some scans I am sure that there is no infection on the reported client. I captured some packets with Wireshark, and to me the reported packets look like standard DNS queries.
ASG info mail:
Intrusion Prevention Alert
An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.
Details about the intrusion alert:
Message........: BAD-TRAFFIC Conficker A/B DNS traffic detected
Details........: www.snort.org/.../15449
Time...........: 2010:12:03-08:13:57
Packet dropped.: yes
Priority.......: 1 (high)
Classification.: A Network Trojan was detected
IP protocol....: 17 (UDP)
Source IP address: 192.168.6.166
- www.dnsstuff.com/.../ptr.ch
- www.ripe.net/.../whois
- ws.arin.net/.../whois.pl
- cgi.apnic.net/.../whois.pl
Source port: 63187
Destination IP address: 192.168.6.66 (thor)
- www.dnsstuff.com/.../ptr.ch
- www.ripe.net/.../whois
- ws.arin.net/.../whois.pl
- cgi.apnic.net/.../whois.pl
Destination port: 53 (domain)
--
System Uptime : 1 days 17 hours 54 minutes
System Load : 0.08
System Version : Astaro Security Gateway Software 8.003
Please refer to the manual for detailed instructions.
The UDP packet from port 63187 in Wireshark:
see attached image
It only seems to happen while looking up the A record of mscrl.microsoft.com. I tried from other hosts in my network (including the dd-wrt router) with the same error.
The Windows client:
C:\>nslookup mscrl.microsoft.com
Server: UnKnown
Address: 192.168.6.66
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed out.
The dd-wrt router (Linux based, so not a Conficker target) just times out with no DNS response.
root@ddwrt:~# nslookup mscrl.microsoft.com
Server: 192.168.6.66
Address 1: 192.168.6.66
root@ddwrt:~#
External Linux server (not protected by the ASG):
user@srv01:~$ nslookup mscrl.microsoft.com
Server: 213.133.98.98
Address: 213.133.98.98#53
Non-authoritative answer:
mscrl.microsoft.com canonical name = certrevoc.vo.msecnd.net.
Name: certrevoc.vo.msecnd.net
Address: 94.245.68.201
Name: certrevoc.vo.msecnd.net
Address: 94.245.68.202
The ASG itself:
mscrl.microsoft.com is an alias for certrevoc.vo.msecnd.net.
certrevoc.vo.msecnd.net has address 94.245.68.172
certrevoc.vo.msecnd.net has address 94.245.68.166
I can reproduce the IPS alert on all network clients simply by invoking "nslookup mscrl.microsoft.com".
False positive, or an error in Snort?
ASG info:
IP: 192.168.6.66
Firmware version: 8.003
Pattern version: 20796
IPS: All attack patterns enabled.
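As an added example, not part of the original post: a small Python script that builds the same kind of plain DNS A query that nslookup sends for mscrl.microsoft.com and decodes it field by field, so the bytes Wireshark shows for the dropped packet can be compared with what the rule linked in the alert actually matches on. The transaction ID and the helper names are constructed for this example; only the lookup name comes from the post.

```python
"""Added example (not from the original post): build a standard DNS A
query for mscrl.microsoft.com and decode it, to check that what the
IPS dropped is an ordinary query. The transaction ID 0x1234 is a
constructed value; the name is the one from the post."""
import struct

LOOKUP_NAME = "mscrl.microsoft.com"  # name from the post


def encode_name(name: str) -> bytes:
    """Encode a dotted name into DNS label format (length byte + label, 0 terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        lab = label.encode("ascii")
        if not 1 <= len(lab) <= 63:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += struct.pack("!B", len(lab)) + lab
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, qtype: int = 1, recursion: bool = True) -> bytes:
    """Standard query: 12-byte header, one question, no answer/authority/additional records."""
    flags = 0x0100 if recursion else 0x0000  # QR=0, opcode 0, only the RD bit set
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # qclass 1 = IN


def decode_name(data: bytes, offset: int):
    """Decode a label sequence starting at offset; return (name, offset after the 0 byte)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            # Compression pointers never appear in the question of a plain query.
            raise ValueError("compression pointer in question section")
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_query(pkt: bytes) -> dict:
    """Split a DNS packet into header fields and the first question."""
    if len(pkt) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    qname, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {
        "txid": txid,
        "qr": flags >> 15,
        "opcode": (flags >> 11) & 0xF,
        "rd": (flags >> 8) & 1,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
        "qname": qname, "qtype": qtype, "qclass": qclass,
        "trailing": pkt[off + 4:],  # anything after the question (e.g. EDNS OPT record)
    }


def is_plain_a_query(pkt: bytes) -> bool:
    """True if pkt is a standard recursive A/IN query with exactly one question and nothing else."""
    try:
        q = parse_query(pkt)
    except (ValueError, IndexError, struct.error):
        return False
    return (q["qr"] == 0 and q["opcode"] == 0 and q["qdcount"] == 1
            and q["ancount"] == q["nscount"] == q["arcount"] == 0
            and q["qtype"] == 1 and q["qclass"] == 1 and not q["trailing"])


if __name__ == "__main__":
    pkt = build_query(LOOKUP_NAME)
    print("wire bytes:", pkt.hex(" "))
    for key, value in parse_query(pkt).items():
        print(f"{key:>8}: {value}")
    print("plain A query:", is_plain_a_query(pkt))
```

To check the packet the IPS actually dropped, copy the UDP payload from Wireshark as a hex stream and pass it through bytes.fromhex() to parse_query() and is_plain_a_query(). If the decoded question is the same standard A query that any resolver sends for that name, the rule is matching on bytes every client produces, which is what you would expect of a false positive; the mail itself notes the rule can be switched between "drop" and "alert only" in WebAdmin while that is sorted out.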