Author Topic: Snort showing many DNS cache poisoning alerts  (Read 244 times)
Deadringers
« on: May 13, 2013, 10:33:18 am »

Hey all,

Just have seen this in my alert logs and blocked list for Snort:

Quote
1    8.8.8.8   
BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid - 05/13/13-15:37:09   
 2    216.239.32.10   
BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid - 05/13/13-16:36:28   
 3    208.78.71.100   
BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid - 05/13/13-15:41:30   
 4    205.251.193.59   
BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid - 05/13/13-15:40:18   

Quote
05/13/13-15:40:22   2   UDP   Attempted Information Leak   23.74.25.32     53   *MY*IP*   39090    3:21355:2    BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
05/13/13-15:40:18   2   UDP   Attempted Information Leak   205.251.193.59    53   *MY*IP*   17452    3:21355:2    BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
05/13/13-15:40:17   2   UDP   Attempted Information Leak   80.190.225.144    53   *MY*IP*   2030    3:21355:2    BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
05/13/13-15:39:42   2   UDP   Attempted Information Leak   80.239.171.207   53   *MY*IP*   29724    3:21355:2    BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
05/13/13-15:37:15   2   UDP   Attempted Information Leak   207.123.33.51   53   *MY*IP*   60546    3:21355:2    BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
05/13/13-15:37:09   2   UDP   Attempted Information Leak   8.8.8.8   53   *MY*IP*   47667    3:21355:2    BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid


Now I don't know of the other IPs there but I know 8.8.8.8 is Google's DNS server...
Surely they can't be providing these "bad traffic" DNS requests to me?

This has just started today - have not seen it before.


Any ideas where I can inspect these logs further?
bmeeks
« Reply #1 on: May 13, 2013, 03:35:05 pm »

Quote
Hey all,

Just have seen this in my alert logs and blocked list for Snort:

Code:
1 8.8.8.8
BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid - 05/13/13-15:37:09
 05/13/13-15:37:09 2 UDP Attempted Information Leak 8.8.8.8 53 *MY*IP* 47667 3:21355:2

Now I don't know of the other IPs there but I know 8.8.8.8 is Google's DNS server...
Surely they can't be providing these "bad traffic" DNS requests to me?

This has just started today - have not seen it before.

Any ideas where I can inspect these logs further?

I have the same Google DNS server configured in my Home network, but I do not have any of those alerts in my logs.  I just checked today a few minutes ago.  Most likely these are false positives, and they could have been triggered by a temporarily misconfigured or malfunctioning host at Google's DNS farm.  Are you still getting the alerts, or have they quieted down?  If you convince yourself they are false positives, you can add the GID:SID to the Suppress List for Snort and that will stop the alerts.

Bill
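Bill's advice above is to convince yourself the hits are false positives before suppressing the GID:SID. The following script is an added example (not from the thread or from pfSense) that parses alert lines in the tab layout shown in the posts, counts hits per signature and distinct sources, checks that every hit is a reply from UDP/53, and prints the Snort threshold.conf `suppress` syntax that the pfSense Suppress List accepts. The sample lines are constructed from the thread's entries, with 192.0.2.10 standing in for the poster's own address.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample in the pfSense Snort alert-tab layout shown in the thread:
# date, priority, proto, classification, src, sport, dst, dport, gid:sid:rev, msg.
# 192.0.2.10 (documentation range) stands in for the poster's IP.
SAMPLE_ALERTS = """\
05/13/13-15:40:22   2   UDP   Attempted Information Leak   23.74.25.32   53   192.0.2.10   39090   3:21355:2   BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
05/13/13-15:40:18   2   UDP   Attempted Information Leak   205.251.193.59   53   192.0.2.10   17452   3:21355:2   BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
05/13/13-15:37:09   2   UDP   Attempted Information Leak   8.8.8.8   53   192.0.2.10   47667   3:21355:2   BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
05/14/13-12:06:34   1   UDP   Attempted User Privilege Gain   8.8.8.8   53   192.0.2.10   48522   3:19187:2   BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt
"""


@dataclass(frozen=True)
class Alert:
    timestamp: str
    priority: int
    proto: str
    classification: str
    src: str
    sport: int
    dst: str
    dport: int
    gid: int
    sid: int
    rev: int
    msg: str


# Columns are separated by runs of two or more spaces; classification and
# message text contain single spaces only, so this split is safe.
FIELD_SPLIT = re.compile(r"\s{2,}")


def parse_alert_line(line):
    fields = FIELD_SPLIT.split(line.strip())
    if len(fields) != 10:
        raise ValueError(f"unexpected field count {len(fields)}: {line!r}")
    ts, prio, proto, cls, src, sport, dst, dport, sig, msg = fields
    gid, sid, rev = (int(x) for x in sig.split(":"))
    return Alert(ts, int(prio), proto, cls, src, int(sport), dst, int(dport),
                 gid, sid, rev, msg)


def parse_alerts(text):
    return [parse_alert_line(l) for l in text.splitlines() if l.strip()]


def summarize(alerts):
    """Hit count per (gid, sid) and the set of distinct source IPs per signature."""
    by_sig = Counter((a.gid, a.sid) for a in alerts)
    sources = defaultdict(set)
    for a in alerts:
        sources[(a.gid, a.sid)].add(a.src)
    return by_sig, sources


def all_from_dns_port(alerts, gid, sid):
    """True when every hit for this signature is a UDP reply from port 53,
    i.e. traffic from resolvers we asked rather than unsolicited packets."""
    hits = [a for a in alerts if (a.gid, a.sid) == (gid, sid)]
    return bool(hits) and all(a.proto == "UDP" and a.sport == 53 for a in hits)


def suppress_entry(gid, sid, src=None):
    """Snort threshold.conf suppress line; optionally limited to one source IP."""
    base = f"suppress gen_id {gid}, sig_id {sid}"
    return base if src is None else f"{base}, track by_src, ip {src}"


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    counts, srcs = summarize(alerts)
    for (gid, sid), n in counts.most_common():
        print(f"{gid}:{sid}  hits={n}  sources={sorted(srcs[(gid, sid)])}")
    # Suppress the whole signature only if every hit came from a resolver reply.
    if all_from_dns_port(alerts, 3, 21355):
        print(suppress_entry(3, 21355))
    # Narrower alternative: suppress only for one known-good resolver.
    print(suppress_entry(3, 21355, "8.8.8.8"))
```

The `track by_src` form is the safer choice when only a handful of known resolvers trigger the signature: it keeps the rule active for everything else instead of silencing it globally.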
Deadringers
« Reply #2 on: May 13, 2013, 03:41:13 pm »

Thanks for the feedback - they have been showing all day so no idea why...
I'll keep the DNS alerts off for now but will re-instate them tomorrow and see what happens.
Deadringers
« Reply #3 on: May 14, 2013, 05:58:14 am »

Hey all.

Still getting these alerts...are there any further logs that I can enable or look at? 

It is weird that I am getting these and no one else is?

Quote
05/14/13-12:07:09   2   UDP   Attempted Information Leak   69.147.237.99    53   213.123.237.9   60119    3:21355:2    BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
05/14/13-12:06:34   1   UDP   Attempted User Privilege Gain   8.8.8.8     53   213.123.237.9   48522    3:19187:2    BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt
05/14/13-12:05:24   2   UDP   Attempted Information Leak   95.211.9.35     53   213.123.237.9   56707    3:21355:2    BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
05/14/13-12:04:37   2   UDP   Attempted Information Leak   65.19.178.10   53   213.123.237.9   41518    3:21355:2    BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
05/14/13-12:04:37   2   UDP   Attempted Information Leak   213.254.245.7   53   213.123.237.9   36354    3:21355:2    BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
05/14/13-12:04:37   2   UDP   Attempted Information Leak   109.74.194.10   53   213.123.237.9   53521    3:21355:2    BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
05/14/13-12:04:37   2   UDP   Attempted Information Leak   96.7.49.64   53   213.123.237.9   28315    3:21355:2    BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
05/14/13-12:04:36   2   UDP   Attempted Information Leak   69.171.239.11   53   213.123.237.9   6915    3:21355:2    BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid

Quote
1    8.8.8.8   
BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid - 05/14/13-12:02:37
BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt - 05/14/13-12:06:34   
 2    95.211.9.35   
BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid - 05/14/13-12:05:24   
 3    69.147.237.99   
BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid - 05/14/13-12:07:09   
3 items listed.
Deadringers
« Reply #4 on: May 14, 2013, 06:33:19 am »

Hmm, I think I may have found out what it was...

So I upgraded my ESXi guests yesterday to use the VMXNET 3 adapters rather than the E1000.

This meant I had to re-apply the config on my 2008 R2 DC to the new adapter - here I referenced that the DNS server my DC should use was its actual IP rather than its loopback.

I think this was somehow producing an incorrect result as far as Snort was concerned?

Because now I have changed it to 127.0.0.1 and I am getting no DNS errors.
bmeeks
« Reply #5 on: May 14, 2013, 12:30:34 pm »

Quote
Hmm, I think I may have found out what it was...

So I upgraded my ESXi guests yesterday to use the VMXNET 3 adapters rather than the E1000.

This meant I had to re-apply the config on my 2008 R2 DC to the new adapter - here I referenced that the DNS server my DC should use was its actual IP rather than its loopback.

I think this was somehow producing an incorrect result as far as Snort was concerned?

Because now I have changed it to 127.0.0.1 and I am getting no DNS errors.

Yep...I don't know all the super secret details of Microsoft AD servers, but I do know the domain controllers want themselves (the loopback address) for DNS.  Glad you got it sorted out.

Bill
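The alert name in this thread, "mismatched txid", refers to a DNS response whose 16-bit transaction ID does not match the query the client sent from that port. The script below is an added illustration, not Snort's rule logic and not part of the thread: it builds minimal DNS query and response packets with `struct`, tracks outstanding queries per client 4-tuple, and flags responses that arrive with no matching query or with the wrong ID. All packets and addresses (192.0.2.10 as the client, the thread's resolver IPs as servers) are constructed for the demo.

```python
import struct
from dataclasses import dataclass

# DNS header: id, flags, qdcount, ancount, nscount, arcount (RFC 1035 section 4.1.1)
DNS_HEADER = struct.Struct("!HHHHHH")


def build_query(txid, qname="example.com"):
    """Standard recursive A query for qname with the given transaction ID."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    return DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0) + question  # RD set, QR clear


def build_response(txid, qname="example.com", addr="192.0.2.1"):
    """Authoritative-looking answer carrying one A record for qname."""
    question = build_query(txid, qname)[DNS_HEADER.size:]
    # Answer: name pointer to offset 12, TYPE A, CLASS IN, TTL 300, RDLENGTH 4, RDATA
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
              + bytes(int(o) for o in addr.split(".")))
    return DNS_HEADER.pack(txid, 0x8180, 1, 1, 0, 0) + question + answer  # QR|RD|RA


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def dns_txid(payload):
    return DNS_HEADER.unpack_from(payload)[0]


def is_response(payload):
    return DNS_HEADER.unpack_from(payload)[1] & 0x8000 != 0  # QR bit


class TxidTracker:
    """Remembers the txid of each outstanding query, keyed by
    (client ip, client port, server ip), and checks responses against it."""

    def __init__(self):
        self.outstanding = {}

    def observe(self, pkt):
        """Return None for benign traffic, or a description of a suspicious response."""
        if pkt.dport == 53 and not is_response(pkt.payload):
            self.outstanding[(pkt.src, pkt.sport, pkt.dst)] = dns_txid(pkt.payload)
            return None
        if pkt.sport == 53 and is_response(pkt.payload):
            key = (pkt.dst, pkt.dport, pkt.src)
            expected = self.outstanding.get(key)
            got = dns_txid(pkt.payload)
            if expected is None:
                return f"unsolicited response from {pkt.src} txid=0x{got:04x}"
            if expected != got:
                return (f"mismatched txid from {pkt.src}: "
                        f"expected 0x{expected:04x}, got 0x{got:04x}")
            del self.outstanding[key]  # matched: query is no longer outstanding
        return None


def run_demo():
    """Constructed exchange: one clean query/response pair, then a response with the
    wrong ID, then a response from a server that was never asked."""
    client, resolver, stranger = "192.0.2.10", "8.8.8.8", "216.239.32.10"
    tracker = TxidTracker()
    flow = [
        Packet(client, 47667, resolver, 53, build_query(0x1A2B)),
        Packet(resolver, 53, client, 47667, build_response(0x1A2B)),
        Packet(client, 47667, resolver, 53, build_query(0x3C4D)),
        Packet(resolver, 53, client, 47667, build_response(0x9999)),
        Packet(stranger, 53, client, 47667, build_response(0x3C4D)),
    ]
    return [msg for msg in (tracker.observe(p) for p in flow) if msg is not None]


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The model is deliberately simple: a real resolver retries with a new ID and a sensor may only see one direction of the traffic, either of which produces spurious mismatches. That is exactly why a burst of these alerts from well-known resolvers is worth correlating with a recent change in the DNS path, as happened in this thread, before treating it as an attack.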