
Topic: Suricata rule 1:2025146 ET DNS Query for Suspicious Domain


Offline Anergos13

Suricata rule 1:2025146 ET DNS Query for Suspicious Domain
« on: December 19, 2017, 02:56:24 am »
Hello,

Lately I am getting alerts for rule 1:2025146, and the DNS servers that I am using are getting blocked. Does anybody know how I can view those DNS queries? I tried to capture DNS traffic, but I don't have a dedicated PC for monitoring.

I am trying to understand the alert and see if it is a false positive, any help is appreciated.


Thank you very much.
« Last Edit: December 19, 2017, 07:13:36 am by Anergos13 »

Offline NogBadTheBad

Re: Suricata rule 1:2025146 ET DNS Query for Suspicious Domain
« Reply #1 on: December 19, 2017, 03:04:51 am »
Does Suricata capture the offending packet?

Snort does.

ET DNS Query for Suspicious .gr.com Domain (gr.com in DNS Lookup)

LOL Suspicious indeed, any random hostname returns 72.34.38.11 :-

mac-pro:~ andy$ nslookup qjkcvjhads.gr.com
Server:      xxxxxxxxxx
Address:   xxxxxxxxxx#53

Non-authoritative answer:
Name:   qjkcvjhads.gr.com
Address: 72.34.38.11

mac-pro:~ andy$ nslookup kfvovdkjds.gr.com
Server:      xxxxxxxxxx
Address:   xxxxxxxxxx#53

Non-authoritative answer:
Name:   kfvovdkjds.gr.com
Address: 72.34.38.11

mac-pro:~ andy$
« Last Edit: December 19, 2017, 03:21:18 am by NogBadTheBad »

Offline NogBadTheBad

Re: Suricata rule 1:2025146 ET DNS Query for Suspicious Domain
« Reply #2 on: December 19, 2017, 03:34:40 am »
It could have been a host looking up *gr.com. Looks like there was an issue with the rule; try updating your rules :-

http://docs.emergingthreats.net/bin/view/Main/2025146

"This alert is generating ~30+ false positives per hour in our IDS because it is hitting on any domain ending in "gr.com" instead of the actual domain of ".gr.com" such as angr.com or pulsemgr.com. Please change to 'content:".gr.com".'"

Offline ecfx

Re: Suricata rule 1:2025146 ET DNS Query for Suspicious Domain
« Reply #3 on: December 19, 2017, 05:03:42 am »
It looks like the rule was corrected:
Code:
alert dns $HOME_NET any -> any any (msg:"ET DNS Query for Suspicious .gr.com Domain (gr .com in DNS Lookup)"; dns_query; content:".gr.com"; isdataat:!1,relative; metadata: former_category DNS; reference:url,www.domain.gr.com; classtype:bad-unknown; sid:2025146; rev:3; metadata:created_at 2017_12_12, updated_at 2017_12_18;)

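To illustrate the difference between the original and the rev:3 rule that NogBadTheBad and ecfx describe above, here is an added example (not Suricata code and not from anyone in this thread) that emulates how the two `content` matches behave against the `dns_query` buffer. The one modelling assumption is that `content:".gr.com"; isdataat:!1,relative;` is equivalent to "the query name ends in `.gr.com`", which is how Suricata evaluates a content match followed by a relative negated isdataat; the query names are constructed from the thread and the quoted ET issue.

```python
"""Emulate ET rule 2025146 matching on Suricata's dns_query buffer.

Constructed example for this thread, not Suricata code. Two behaviours are
modelled:
  original: content:"gr.com"  -> substring match anywhere in the query name
  rev 3:    content:".gr.com"; isdataat:!1,relative;
            -> ".gr.com" must be present with no byte after it (a suffix match)
"""

# Constructed query names: the random labels tested in the thread, the two
# false-positive domains quoted from the ET issue, and two edge cases.
SAMPLE_QUERIES = [
    "qjkcvjhads.gr.com",        # wildcard subdomain: alerts under both rules
    "kfvovdkjds.gr.com",
    "angr.com",                 # false positive under the original rule
    "pulsemgr.com",             # false positive under the original rule
    "gr.com",                   # apex only: no leading dot, rev 3 is silent
    "host.gr.com.example.net",  # ".gr.com" present but bytes follow it
]


def old_rule_matches(qname: str) -> bool:
    """Original behaviour: unanchored content:"gr.com"."""
    return "gr.com" in qname.lower()


def fixed_rule_matches(qname: str) -> bool:
    """rev 3 behaviour: content:".gr.com" with isdataat:!1,relative.

    The dns_query buffer carries the name without a trailing dot, so a
    trailing dot in a captured name is stripped before comparing.
    """
    name = qname.lower().rstrip(".")
    return name.endswith(".gr.com")


def compare_rules(queries=SAMPLE_QUERIES):
    """Return {query: (original_rule_alerts, rev3_rule_alerts)}."""
    return {q: (old_rule_matches(q), fixed_rule_matches(q)) for q in queries}


def false_positives(queries=SAMPLE_QUERIES):
    """Names the original rule alerted on that the corrected rule ignores."""
    return [q for q in queries
            if old_rule_matches(q) and not fixed_rule_matches(q)]


if __name__ == "__main__":
    for q, (old, new) in compare_rules().items():
        print(f"{q:28} original={old!s:5} rev3={new!s:5}")
```
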
Offline Anergos13

Re: Suricata rule 1:2025146 ET DNS Query for Suspicious Domain
« Reply #4 on: December 19, 2017, 07:27:11 am »
NogBadTheBad and ecfx thank you for your instant reply.

The site of Emerging Threats is very useful.