Snort mailing list archives
Re: Question about SO Rule 3:21355
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 6 Sep 2013 16:10:30 -0400
Send it to Patrick and he can take a look. I think he wrote the rule :)

On Sep 6, 2013, at 3:39 PM, Jeremy Hoel <jthoel () gmail com> wrote:

Joel, would you like me to send you a small pcap that shows this problem happening? It seems to be a FP, but if it's a known problem, then maybe we'll disable this.

Thanks

On Thu, Sep 5, 2013 at 8:05 PM, Jeremy Hoel <jthoel () gmail com> wrote:

Ok.. so looking at the source and your email, we're talking about the transaction id being different between the query and the response. Well, then we have another odd issue, because in these cases, it's the same.

When we have the full pcap (a few minutes before and after), we can trigger the following alerts:

09/05-15:28:49.843677 [**] [3:21355:2] BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 170.149.173.133:53 -> xxx.yyy.152.55:51813
09/05-15:28:50.851973 [**] [3:21355:2] BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 170.149.173.133:53 -> xxx.yyy.152.55:51397
09/05-15:29:02.068531 [**] [3:21355:2] BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 170.149.172.100:53 -> xxx.yyy.152.55:52716

and when we filter the pcap to just show these 6 sessions (3 request, 3 response) the rule doesn't fire (so yeah, that's odd). And of course, with the same txid, it shouldn't fire at all.

I've attached screenshots showing the query and response info from wireshark.

On Thu, Sep 5, 2013 at 3:42 PM, Joel Esler <jesler () sourcefire com> wrote:

Jeremy,

We'll make sure the information is also put into documentation form for the SID.

On Thu, Sep 5, 2013 at 11:02 AM, Jeremy Hoel <jthoel () gmail com> wrote:

Patrick, thank you for the reminder.. we have source! I keep forgetting to go there and look for answers. Thanks for the quick response and overview. Mental note to self..

So, to provide more information:

1 - Before yesterday, we had never gotten this alert before, ever.
2 - As of this morning we have about 120 alerts for this signature (1:21355). At first it was just 5 DC's that had been providing DNS at some offices (out of 40+). It was limited to just NYT domains. This morning we see more events from some other domains and one more site.

3 - We (as far as I get from the operation Team) hadn't changed our DNS settings. Our DC's send requests up to 4 central DC's and those 4 do caching and send new requests out to a parent domain that should provide the info. What we are seeing is that for the NYT domains, the 4 local DC's gave server failure errors and then the originating DC made the DNS request directly to NYTs for the answer. We still are trying to figure out how the DC got the IP for the NYT server, since it isn't supposed to be doing root lookup or have root hints.

4 - Oddly enough, after the DNS request came back, for the next two hours, no one sent any traffic to the returned IP address. So if a client was asking to go to www.nyt, after it got the answer, it never went. I need to see about these new domains today to see if that still holds true.

5 - If we were under attack, the source of the replies should be different from the requested domain, right? I mean, in this case, the IP of the reply was from the NYT block of IP space, and the new alerts this morning are from different IPs and my guess is they will be from the requested domains.

6 - I asked my ops people to make sure the servers are patched and while they think it is, they are going to get back to me.

On Thu, Sep 5, 2013 at 1:23 PM, Patrick Mullen <pmullen () sourcefire com> wrote:

Jeremy,

Thank you for your query. Before I begin, I would like to remind everyone that the purpose of Shared Object Rules is to provide the ability to write rules in C, not to obfuscate detection. At this point, most SO Rules are open source.
The source for this particular rule is in bad-traffic_dns-spoof-mismatched-txid.c and as it happens that file has several paragraphs at the beginning explaining what it does at length.

In short, the rule (pair of rules, technically) looks for a DNS reply where the TXID is different than the query(ies) we have on record. This is why you see the alert on the reply, not the query. All of this is explained more fully in the comment at the top of the source as well as a known potential for FPs.

But that being said, the rules have a pretty good tolerance for FPs. Your email says nothing about how many alerts you've been getting or if this is a new thing. If you are getting a lot of alerts, are you sure you're not under attack? Did you recently change your internal dns server to not cache? Are your users just suddenly all going to NYTimes.com at the same time due to recent developments around the world?

Thanks,

~Patrick

On Wed, Sep 4, 2013 at 6:46 PM, Jeremy Hoel <jthoel () gmail com> wrote:

We started seeing this today from some of our DC's when doing lookups to various nytimes.com sites

The MS Bulletin references issues with Exchange and SMTP and the CVE references the DNS lookup in the smtpsvc.dll in regards to dns caching poisoning.

We are only seeing these for responses from the NYT DNS servers, which is also odd, not the original request going outbound which makes me wonder how/what in the response would trigger this?

And finally.. if the servers are patched with MS10-024, then could something else be causing the FP? Being a SO rule, I don't have much to go on.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

--
Patrick Mullen
Response Research Manager
Sourcefire VRT

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

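An added example, not part of the thread and not the SO rule's source: a small Python triage script that re-checks DNS replies against the queries seen on the same client port, separating a genuine TXID mismatch from a reply whose query was never captured. The flow key (client, client port, server), the verdict names and the sample packets are assumptions made for illustration.

```python
import struct

def dns_header(payload):
    """Return (txid, is_response) from the fixed 12-byte DNS header."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & 0x8000)  # QR bit set => response

def check_replies(packets):
    """packets: (ts, src, sport, dst, dport, udp_payload) in capture order.
    Returns [(ts, verdict, txid)] for every DNS reply seen."""
    pending = {}  # (client, client_port, server) -> set of outstanding TXIDs
    results = []
    for ts, src, sport, dst, dport, payload in packets:
        try:
            txid, is_reply = dns_header(payload)
        except ValueError:
            continue  # not enough bytes to be a DNS message
        if not is_reply:
            pending.setdefault((src, sport, dst), set()).add(txid)
            continue
        outstanding = pending.get((dst, dport, src))
        if not outstanding:
            verdict = "no-query-on-record"  # query not captured, or already answered
        elif txid in outstanding:
            outstanding.discard(txid)
            verdict = "match"
        else:
            verdict = "mismatch"            # the condition the alert text names
        results.append((ts, verdict, txid))
    return results

def _msg(txid, reply):
    # Constructed header only: one question, no resource records.
    return struct.pack("!HHHHHH", txid, 0x8180 if reply else 0x0100, 1, 0, 0, 0)

# Constructed sample flows (documentation addresses, not from the thread's pcap).
C, S = "192.0.2.55", "198.51.100.53"
SAMPLE = [
    (1.0, C, 51813, S, 53, _msg(0x1A2B, False)),
    (1.1, S, 53, C, 51813, _msg(0x1A2B, True)),   # same TXID as the query
    (2.0, C, 51397, S, 53, _msg(0x0001, False)),
    (2.0, C, 51397, S, 53, _msg(0x0002, False)),  # retry with a new TXID
    (2.1, S, 53, C, 51397, _msg(0x0002, True)),   # answers the retry
    (2.2, S, 53, C, 51397, _msg(0x9999, True)),   # TXID that was never asked
    (3.0, S, 53, C, 52716, _msg(0x7777, True)),   # reply with no captured query
]

if __name__ == "__main__":
    for row in check_replies(SAMPLE):
        print(row)
```

Feeding it the tuples extracted from both the full and the filtered capture shows whether a reply is flagged because its TXID differs or because no matching query was on record at that point.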
Current thread:
- Question about SO Rule 3:21355 Jeremy Hoel (Sep 04)
- Re: Question about SO Rule 3:21355 Patrick Mullen (Sep 05)
- Re: Question about SO Rule 3:21355 Jeremy Hoel (Sep 05)
- Re: Question about SO Rule 3:21355 Joel Esler (Sep 05)
- Re: Question about SO Rule 3:21355 Jeremy Hoel (Sep 13)
- Re: Question about SO Rule 3:21355 Jeremy Hoel (Sep 06)
- Re: Question about SO Rule 3:21355 Joel Esler (Sep 06)
- Re: Question about SO Rule 3:21355 Jeremy Hoel (Sep 05)
- Re: Question about SO Rule 3:21355 Patrick Mullen (Sep 05)