RE: [security-onion] odd DNS related alerts from my sensors?


Castle, Shane

Oct 31, 2012, 3:58:29 PM
to securit...@googlegroups.com
Well, it's not "normal"; hence the alerts. What's "normal" on your network may vary, however.

You can examine the DNS logs produced by Bro and see pretty much all the DNS queries that were detected crossing your monitored interfaces. Checking them with Doug's DNS anomalies script (http://code.google.com/p/security-onion/wiki/DNSAnomalyDetection) can reveal things you had no idea were going on.

There is a shocking number of devices that don't implement DNS right, and a surprising number of admins who don't do it right, either. I had thought I was doing it right before, but since running Bro and SO, I have become more humble about that :/.

Just one example: the alert concerning localhost.DOMAIN.TLD (ET 1:2011802 it seems) indicates a device that doesn't realize that the localhost.x.x FQDN is itself, and tries to look it up in DNS. That should not happen, and so this IP address belongs to a misconfigured or broken device.

--
Shane Castle
Data Security Mgr, Boulder County IT


-----Original Message-----
From: securit...@googlegroups.com [mailto:securit...@googlegroups.com] On Behalf Of coriumintl
Sent: Wednesday, October 31, 2012 13:08
To: securit...@googlegroups.com
Subject: [security-onion] odd DNS related alerts from my sensors?

I'm not sure why I'm seeing alerts like ET POLICY Unusual number of DNS No Such Name Responses and ET DNS DNS Lookup for localhost.DOMAIN.TLD from the IPs of my sensors' management adapters.

Any feedback as to this being normal or what it might be?

--
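As an added example (not from Shane's post and not the Security Onion wiki script), here is a small Python check over a Bro-style dns.log that surfaces the two conditions behind the alerts in this thread: clients that try to resolve a localhost.DOMAIN.TLD name, and clients that collect an unusual number of NXDOMAIN ("No Such Name") responses. The log excerpt is constructed and simplified; the parser keys on the #fields header, so a real dns.log with its extra columns works the same way. The threshold of 3 is an assumption for the sample, not a value from the thread.

```python
from collections import Counter, defaultdict

# Constructed, simplified dns.log excerpt (tab-separated, Bro-style #fields header).
# A real Bro dns.log carries more columns; only the header names below are used.
SAMPLE_DNS_LOG = """\
#fields\tts\tid.orig_h\tid.resp_h\tquery\tqtype_name\trcode_name
1351712345.1\t10.0.0.5\t10.0.0.1\tlocalhost.example.org\tA\tNOERROR
1351712346.2\t10.0.0.5\t10.0.0.1\tlocalhost.example.org\tAAAA\tNOERROR
1351712347.3\t10.0.0.7\t10.0.0.1\twww.example.org\tA\tNOERROR
1351712348.4\t10.0.0.9\t10.0.0.1\txk3j.example.org\tA\tNXDOMAIN
1351712349.5\t10.0.0.9\t10.0.0.1\tq8z1.example.org\tA\tNXDOMAIN
1351712350.6\t10.0.0.9\t10.0.0.1\tmm2p.example.org\tA\tNXDOMAIN
1351712351.7\t10.0.0.7\t10.0.0.1\tmail.example.org\tA\tNOERROR
"""

def parse_dns_log(text):
    """Yield one dict per record, naming columns from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def find_dns_anomalies(text, nxdomain_threshold=3):
    """Return (localhost_lookups, noisy_nxdomain_clients).

    localhost_lookups: {client_ip: set(queries)} where the leftmost label is
    'localhost' (the ET localhost.DOMAIN.TLD case).  noisy_nxdomain_clients:
    {client_ip: count} for clients at or above the NXDOMAIN threshold.
    """
    localhost_lookups = defaultdict(set)
    nxdomain_counts = Counter()
    for rec in parse_dns_log(text):
        client = rec["id.orig_h"]
        query = rec["query"].lower().rstrip(".")
        # A bare "localhost" query is a different (and less telling) case.
        if "." in query and query.split(".")[0] == "localhost":
            localhost_lookups[client].add(query)
        if rec["rcode_name"] == "NXDOMAIN":   # Bro writes "-" when no response was seen
            nxdomain_counts[client] += 1
    noisy = {ip: n for ip, n in nxdomain_counts.items() if n >= nxdomain_threshold}
    return dict(localhost_lookups), noisy

if __name__ == "__main__":
    lh, nx = find_dns_anomalies(SAMPLE_DNS_LOG)
    for ip, names in lh.items():
        print(f"{ip} looks up localhost FQDNs: {sorted(names)}")
    for ip, n in nx.items():
        print(f"{ip} received {n} NXDOMAIN responses")
```

On a live sensor, point it at the dns.log under the Bro log directory and treat the hosts it names as the starting point for the "misconfigured or broken device" investigation Shane describes.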