[Oisf-users] What does this message mean?

robert.jamison at bt.com robert.jamison at bt.com
Mon Jun 29 18:35:49 EDT 2015


>>How is this a problem?
If the response triggering this alert is indeed to a legitimate DNS request, your IDS might only be seeing traffic going one-way across a network span *this is more frequently seen with half-open SYN alerts*

>> What kind of attack or intrusion is implied by a (seemingly) spurious response?
Too many of these and you could have a DoS condition; https://www.us-cert.gov/ncas/alerts/TA13-088A
Could also be an attacker probing to see how devices on the network respond to unsolicited DNS responses.

Then there are the specific BIND vulnerabilities here, but most of them are for crafted packets (which the responses may be IN ADDITION to the fact they were unsolicited):

https://kb.isc.org/article/AA-00913/0/BIND-9-Security-Vulnerability-Matrix.html

Rob
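To make the two explanations above concrete, here is an added example (my own code, not Suricata's and not from anyone on this list) that replays the matching idea behind the unsolicited-response event over a constructed, simplified DNS event log: a response is only "solicited" if a query with the same client/server pair, transaction id and name was seen first. Matching on those four fields is an assumption for illustration; Suricata does its own matching inside the flow.

```python
"""Classify DNS responses as solicited or unsolicited, then triage the
unsolicited ones into the cases discussed in the thread."""
from collections import defaultdict

# Constructed sample events (not real Suricata output), one record per DNS
# message, fields loosely modelled on Suricata's eve.json "dns" object.
SAMPLE_EVENTS = [
    {"type": "query",  "src": "10.0.0.5", "dst": "8.8.8.8", "tx_id": 100, "rrname": "example.com"},
    {"type": "answer", "src": "8.8.8.8", "dst": "10.0.0.5", "tx_id": 100, "rrname": "example.com"},
    # Answer with no matching query: one-way visibility or truly unsolicited
    {"type": "answer", "src": "8.8.8.8", "dst": "10.0.0.5", "tx_id": 101, "rrname": "example.org"},
    # Burst of answers to a host that never asked, from several resolvers
    {"type": "answer", "src": "1.1.1.1", "dst": "10.0.0.9", "tx_id": 7, "rrname": "isc.org"},
    {"type": "answer", "src": "9.9.9.9", "dst": "10.0.0.9", "tx_id": 7, "rrname": "isc.org"},
    {"type": "answer", "src": "8.8.4.4", "dst": "10.0.0.9", "tx_id": 7, "rrname": "isc.org"},
]

def _key(ev):
    # Normalise both directions to (client, server, tx_id, rrname)
    if ev["type"] == "query":
        return (ev["src"], ev["dst"], ev["tx_id"], ev["rrname"])
    return (ev["dst"], ev["src"], ev["tx_id"], ev["rrname"])

def classify(events):
    """Return (solicited, unsolicited) lists of answer events."""
    pending, solicited, unsolicited = set(), [], []
    for ev in events:
        key = _key(ev)
        if ev["type"] == "query":
            pending.add(key)
        elif key in pending:
            pending.discard(key)  # one query satisfies one answer
            solicited.append(ev)
        else:
            unsolicited.append(ev)
    return solicited, unsolicited

def triage(events, burst_threshold=3):
    """Per-client verdict: many distinct servers answering a host that never
    asked looks like reflection/DoS traffic; a host from which the sensor saw
    no queries at all points at one-way visibility on the span."""
    _, unsolicited = classify(events)
    seen_query_from = {ev["src"] for ev in events if ev["type"] == "query"}
    by_client = defaultdict(set)
    for ev in unsolicited:
        by_client[ev["dst"]].add(ev["src"])
    verdicts = {}
    for client, servers in by_client.items():
        if len(servers) >= burst_threshold:
            verdicts[client] = "possible reflection/DoS burst"
        elif client not in seen_query_from:
            verdicts[client] = "no queries seen from client: check one-way visibility"
        else:
            verdicts[client] = "isolated unsolicited response: investigate"
    return verdicts
```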

-----Original Message-----
From: oisf-users-bounces at lists.openinfosecfoundation.org [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of James Moe
Sent: Monday, June 29, 2015 6:21 PM
To: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] What does this message mean?

On 06/29/2015 11:01 AM, Andreas Moe wrote:
> Firstly the rule itself in the suricata rules folder (as defined in 
> the suricata config) will show what this rule will trigger on.
> 
alert dns any any -> any any (msg:"SURICATA DNS Unsollicited response"; flow:to_client; app-layer-event:dns.unsollicited_response; sid:2240001; rev:1;)
  The rule says the same thing as the comment (also misspelled). No further info here.
  The docs say much the same as your post: "Look at the rule; it is so informative."

> Comments are usualy provided [...]
> 
  Not in this case. Or most other rules that I have read.
  My questions are:
- How is this a problem?
- What kind of attack or intrusion is implied by a (seemingly) spurious response?

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936