https://community.cisco.com/t5/endpoint-security/malware-other-dns-request-with-long-hostname-segment-detected/m-p/3193536#M4442 <P>HI all,</P> <P>&nbsp;</P> <P>I have noticed that I have many drops in Firesight Management Centre connection table.</P> <P>The drops are between my Internal DNS and ISP's dns servers.</P> <P>They are documented as "Malware-Other dns request with long hostname segment - possible data exfiltration attempt"</P> <P>Periodically i have DNS issues where internal clients web browsing is slow of fails altogether.</P> <P>Im unsure whether the browing issues are related to the connection table drops.</P> <P>Any thoughts would be appreciated.</P> <P>&nbsp;</P> <P>thanks</P> <P>&nbsp;</P> <P>Ian</P> Sat, 09 Mar 2019 01:44:36 GMT iwearing 2019-03-09T01:44:36Z https://community.cisco.com/t5/endpoint-security/malware-other-dns-request-with-long-hostname-segment-detected/m-p/3193536#M4442 <P>HI all,</P> <P>&nbsp;</P> <P>I have noticed that I have many drops in Firesight Management Centre connection table.</P> <P>The drops are between my Internal DNS and ISP's dns servers.</P> <P>They are documented as "Malware-Other dns request with long hostname segment - possible data exfiltration attempt"</P> <P>Periodically i have DNS issues where internal clients web browsing is slow of fails altogether.</P> <P>Im unsure whether the browing issues are related to the connection table drops.</P> <P>Any thoughts would be appreciated.</P> <P>&nbsp;</P> <P>thanks</P> <P>&nbsp;</P> <P>Ian</P> Sat, 09 Mar 2019 01:44:36 GMT https://community.cisco.com/t5/endpoint-security/malware-other-dns-request-with-long-hostname-segment-detected/m-p/3193536#M4442 iwearing 2019-03-09T01:44:36Z https://community.cisco.com/t5/endpoint-security/malware-other-dns-request-with-long-hostname-segment-detected/m-p/3195517#M4444 <P>hello,</P> <P>&nbsp;</P> <P>I think both would be related. Because if your internal DNS server is doing recursive query to your ISP DNS server which might be getting blocked, slow internet for users whose queries aren't solved would be expected.</P> <P>Also the rule&nbsp;</P> <TABLE class="entry-table" cellspacing="4"> <TBODY> <TR> <TD class="label">rule</TD> <TD> <P>alert udp $HOME_NET any -&gt; $EXTERNAL_NET 53 (msg:"MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt"; sid:30881; gid:3; rev:4; classtype:attempted-recon; metadata:engine shared, soid 3|30881, service dns; )</P> <P>&nbsp;</P> </TD> </TR> </TBODY> </TABLE> <P>is a pre-processor rule so you might want to investigate and check why the traffic is being blocked in first place.</P> <P>Rate if its helpful.</P> <P>Yogesh&nbsp;</P> Sun, 08 Oct 2017 08:07:59 GMT https://community.cisco.com/t5/endpoint-security/malware-other-dns-request-with-long-hostname-segment-detected/m-p/3195517#M4444 yogdhanu 2017-10-08T08:07:59Z https://community.cisco.com/t5/endpoint-security/malware-other-dns-request-with-long-hostname-segment-detected/m-p/3195834#M4445 <P>Hi Yogesh,</P> <P>&nbsp;</P> <P>Thanks for your input.</P> <P>&nbsp;</P> <P>The internal DNS servers are protected by Sophos and the server team are adamanet that there are no issues with the Internal DNS servers are blame Firesight for the DNS problems.</P> <P>&nbsp;</P> <P>Im unsure how to progress this and wonder whether I should disable this rule or not.</P> <P>&nbsp;</P> <P>Ian</P> Mon, 09 Oct 2017 08:54:38 GMT https://community.cisco.com/t5/endpoint-security/malware-other-dns-request-with-long-hostname-segment-detected/m-p/3195834#M4445 iwearing 2017-10-09T08:54:38Z https://community.cisco.com/t5/endpoint-security/malware-other-dns-request-with-long-hostname-segment-detected/m-p/3196801#M4447 <P>I too would like some further understanding as to why these happen in almost every deployment with this rule enabled in the IPS.</P> Wed, 11 Oct 2017 01:35:17 GMT https://community.cisco.com/t5/endpoint-security/malware-other-dns-request-with-long-hostname-segment-detected/m-p/3196801#M4447 g-rant 2017-10-11T01:35:17Z