topic OpenDNS Connector packets in OpenDNS

OpenDNS Connector packets

mcgoosh — Wed, 06 May 2015 16:50:12 GMT

We have 4 AD servers. 2 Server 2012. 2 Server 2012 R2. I am seeing some POST (HTTP) requests to our AVs.

I just wanted to confirm that the following packets are normal in regards to the OpenDNS connector. It's setting off IDS alerts on our box with the following alert:

2015-05-06T16:06:28-05:00 snort: [1:2013926:3] ET POLICY HTTP traffic on port 443 (POST) [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.211.15:65010 -> 192.168.211.9:443

I have attached the shots from Wireshark. When I follow the TCP stream I can see the data is as same as whats in the OpenDNSAuditClient log file.

POST /connectorlog/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 192.168.211.9:8080
Content-Length: 155

LogLine=[CON=(REMOVED)]5/6/2015 4:17:49 PM: QueryADUser SAMName is: (Removed) - Returned Query is:AD_ERR_OK DN is 61826383a8c7e24bb3102d55bcabaa54 (LOG_SAT)HTTP/1.1 200 OK
Server: (removed)
Date: Wed, 06 May 2015 10:05:33 GMT
Content-Type: text/plain
Content-Length: 0
Connection: keep-alive

Info from log file:

5/6/2015 4:17:49 PM: QueryADUser SAMName is: (Removed) - Returned Query is:AD_ERR_OK DN is 61826383a8c7e24bb3102d55bcabaa54

We are a paranoid bunch around here so I just wanted to make sure everything is copacetic.

Thanks

shot2.jpg

Re: OpenDNS Connector packets

alexahar — Wed, 06 May 2015 20:00:23 GMT

That packet info looks right as it's gathering the audit log event from the DCs and pulling it into the OpenDNS setup on port 8080 which is the expected port between Connector and DC. The Connector will connect to each DC as well as each VA with a sync every login event.

Re: OpenDNS Connector packets

mcgoosh — Wed, 06 May 2015 20:24:56 GMT

Hi Alexander. Thank you for the response. That should put some minds at ease. Do you also know why its transmitting on port 443 in clear text?

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 192.168.211.9:443
Content-Length: 120

VERSION=1.0&Type=Login&Username=(removed)$&IP=192.168.211.15&DN=47f8080a5a748e016767405aae2714a4
HTTP/1.1 200 OK
Date: Wed, 06 May 2015 14:05:23 GMT
Content-Type: text/html
Connection: close
Content-Length: 12

Success!

shot3.jpg

Re: OpenDNS Connector packets

mcgoosh — Wed, 06 May 2015 20:42:50 GMT

Here is one that alarmed us a bit. As the IP its being sent to is not an IP in our range or related to us in any way.

shot4.jpg

Re: OpenDNS Connector packets

alexahar — Thu, 07 May 2015 23:44:23 GMT

The unencrypted traffic over port 443 would be over the internal network between the registered DCs and the Connector. I've responded to your support request so we can identify your settings and confirm some further information. The unexpected IP appears to be a spoofed login event on the DC login audit logs that the connector is passing along as expected. Each event you're seeing transmitted should match exactly with an login audit log event on the DC.

Re: OpenDNS Connector packets

mcgoosh — Fri, 08 May 2015 17:01:33 GMT

Thanks for the explanation. I appreciate the quick response.

Re: OpenDNS Connector packets

mcgoosh — Fri, 08 May 2015 20:39:25 GMT

The IP actually seemed to be a left over place holder in the OpenDNSAuditClient.exe. I was able to find the call in the SendTestLogin function: System.Diagnostics.Stopwatch

ldstr "TestUser"

ldstr "12.23.34.45"

ldstr "TestDn"