cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1943
Views
0
Helpful
3
Replies
Highlighted
Beginner

Malware-Other dns request with long hostname segment detected

HI all,

 

I have noticed that I have many drops in Firesight Management Centre connection table.

The drops are between my Internal DNS and ISP's dns servers.

They are documented as "Malware-Other dns request with long hostname segment - possible data exfiltration attempt"

Periodically i have DNS issues where internal clients web browsing is slow of fails altogether.

Im unsure whether the browing issues are related to the connection table drops.

Any thoughts would be appreciated.

 

thanks

 

Ian

3 REPLIES 3
Cisco Employee

Re: Malware-Other dns request with long hostname segment detected

hello,

 

I think both would be related. Because if your internal DNS server is doing recursive query to your ISP DNS server which might be getting blocked, slow internet for users whose queries aren't solved would be expected.

Also the rule 

rule

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt"; sid:30881; gid:3; rev:4; classtype:attempted-recon; metadata:engine shared, soid 3|30881, service dns; )

 

is a pre-processor rule so you might want to investigate and check why the traffic is being blocked in first place.

Rate if its helpful.

Yogesh 

Beginner

Re: Malware-Other dns request with long hostname segment detected

Hi Yogesh,

 

Thanks for your input.

 

The internal DNS servers are protected by Sophos and the server team are adamanet that there are no issues with the Internal DNS servers are blame Firesight for the DNS problems.

 

Im unsure how to progress this and wonder whether I should disable this rule or not.

 

Ian

Beginner

Re: Malware-Other dns request with long hostname segment detected

I too would like some further understanding as to why these happen in almost every deployment with this rule enabled in the IPS.