Malware-Other dns request with long hostname segment detected

iwearing
Level 1

Hi all,

 

I have noticed that I have many drops in Firesight Management Centre connection table.

The drops are between my Internal DNS and ISP's dns servers.

They are documented as "Malware-Other dns request with long hostname segment - possible data exfiltration attempt"

Periodically I have DNS issues where internal clients' web browsing is slow or fails altogether.

I'm unsure whether the browsing issues are related to the connection table drops.

Any thoughts would be appreciated.

 

thanks

 

Ian

3 Replies

yogdhanu
Cisco Employee

Hello,

 

I think both would be related, because if your internal DNS server is doing recursive queries to your ISP DNS server which might be getting blocked, slow internet for users whose queries aren't solved would be expected.

Also, the rule

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt"; sid:30881; gid:3; rev:4; classtype:attempted-recon; metadata:engine shared, soid 3|30881, service dns; )

is a pre-processor rule, so you might want to investigate and check why the traffic is being blocked in the first place.

Rate if it's helpful.

Yogesh 
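To make the rule's trigger concrete, here is an added example (not from this thread, and not Cisco's rule or preprocessor source): it builds a sample DNS query, parses the QNAME labels and flags any single label longer than an assumed threshold, since the real preprocessor threshold is not stated in the thread.

```python
import struct

# Assumed threshold (not from the thread): flag any single DNS label longer than this.
LONG_LABEL_THRESHOLD = 50


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A query in RFC 1035 wire format (constructed sample input)."""
    # ID, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    body = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("DNS labels are limited to 63 octets")
        body += bytes([len(raw)]) + raw
    body += b"\x00" + struct.pack("!HH", 1, 1)  # root terminator, QTYPE=A, QCLASS=IN
    return header + body


def parse_qname_labels(packet: bytes) -> list:
    """Return the labels of the first question's QNAME from a DNS message."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount == 0:
        return []
    offset, labels = 12, []
    while True:
        if offset >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointer is not valid in a question name
            raise ValueError("unexpected compression pointer in question")
        labels.append(packet[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return labels


def check_long_label(packet: bytes, threshold: int = LONG_LABEL_THRESHOLD) -> dict:
    """Mimic the rule's idea: alert when the longest QNAME label exceeds the threshold."""
    labels = parse_qname_labels(packet)
    longest = max((len(lbl) for lbl in labels), default=0)
    return {"qname": ".".join(labels), "longest_label": longest, "alert": longest > threshold}


if __name__ == "__main__":
    normal = build_dns_query("www.example.com")
    suspicious = build_dns_query("a" * 60 + ".tunnel.example.com")  # constructed sample
    for pkt in (normal, suspicious):
        print(check_long_label(pkt))
```

Running the parser over a capture of the blocked queries (for example from the sensor's packet data) shows which label actually tripped the threshold, which helps separate legitimate long names (CDNs, cloud service records) from tunnelling-style traffic.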

Hi Yogesh,

 

Thanks for your input.

 

The internal DNS servers are protected by Sophos, and the server team are adamant that there are no issues with the internal DNS servers and blame Firesight for the DNS problems.

 

I'm unsure how to progress this and wonder whether I should disable this rule or not.

 

Ian

I too would like some further understanding as to why these happen in almost every deployment with this rule enabled in the IPS.