03-02-2018 02:46 AM - edited 02-21-2020 07:27 AM
Hello all
We are in the middle of deploying an FTD with IPS for a project. We have seen a large number of the following violations in the IPS event log:
Message | Priority | Classification
PROTOCOL-DNS dns response for rfc1918 172.16/12 address detected (1:15934:11) | high | Potential Corporate Policy Violation
PROTOCOL-DNS dns response for rfc1918 10/8 address detected (1:13249:14) | high | Potential Corporate Policy Violation
Having read the SNORT documentation for each of these I think I know what the issue is, but my confidence level is not very high & would appreciate some advice from some more seasoned veterans.
Our setup is such that we have defined our HOME_NET variable as the 10/8 network, and left the EXTERNAL variable at 0.0.0.0/0. What seems to be triggering the above violations is when a server receives a response to a DNS query that contains a 172.x.x.x address. I think it may have something to do with how we have set our variables. Could it be that adding the 172/12 network to our HOME_NET variable set could fix this issue?
Thank you.
03-02-2018 02:51 AM
03-02-2018 02:58 AM
Thank you pazzi for your swift response
That was as I suspected, partly. The 172/12 is legitimately part of our internal network so it makes sense we would include it as part of the HOME_NET variable. I say partly as I wasn't aware we would also need to explicitly exclude it from the EXTERNAL variable.
In your opinion does it make sense that the violation we are seeing is therefore a result of not setting our variable set(s) correctly?
Thank you.
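To make the variable-set question above concrete, here is an added Python model (not FTD or Snort code, and not posted by anyone in the thread) of how HOME_NET and EXTERNAL_NET gate the two rules; it assumes the rules' header has the usual shape $EXTERNAL_NET 53 -> $HOME_NET any, and the resolver, client and answer addresses are constructed.

```python
"""Model of how Snort HOME_NET / EXTERNAL_NET gate the two PROTOCOL-DNS
RFC1918 rules from the thread (added illustration, not FTD code)."""
import ipaddress

# Address ranges the two rules named in the thread alert on.
RFC1918_RULES = {
    "1:13249": ipaddress.ip_network("10.0.0.0/8"),
    "1:15934": ipaddress.ip_network("172.16.0.0/12"),
}

def matches(expr, ip, variables):
    """Evaluate a Snort-style IP expression ('any', CIDR or single IP,
    '$VAR', top-level '!' negation, flat '[a,b]' list) against one address.
    Negation inside a list (Snort's exclusion syntax) is not modelled."""
    expr = expr.strip()
    if expr == "any":
        return True
    if expr.startswith("!"):
        return not matches(expr[1:], ip, variables)
    if expr.startswith("$"):
        return matches(variables[expr[1:]], ip, variables)
    if expr.startswith("[") and expr.endswith("]"):
        return any(matches(p, ip, variables) for p in expr[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)

def sids_fired(src_ip, dst_ip, answers, variables):
    """SIDs that would alert on a DNS reply from src_ip to dst_ip whose
    A records are `answers`. Assumes the rule header has the usual shape
    $EXTERNAL_NET 53 -> $HOME_NET any (an assumption, not quoted from
    the ruleset): the resolver must match EXTERNAL_NET, the client HOME_NET."""
    if not (matches(variables["EXTERNAL_NET"], src_ip, variables)
            and matches(variables["HOME_NET"], dst_ip, variables)):
        return []
    return sorted(sid for sid, net in RFC1918_RULES.items()
                  if any(ipaddress.ip_address(a) in net for a in answers))

# Constructed traffic: an internal resolver answers an internal client with
# a 172.16/12 address, the situation the thread describes.
RESOLVER, CLIENT, ANSWERS = "10.1.1.53", "10.20.30.40", ("172.16.5.10",)

AS_DEPLOYED = {"HOME_NET": "10.0.0.0/8", "EXTERNAL_NET": "0.0.0.0/0"}
HOME_ONLY = {"HOME_NET": "[10.0.0.0/8,172.16.0.0/12]", "EXTERNAL_NET": "0.0.0.0/0"}
CORRECTED = {"HOME_NET": "[10.0.0.0/8,172.16.0.0/12]", "EXTERNAL_NET": "!$HOME_NET"}

if __name__ == "__main__":
    for name, v in (("as deployed", AS_DEPLOYED), ("HOME_NET only", HOME_ONLY),
                    ("corrected", CORRECTED)):
        print(f"{name:14} -> {sids_fired(RESOLVER, CLIENT, ANSWERS, v) or 'no alert'}")
```

Extending HOME_NET alone still leaves the internal resolver inside a 0.0.0.0/0 EXTERNAL_NET, so the alert persists until EXTERNAL_NET is set to !$HOME_NET; with that correction a reply from a public resolver carrying an RFC1918 address still alerts, which is the case the rule exists to catch.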
03-02-2018 03:02 AM
03-02-2018 03:04 AM
Thank you Paul
Appreciate the speedy responses. We'll look into this and update this thread with the findings.