Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2031
Views
0
Helpful
4
Replies

PROTOCOL-DNS dns response for rfc1918 Violation

Devlin Thornicroft
Level 1
Level 1

‎03-02-2018 02:46 AM - edited ‎02-21-2020 07:27 AM

Hello all

 

We are in the middle of deploying an FTD with IPS for a project. We have seen a large number of the following violations in the IPS event log:

 

Message

Priority

Classification

PROTOCOL-DNS dns response for rfc1918 172.16/12 address detected (1:15934:11)

high

Potential Corporate Policy Violation

PROTOCOL-DNS dns response for rfc1918 10/8 address detected (1:13249:14)

high

Potential Corporate Policy Violation

 

Having read the SNORT documentation for each of these I think I know what the issue, but my confidence level is not very high & would appreciate some advice from some more seasoned veterans.

 

Our setup is such that we have defined our HOME_NET variable as the 10/8 network, and left the EXTERNAL variable at 0.0.0.0/0. What seems to be triggering the above violations is when a server receives a response to a DNS query that contains a 172.x.x.x address. I think it may have something to do with how we have set our variables. Could it be that adding the 172/12 network to our HOME_NET variable set could fix this issue?

Thank you.

Labels:
0 Helpful
4 Replies 4

pazzi
Cisco Employee
Cisco Employee

‎03-02-2018 02:51 AM

Hi Devlin

Your home_net should include all the network addresses that this sensor is protecting.
Your external_net should exclude your home_net.

Thanks
0 Helpful

Devlin Thornicroft
Level 1
Level 1
In response to pazzi

‎03-02-2018 02:58 AM

Thank you pazzi for your swift response

 

That was as I suspected, partly. The 172/12 is legitimately part of our internal network so it makes sense we would include it as part of the HOME_NET variable. I say partly as I wasn't aware we would also need to explicitly exclude it from the EXTERNAL variable.


In your opinion does it make sense that the violation we are seeing is therefore a result of not setting our variable set(s) correctly?

 

Thank you.

0 Helpful

pazzi
Cisco Employee
Cisco Employee
In response to Devlin Thornicroft

‎03-02-2018 03:02 AM

Yes, could be.
Many snort rules trigger based on server replies.
Incorrect values to variable sets can generate false positives.

Paul
0 Helpful

Devlin Thornicroft
Level 1
Level 1
In response to pazzi

‎03-02-2018 03:04 AM

Thank you Paul


Appreciate the speedy responses. We'll look into this and update this thread with the findings.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card