Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
673
Views
5
Helpful
2
Replies

Intrusion Events

Go to solution
keithcclark71
Level 3
Level 3

‎12-02-2022 09:55 AM

Hey all I am getting intrusion events as shown in the below screenshot. These are known DNS servers and trusted. Can anyone tell me what is going on here and how I should try to remediate this??? I am at a loss

IntrusionEvents.jpg

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to manabans

‎12-05-2022 04:34 AM

Rather than disable the rule altogether, I would suggest whitelisting the Umbrella public DNS servers that are seen in the events you are showing. I highly doubt Umbrella is sending intrusion attempts into the private network via DNS replies. Instead, it is probably triggered by one of the fields in the DNS responses (such as TTL) having a low value for legitimate reasons.

View solution in original post

2 Replies 2

Go to solution
manabans
Cisco Employee
Cisco Employee

‎12-03-2022 09:24 PM

SID - 57756 - MALWARE-CNC DNS Fast Flux attempt
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"MALWARE-CNC DNS Fast Flux attempt"; flow:to_client; content:"|00 01|"; depth:2; offset:4; byte_test:2,>,1,0,relative; byte_test:1,=,1,2,bitmask 0x80; content:"|00 01 00 01|"; distance:6; content:"|00 01 00 01 00 00 00 05|"; distance:0; metadata:policy max-detect-ips drop, service dns; reference:url,attack.mitre.org/techniques/T1568/001/; classtype:trojan-activity; sid:57756; rev:2; gid:1; )

After reviewing the syntax and the connection events that you attached, the traffic does match the rule.

To remediate this, the intrusion rule (with SID 57756) needs to be disabled.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to manabans

‎12-05-2022 04:34 AM

Rather than disable the rule altogether, I would suggest whitelisting the Umbrella public DNS servers that are seen in the events you are showing. I highly doubt Umbrella is sending intrusion attempts into the private network via DNS replies. Instead, it is probably triggered by one of the fields in the DNS responses (such as TTL) having a low value for legitimate reasons.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card