07-05-2016 08:42 AM - edited 03-10-2019 06:38 AM
I have a Cisco ASA5516x w/ FirePOWER with an IPS license installed and I am trying to determine what this Impact 1 alert means:
BLACKLIST DNS reverse lookup response for known malware domain spheral.ru - Win.Trojan.Glupteba (1:31600)
The source looks like it is coming from DNS servers on the internet:
208.67.220.220
208.67.222.222
4.2.2.6
204.117.214.10
The destination is our domain controllers that are configured to be our DNS servers. I'm just trying to figure out what this alert really means. The classification is "A Network Trojan was Detected", but does that mean that a user tried to resolve a DNS record to a site that has been flagged as malicious, or that they have malware on their PC that is trying to connect to a Command & Control server out in the wild? To be clear, the ingress for these alerts is our Outside interface and the egress is our Inside interface. If anyone can provide a clear explanation for these alerts it would be greatly appreciated. Thanks!
07-05-2016 05:19 PM
Hi
It does not necessarily mean that the PC or DC are infected. This rule is for reverse DNS lookup.
With the source and destination, it could just be a packet which is the reply to a reverse DNS lookup request. Now why that request would be sent in the first place is a question and worth investigation.
flow:to_client; content:"|07|spheral|02|ru|00|"; fast_pattern:only;
You can download the packet capture in the rule event, check which IP address is resolved for spheral.ru, and then identify which PC initiated the request.
Sometimes it could be an AV or security product trying to do a reverse DNS lookup for a suspicious IP.
Rate if it helps.
Yogesh
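The content match quoted above (`|07|spheral|02|ru|00|`) is simply the DNS wire-format encoding of the name spheral.ru: each label is prefixed by its length byte and the name ends with a zero byte. That byte string appears in the question section of a forward (A) lookup and in the PTR rdata of a reverse lookup response, which is why the rule fires on replies arriving from outside resolvers. The following Python is an added example, not code from this thread or from Cisco, that shows how to check a captured DNS response the way the reply above suggests: confirm the name is really present, and extract what the packet tells you (was it a forward lookup, and which IP was resolved, or a reverse lookup, and for which address). The sample packets are constructed inline and use the 203.0.113.0/24 documentation range as placeholder addresses; the decoder handles both A and PTR answers and name compression pointers, which goes beyond the single reverse-lookup case in the thread.

```python
import ipaddress
import struct

# Record type codes from RFC 1035.
TYPE_A = 1
TYPE_PTR = 12


def wire_name(domain: str) -> bytes:
    """Encode a domain name the way it appears on the wire (and in the Snort content match)."""
    labels = domain.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def read_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name at offset; return (name, offset after the name)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # the pointer is the last thing in the current field
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def parse_response(msg: bytes) -> dict:
    """Parse the header, question section and answer section of a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A:
            value = str(ipaddress.IPv4Address(msg[off:off + rdlen]))
        elif rtype == TYPE_PTR:
            value, _ = read_name(msg, off)  # rdata is itself a wire-format name
        else:
            value = msg[off:off + rdlen].hex()
        off += rdlen
        answers.append((name, rtype, value))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def signature_hits(msg: bytes, domain: str) -> bool:
    """Same test the rule's content match performs: is the wire-format name anywhere in the payload?"""
    return wire_name(domain) in msg


def triage(msg: bytes, domain: str):
    """Summarise what a matching packet tells an analyst, or None if the name is absent."""
    if not signature_hits(msg, domain):
        return None
    r = parse_response(msg)
    in_question = any(q == domain for q, _ in r["questions"])
    ptr_hit = any(t == TYPE_PTR and v == domain for _, t, v in r["answers"])
    if in_question:
        kind = "forward lookup of the domain"
    elif ptr_hit:
        kind = "reverse lookup returning the domain"
    else:
        kind = "name present in another record"
    return {
        "kind": kind,
        "resolved_ips": [v for n, t, v in r["answers"] if n == domain and t == TYPE_A],
        "reverse_of": [q for q, t in r["questions"] if t == TYPE_PTR] if ptr_hit else [],
    }


def build_message(txid: int, question: str, qtype: int, answers) -> bytes:
    """Build a minimal uncompressed response (constructed sample data only)."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    body = wire_name(question) + struct.pack("!HH", qtype, 1)
    for rtype, rdata in answers:
        body += wire_name(question) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return hdr + body


# Constructed samples: a PTR reply naming the domain, an A reply for it, and a benign reply.
PTR_RESPONSE = build_message(0x1234, "5.113.0.203.in-addr.arpa", TYPE_PTR,
                             [(TYPE_PTR, wire_name("spheral.ru"))])
A_RESPONSE = build_message(0x1235, "spheral.ru", TYPE_A, [(TYPE_A, bytes([203, 0, 113, 5]))])
BENIGN_RESPONSE = build_message(0x1236, "example.com", TYPE_A, [(TYPE_A, bytes([203, 0, 113, 9]))])

if __name__ == "__main__":
    for label, pkt in (("PTR", PTR_RESPONSE), ("A", A_RESPONSE), ("benign", BENIGN_RESPONSE)):
        print(label, triage(pkt, "spheral.ru"))
```

In practice you would read the UDP payload out of the event's packet capture instead of the constructed bytes. The `reverse_of` field is the address that the DNS server on the inside asked about, which is usually the more useful pivot when the event is a reverse lookup: that address, not the domain, is what some client or security product was trying to label.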
07-06-2016 07:17 AM
Thanks, Yogesh!
08-26-2016 08:13 AM
I had posted briefly that we began seeing additional, internal logs regarding these reverse DNS queries, but Solarwinds support said they were just internal DNS queries that resulted from the syslogs sent from FireSight. I still suggest careful vigilance, as always.
10-12-2017 11:19 AM
If the packet is dropped, how can I confirm that another security tool or AV is responsible for the reverse DNS lookup?
09-24-2018 07:14 AM
How do you identify which PC initiated the DNS request?