fosiul01
asked on
Snort Rules :ET RBN Known Russian Business Network IP UDP
Hi
I know Why Snort is blocking the IP's .
but I am little bit of confused bout Source port and destination port for this attack
have a look bellow 2 log
15 2 UDP ET RBN Known Russian Business Network IP UDP (238) Misc Attack 192.168.1.67 39817 -> 82.146.55.35 53 1:2406475:193 09/06-15:36:05
16 2 UDP ET RBN Known Russian Business Network IP UDP (237) Misc Attack 192.168.1.7 1068 -> 82.146.33.103 53 1:2406473:193 09/06-15:35:54
Here : 192.168.1.67 is our Internal Dns server
and 192.168.1.7 is our Mail server.
in both log is showing , Destination port is 53 and Souce port is our network
to me it like, I am doing an attack to those IP's but snort is blocking those IP .
i just want to get an explanation .. why source port is our and destination port is those Ip .
note : I m not trying to edit or disable rules. here i am trying to understand, how this attack is happening / why source port is mine ?
thanks
I know Why Snort is blocking the IP's .
but I am little bit of confused bout Source port and destination port for this attack
have a look bellow 2 log
15 2 UDP ET RBN Known Russian Business Network IP UDP (238) Misc Attack 192.168.1.67 39817 -> 82.146.55.35 53 1:2406475:193 09/06-15:36:05
16 2 UDP ET RBN Known Russian Business Network IP UDP (237) Misc Attack 192.168.1.7 1068 -> 82.146.33.103 53 1:2406473:193 09/06-15:35:54
Here : 192.168.1.67 is our Internal Dns server
and 192.168.1.7 is our Mail server.
in both log is showing , Destination port is 53 and Souce port is our network
to me it like, I am doing an attack to those IP's but snort is blocking those IP .
i just want to get an explanation .. why source port is our and destination port is those Ip .
note : I m not trying to edit or disable rules. here i am trying to understand, how this attack is happening / why source port is mine ?
thanks
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
1 2 UDP ET RBN Known Russian Business Network IP UDP (238) Misc Attack 192.168.1.67 41989 -> 82.146.55.35 53 1:2406475:193 09/08-22:46:57 2 2 UDP ET RBN Known Russian Business Network IP UDP (238) Misc Attack 192.168.1.7 1068 -> 82.146.55.35 53 1:2406475:193 09/08-22:46:471
So look, same Rusian Ip,
one src ip is my dns server which is 192.168.1.67
and another one is 192.168.1.7 which is mail server
why src ip is my mail server ?? i am asking for a explanations
So look, same Rusian Ip,
one src ip is my dns server which is 192.168.1.67
and another one is 192.168.1.7 which is mail server
why src ip is my mail server ?? i am asking for a explanations
you (82.146.33.103) seem to be in all imaginable spam blacklists....
are you sure your mail server is secured well???
ben je in BE of ben je in LU?
are you sure your mail server is secured well???
ben je in BE of ben je in LU?
ASKER
no no this is not my ip !!!!
82.146.33.103
snort is blocking 82.146.33.103 ip as its a attack (rusian network)
what made me surprise is :
Why Source port is my server ??
15 2 UDP ET RBN Known Russian Business Network IP UDP (238) Misc Attack 192.168.1.67 39817 -> 82.146.55.35 53 1:2406475:193 09/06-15:36:05
16 2 UDP ET RBN Known Russian Business Network IP UDP (237) Misc Attack 192.168.1.7 1068 -> 82.146.55.35 53 1:2406473:193 09/06-15:35:54
if you look the above log
in both case ip 82.146.55.35 is the Destination(53) and 192.168.1.67 and 192.168.1.7 is the src .
thats the thing i trying to understand, why src port is our side
if russion network try to look for recursive dns server, then destination port would be us, and source port would be 82.146.55.35 ,
may be it works this way!! but since i dont know.. need an explanations
82.146.33.103
snort is blocking 82.146.33.103 ip as its a attack (rusian network)
what made me surprise is :
Why Source port is my server ??
15 2 UDP ET RBN Known Russian Business Network IP UDP (238) Misc Attack 192.168.1.67 39817 -> 82.146.55.35 53 1:2406475:193 09/06-15:36:05
16 2 UDP ET RBN Known Russian Business Network IP UDP (237) Misc Attack 192.168.1.7 1068 -> 82.146.55.35 53 1:2406473:193 09/06-15:35:54
if you look the above log
in both case ip 82.146.55.35 is the Destination(53) and 192.168.1.67 and 192.168.1.7 is the src .
thats the thing i trying to understand, why src port is our side
if russion network try to look for recursive dns server, then destination port would be us, and source port would be 82.146.55.35 ,
may be it works this way!! but since i dont know.. need an explanations
you need to see why your DNS tries to access spammer and who of your users tries to do this lookup....
ASKER
Thats the problem...
[**] [1:2406473:193] ET RBN Known Russian Business Network IP UDP (237) [**]
[Classification: Misc Attack] [Priority: 2]
09/09-11:00:37.720272 192.168.1.67:60681 -> 82.146.33.103:53
UDP TTL:64 TOS:0x0 ID:16939 IpLen:20 DgmLen:80
Len: 52
[Xref => http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork]
[**] [1:2406473:193] ET RBN Known Russian Business Network IP UDP (237) [**]
[Classification: Misc Attack] [Priority: 2]
09/09-11:00:42.812235 192.168.1.7:1068 -> 82.146.33.103:53
UDP TTL:128 TOS:0x0 ID:24159 IpLen:20 DgmLen:69
Len: 41
[Xref => http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork]
Here 192.168.1.7 ( SBS 2003,working as DNS but it has forwarder to 192.168.1.67 )
hence i guess i am seeing both Ips there .
i used pfsense with snort, so pfsense has blocked 82.146.33.103: this anyway .
but question is, why it sending dns query to 82.146.33.103
its not coming from any user computers ....
[**] [1:2406473:193] ET RBN Known Russian Business Network IP UDP (237) [**]
[Classification: Misc Attack] [Priority: 2]
09/09-11:00:37.720272 192.168.1.67:60681 -> 82.146.33.103:53
UDP TTL:64 TOS:0x0 ID:16939 IpLen:20 DgmLen:80
Len: 52
[Xref => http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork]
[**] [1:2406473:193] ET RBN Known Russian Business Network IP UDP (237) [**]
[Classification: Misc Attack] [Priority: 2]
09/09-11:00:42.812235 192.168.1.7:1068 -> 82.146.33.103:53
UDP TTL:128 TOS:0x0 ID:24159 IpLen:20 DgmLen:69
Len: 41
[Xref => http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork]
Here 192.168.1.7 ( SBS 2003,working as DNS but it has forwarder to 192.168.1.67 )
hence i guess i am seeing both Ips there .
i used pfsense with snort, so pfsense has blocked 82.146.33.103: this anyway .
but question is, why it sending dns query to 82.146.33.103
its not coming from any user computers ....
ASKER
have a look to this question. see if that make sense
https://www.experts-exchange.com/questions/26461312/Why-Windows-Server-sent-dns-query-to-Russian-Network.html
https://www.experts-exchange.com/questions/26461312/Why-Windows-Server-sent-dns-query-to-Russian-Network.html
ASKER
i know its look for recursive dns server.
but what i dont understand why and how its touching my mail server,
look at this log
6 2 UDP ET RBN Known Russian Business Network IP UDP (237) Misc Attack 192.168.1.7 1068 -> 82.146.33.103 53 1:2406473:193 09/06-15:35:54
192.167.1.7 is my mail server
thats bugging me ..