Solved

Snort Rules :ET RBN Known Russian Business Network IP UDP

Posted on 2010-09-06
8
2,286 Views
Last Modified: 2013-11-29
Hi
I know Why Snort is blocking the IP's .
but I am little bit of confused bout Source port and destination port for this attack


have a look bellow 2 log


15        2        UDP        ET RBN Known Russian Business Network IP UDP (238)         Misc Attack        192.168.1.67        39817        ->        82.146.55.35        53        1:2406475:193        09/06-15:36:05
16       2       UDP       ET RBN Known Russian Business Network IP UDP (237)       Misc Attack       192.168.1.7       1068       ->       82.146.33.103       53       1:2406473:193       09/06-15:35:54


Here : 192.168.1.67 is our Internal Dns server
and  192.168.1.7 is our Mail server.

in both log is showing , Destination port is 53 and Souce port is our network

to me it like, I am doing an attack to those IP's but snort is blocking those IP .

i just want to get an explanation .. why source port is our and destination port is those Ip .


note : I m not trying to edit or disable rules. here i am trying to understand, how this attack is happening / why source port is mine ?

thanks
0
Comment
Question by:fosiul01
  • 5
  • 3
8 Comments
 
LVL 61

Accepted Solution

by:
gheist earned 500 total points
ID: 33615575
they scan for recursive DNS servers. If you do not have one "error" messages are simple background noise.
0
 
LVL 29

Author Comment

by:fosiul01
ID: 33631890
Hi sorry for late reply

i know its look for recursive dns server.

but what i dont understand why and how its touching my mail server,

look at this log

6       2       UDP        ET RBN Known Russian Business Network IP UDP (237)       Misc  Attack       192.168.1.7       1068       ->       82.146.33.103        53       1:2406473:193       09/06-15:35:54


192.167.1.7 is my mail server

thats bugging me ..

0
 
LVL 29

Author Comment

by:fosiul01
ID: 33631910
1                        2                        UDP                        ET RBN Known Russian Business Network IP UDP (238)                         Misc Attack                        192.168.1.67                        41989                        ->                        82.146.55.35                        53                        1:2406475:193                        09/08-22:46:57                                                2                        2                        UDP                        ET RBN Known Russian Business Network IP UDP (238)                         Misc Attack                        192.168.1.7                        1068                        ->                        82.146.55.35                        53                        1:2406475:193                        09/08-22:46:471



So look, same Rusian Ip,

one src ip is my dns server which is 192.168.1.67
and another one is 192.168.1.7 which is mail server

why src ip is my mail server ?? i am asking for a explanations

0
 
LVL 61

Expert Comment

by:gheist
ID: 33634452
you (82.146.33.103) seem to be in all imaginable spam blacklists....
are you sure your mail server is secured well???
ben je in BE of ben je in LU?
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 
LVL 29

Author Comment

by:fosiul01
ID: 33634727
no no this is not my ip  !!!!

82.146.33.103

snort is blocking 82.146.33.103 ip as its a attack (rusian network)

what made me surprise is :

Why Source port is my server  ??



15        2         UDP        ET RBN Known Russian Business Network IP UDP (238)          Misc Attack        192.168.1.67        39817        ->         82.146.55.35        53        1:2406475:193        09/06-15:36:05

16        2       UDP       ET RBN Known Russian Business Network IP UDP  (237)       Misc Attack       192.168.1.7       1068       ->        82.146.55.35       53       1:2406473:193       09/06-15:35:54


if you look the above log

in both case ip 82.146.55.35 is the Destination(53) and  192.168.1.67 and 192.168.1.7  is the src .


thats the thing i trying to understand, why src port is our side

if russion network try to look for recursive dns server, then destination port would be us, and source port would be 82.146.55.35 ,

may be it works this way!! but since i dont know.. need an explanations



0
 
LVL 61

Expert Comment

by:gheist
ID: 33634967
you need to see why your DNS tries to access spammer and who of your users tries to do this lookup....
0
 
LVL 29

Author Comment

by:fosiul01
ID: 33635048
Thats the problem...


[**] [1:2406473:193] ET RBN Known Russian Business Network IP UDP (237) [**]
[Classification: Misc Attack] [Priority: 2]
09/09-11:00:37.720272 192.168.1.67:60681 -> 82.146.33.103:53
UDP TTL:64 TOS:0x0 ID:16939 IpLen:20 DgmLen:80
Len: 52
[Xref => http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork]

[**] [1:2406473:193] ET RBN Known Russian Business Network IP UDP (237) [**]
[Classification: Misc Attack] [Priority: 2]
09/09-11:00:42.812235 192.168.1.7:1068 -> 82.146.33.103:53
UDP TTL:128 TOS:0x0 ID:24159 IpLen:20 DgmLen:69
Len: 41
[Xref => http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork]


Here 192.168.1.7 ( SBS 2003,working as DNS but it has forwarder to 192.168.1.67 )
hence i guess i am seeing both Ips there .


i used pfsense with snort, so pfsense has blocked 82.146.33.103: this anyway .

but question is, why it sending dns query to 82.146.33.103


its not coming from any user computers ....


0
 
LVL 29

Author Comment

by:fosiul01
ID: 33635600
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

By this time the large percentage of day-to-day transactions have shifted to mobile banking; here are some overriding areas QAs must investigate while testing mobile banking apps.  
A customer recently asked me about anti-malware and the different deployment options available for his business. Daily news about cyberattacks, zero-day vulnerabilities, and companies that suffered a security breach made him wonder if the endpoint a…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now