This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Advanced Threat Protection lists the dns server instead of the client

When a client tries to connect to a domain which is on the blacklist for command-and-control, he first starts a DNS query to our internal DNS Server. The DNS Server then starts his own query (in our environment directly to the DNS Server from the ISP). So this traffic is between the two DNS Servers, but because the domain name and the IP of the command-and-control server are in the traffic the query and the response the UTM generates the alert and lists our internal DNS server as infected host (a few pictures can be found here, sorry it’s in german)

In my opinion, it would be better to generate the alert and stop the connection in the next step, when the client REALLY tries to connect to the server and not during the DNS request to another DNS Server. Then the client would be the infected host in the logs. I had to enable DNS logs on the server to identify the affected host.

I am not sure if my considerations are right. If yes it would be a bug (the dns query without connecting to the command-and-control server shouldn’t generate an alert). Thanks for any help.

This thread was automatically locked due to age.

0 ckruesi over 8 years ago

Thanks for your answer. That's what I did. I was just wondering if this is a bug. The DNS query from my DNS Server to the UTM and from there to the DNS Server from the ISP doesn't connect to the command and control server. So there's no need for ATP making an alarm. When the client in the next step then tries to connect to the command and control server would be the right time for ATP to generate an alarm with the supposed infected client in the log.
But no Problem. Since I've enabled DNS logging I find the information about the client. Thanks.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 8 years ago

Your suggestion makes sense. Can you get that reported to Support as a bug?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 William Warren over 8 years ago

then this is a regression because ATP used to log the dns entires IF it was a dns related alert. It otherwise only logs the ips of the offending parties.

Owner: Emmanuel Technology Consulting

http://etc-md.com

Former Sophos SG(Astaro) advocate/researcher/Silver Partner

PfSense w/Suricata, ntopng,

Other addons to follow
Cancel
Vote Up 0 Vote Down

Cancel
0 Coder68 over 8 years ago

William,

How would the UTM know who made the DNS call if it is first made to the AD box, who then does the DNS call on behalf of the client? ("Proxied" DNS)

In my case only the UTM is used for DNS, so it is not an issue. (And I have a SecurityOnion box to capture DNS too.) I am just wondering, as we have a similar issue at my work. (But were not using Sophos)

Thanks,

C68
Cancel
Vote Up 0 Vote Down

Cancel
0 ckruesi over 8 years ago

Your suggestion makes sense. Can you get that reported to Support as a bug?

Thanks, Bob. I've sent an email to Sophos Support.

then this is a regression because ATP used to log the dns entires IF it was a dns related alert. It otherwise only logs the ips of the offending parties.

William, maybe the best way would be, if ATP would generate a log entry but not block the connection from DNS Server to DNS Server, because there's no traffic to a command-and-control server involved. So the client would get an answer for his DNS query and would then try to connect to the command-and-control server IP. This time ATP should block the connection and should log the involved client, because this time it is traffic to a command-and-control server and the log would show the infected client and not the not infected DNS server.
Cancel
Vote Up 0 Vote Down

Cancel
0 ckruesi over 8 years ago

Your suggestion makes sense. Can you get that reported to Support as a bug?
Thanks, Bob. I've sent an email to Sophos Support.

Sorry, that wasn't possible. I've got no premium Support. Maybe someone with premium support could do that...
Cancel
Vote Up 0 Vote Down

Cancel
0 William Warren over 8 years ago in reply to Coder68

[QUOTE=Coder68;305100]William,

How would the UTM know who made the DNS call if it is first made to the AD box, who then does the DNS call on behalf of the client? ("Proxied" DNS)

In my case only the UTM is used for DNS, so it is not an issue. (And I have a SecurityOnion box to capture DNS too.) I am just wondering, as we have a similar issue at my work. (But were not using Sophos)

Thanks,

C68[/QUOT

first you need to have the utm integrated into your ad environment and then use the request routing as i mentioned.

Owner: Emmanuel Technology Consulting

http://etc-md.com

Former Sophos SG(Astaro) advocate/researcher/Silver Partner

PfSense w/Suricata, ntopng,

Other addons to follow
Cancel
Vote Up 0 Vote Down

Cancel
0 ICT123 over 8 years ago

I am having the same issue, ATP is detecting 3 threats " C2/Generic-A ", and the User/Host is the IP address of the internal domain controller.

Can anyone advise how to identify the actual host with the infection through looking at the DNS server's log?
Cancel
Vote Up 0 Vote Down

Cancel
0 ckruesi over 8 years ago in reply to ICT123
Can anyone advise how to identify the actual host with the infection through looking at the DNS server's log?

I’ll try to do so.
DNS logging at the server has to be enabled, this is not by default.

The pictures are from my german blog entry: http://wp.me/p1Ml8G-12U

[LIST=1]
Look at the Advanced Threat Protection Log at the utm (https://ictschule.files.wordpress.com/2015/08/image15.png)
In the log you will find the host (your DNS Server) and the queried site (in my example the site cwporter.com) (https://ictschule.files.wordpress.com/2015/08/image16.png)
Go to your DNS Logs at the internal DNS Server and search for the DNS name (in my example cwporter.com) (https://ictschule.files.wordpress.com/2015/08/image17.png). There you will find the host, that tried to connect to the site.
[/LIST]
Cancel
Vote Up 0 Vote Down

Cancel
0 William Warren over 8 years ago

it looks like another configuration for dns is going to have to be tried. What i am going to try is integrating utm with AD and leveraging request routing. Then have the dhcp server point ALL dns to the UTM and see if utm will route internal requests to the AD and external through the internet forwarders. If htis works as i think it should this issue should be solved..[:)]

Owner: Emmanuel Technology Consulting

http://etc-md.com

Former Sophos SG(Astaro) advocate/researcher/Silver Partner

PfSense w/Suricata, ntopng,

Other addons to follow
Cancel
Vote Up 0 Vote Down

Cancel