Rule Category

PROTOCOL-DNS -- Snort alerted on a Domain Name Server (DNS) protocol issue. These packets travel over UDP on port 53 to serve DNS queries, i.e. user website requests made through a browser. Several vulnerability use cases exist (e.g., additional data could be sent with a request, which would contact a DNS server pre-prepared to send information back and forth).

Alert Message

PROTOCOL-DNS dns response for rfc1918 192.168/16 address detected

Rule Explanation

This event is generated when an RFC 1918 non-routable address is seen in a DNS response to an external query.

Impact: Intelligence gathering activity

Details: RFC 1918 address space is non-routable address space meant to be used on internal networks. These addresses are non-routable across the Internet. An address of this type should never be seen in a DNS response to a query originating from sources external to the protected network.

Ease of Attack: Simple

What To Look For

This event is generated when an RFC 1918 non-routable address is seen in a DNS response to an external query.

Known Usage

No public information

False Positives

Known false positives, with the described conditions

If the EXTERNAL_NET variable is not set to be outside the protected internal network space, or if the sensor is being used on an internal segment inside RFC 1918 address space, this rule will generate events. Otherwise, there are no known false positive situations.
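To make the detection and the false-positive condition above concrete, here is an added example (not Snort's or Talos's code) that parses a DNS response from the wire, reports any A-record answer inside RFC 1918 space, and only alerts when the response is headed to a client outside the configured home network. It generalises the rule's 192.168/16 case to all three RFC 1918 ranges; the home network argument stands in for the sensor's HOME_NET/EXTERNAL_NET variables, and the sample response is constructed inline.

```python
import ipaddress
import struct

# The three RFC 1918 ranges; the page's rule covers the 192.168/16 case.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _skip_name(pkt, off):
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # two-byte compression pointer
            return off + 2
        off += 1 + length


def rfc1918_answers(pkt):
    """Return RFC 1918 addresses found in the A-record answers of a DNS response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!6H", pkt, 0)
    if not flags & 0x8000:          # QR bit clear: this is a query, not a response
        return []
    off = 12
    for _ in range(qdcount):        # skip question name, QTYPE and QCLASS
        off = _skip_name(pkt, off) + 4
    hits = []
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            addr = ipaddress.ip_address(pkt[off:off + 4])
            if any(addr in net for net in RFC1918):
                hits.append(str(addr))
        off += rdlen
    return hits


def should_alert(pkt, client_ip, home_net):
    """Alert only when an RFC 1918 answer goes to a client outside home_net (the false-positive check)."""
    external = ipaddress.ip_address(client_ip) not in ipaddress.ip_network(home_net)
    return external and bool(rfc1918_answers(pkt))


def build_response(qname, addr, txid=0x1234):
    """Constructed sample: a standard response with one A record, name compressed to offset 12."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)
    question = name + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.ip_address(addr).packed
    return header + question + answer
```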

Contributors

Cisco Talos

Rule Groups

No rule groups

CVE

None

Additional Links

Rule Vulnerability

No information provided

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.

None

MITRE ATT&CK Framework

Tactic: Discovery

Technique: Drive-by Compromise

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org