This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dave
Contributor
‎2021-02-10 02:27 AM

IPS: Non Compliant DNS - illegal number of resource records

Getting IPS to drop DNS traffic for some of our machines, but not all.

There is not much info to find related to this, so i'm a bit stuck of where to start searching on what could be going wrong.

The packet capture in the Forensic Details isn't of much help either, as Wireshark will just tell that it's a malformed packet.

What's visible in the Follow TCP stream is this '.....dns.msftncsi.com...........'

Any further explanation or help on how to troubleshoot is appreciated.

0 Kudos
4 Replies
JanVC
Collaborator
‎2021-02-10 07:39 AM

I've seen these kind of drops before when DNS is being "abused" for other stuff, like FortiGate doing lookups for malicious IP's/URL's to their threat cloud

I think I also saw it for SfB txt records are something in that genre

0 Kudos
Dave
Contributor
‎2021-02-11 05:50 AM
In response to JanVC

To start off with, how did you troubleshoot this further?

The easy way to get around this would be to make an exception for the core protection on different vlans, but then you would miss the opportunity to detect this again, when actual and real potential misuse is taking place.

How did you resolve this in the end?

0 Kudos
JanVC
Collaborator
‎2021-02-11 06:19 AM
In response to Dave

for the FortiGate you can configure the lookup to use another port (I think 5555), that way it doesn't trigger the IPS protection anymore

for the skype, it's just something I saw in the logs, nobody mentioned an issue so no further investigation was done

 

I would start by identifying which source device is causing your logs (laptop/desktop/server/other firewall/...)

0 Kudos
Dave
Contributor
‎2021-06-17 08:10 AM

Coming back to myself on the forensics details of this IPS event, i now know what's the use of this is.

Host try to resolve this domain as a mechanism to check and let Windows know if they have internet connectivity or not.

The host resolves the domain, which holds a txt file that the resolving host than download. If this is successful, Windows now internet connectivity is fine.

Now the trouble lies in this mechanism, and that's why IPS event is triggered, or at least that's what i think.

Say an attacker inside your network can in some way poisen the DNS name dns.msftcsi.com and forward all traffic to a malicious domain, serving the same kind of textfile or maybe some script that let you download some sort of malware instead of a regular txt file that is been used for the connectivity mechanism Windows uses.

Does this sounds like a plausible story and is this the way why Checkpoint IPS got triggered, because it's intelligence knows about the potential misuse of the Windows internet connectivity mechanism?

 

 

Preview file
5 KB
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events