Difference between revisions of "HIDS 553"

From Atomicorp Wiki
(Undo revision 1744 by Mshinn (talk))
Line 1: Line 1:
 
'''Rule ID'''  
 
'''Rule ID'''  
  
5703
+
553
  
 
'''Status'''
 
'''Status'''
  
Possible breakin attempt (high number of reverse lookup errors).
+
Active rule currently published.
  
 
'''Description'''   
 
'''Description'''   
  
This rule is detects when an application, such as sshd, has reported a high number of reverse lookup errors.  A reverse lookup error occurs when your application attempts to determine what the fully qualified DNS name is for an IP address, and then looks up the fully qualified name to see if it matches the IP addressIf they do not match, this may indicate that someone is spoofing the fully qualified domain name to try to trick your system into allowing them to log in.
+
This rule is detects when a monitored file has been deleted, and the system can not longer monitor it.  This may be non-malicious, or may indicate that unauthorized changes have occurred on your system.
  
For example, when this occurs with SSH you may see an error message such as this:
+
'''False Positives'''
  
servername sshd[12345]: reverse mapping checking getaddrinfo for www.example.com failed - POSSIBLE BREAK-IN ATTEMPT!
+
There is no known false positive for this rule. This rule detects when a file has been deleted, and therefore the system can no longer monitor it.
  
In this example, a system has connected to your ssh server.  That connection has an IP address.  For the purposes of example, lets say that IP address is 1.2.3.4.  The sshd service lookups that IP address, conducting what is called a "reverse lookup" to determine that the fully qualified domain name is for 1.2.3.4.  The DNS server for 1.2.3.4 returns the name "www.example.com".  Because anyone can return any name they want from a DNS server, this method is not an accurate way of determining if the answer is correctYou now have to reverse the process to see if "www.example.com" will resolve to 1.2.3.4.  The sshd service then conducts a DNS query to ask the authoritative DNS server for www.example.com what the IP address is for www.example.com.  If that DNS server returns an address that is different from 1.2.3.4, then the reverse mapping has failed.  1.2.3.4 is not the IP address for www.example.com, so someone may be trying to spoof the DNS address.  This could also occur if someone made a mistake with their DNS names.  Contact the DNS operators for both the domain name and IP address if you believe they have made a mistake.
+
If you believe that this is a false positive, please report this to our security team can determine if this is a legitimate case, or if its clever attack on your systemInstructions to report false positives are detailed on the [[Reporting False Positives]] wiki page.
 
+
'''False Positives'''
+
  
There are no known false positive for this rule.  This rule simply reports when your application reports that this has occurred.  If your application is in error, please contact your application vendor for assistance.  If the DNS servers are in error, please contact the DNS operators.  And if the DNS software is incorrectly reporting this information to your application, please contact your DNS vendor.
 
  
 
'''Tuning Recommendations'''
 
'''Tuning Recommendations'''
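Review bot: the replacement Description and False Positives text introduces grammar errors that the rendered page carries forward, namely "This rule is detects when ... can not longer monitor it" and "report this to our security team can determine if this is a legitimate case, or if its clever attack"; suggest "This rule detects when a monitored file has been deleted and the system can no longer monitor it" and "report this to our security team so they can determine whether this is a legitimate case or a clever attack on your system". The new Description also says the deletion "may be non-malicious" while the new False Positives paragraph says there is no known false positive; stating that an expected deletion (for example a file removed by an administrator) is a tuning case rather than a false positive would make the two sections agree.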
Line 27: Line 24:
 
'''Similar Rules'''
 
'''Similar Rules'''
  
 +
[[HIDS 550]]
  
 
'''Knowledge Base Articles'''
 
'''Knowledge Base Articles'''
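Review bot: [[HIDS 550]] is added under Similar Rules without saying how it relates to this rule, and nothing else on the page describes what HIDS 550 detects; one clause on the relationship (for instance whether it covers the non-deletion change to a monitored file) would make the cross-reference useful to a reader triaging a 553 alert.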

Revision as of 19:36, 22 July 2011

Rule ID

553

Status

Active rule currently published.

Description

This rule detects when a monitored file has been deleted and the system can no longer monitor it. This may be non-malicious, or it may indicate that unauthorized changes have occurred on your system.
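The deletion condition this rule reports, as an added Python example that is not Atomicorp's code: it baselines a set of watched files, re-checks them, and flags any file that has gone missing (the 553 condition) separately from a file whose checksum changed. The files are constructed temporaries, and the "MODIFIED" tag is an assumed label, not a rule id from this page.

```python
# Added example, not Atomicorp's code: a minimal file-integrity check reproducing
# the rule 553 condition (a monitored file deleted, so it can no longer be checksummed).
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

def sha256_of(path: str) -> str:
    """Checksum a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def take_baseline(paths: List[str]) -> Dict[str, str]:
    """Record the checksum of every file the monitor is asked to watch."""
    return {p: sha256_of(p) for p in paths}

def check_integrity(baseline: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Re-check monitored files; returns (tag, path, message) events."""
    events = []
    for path, old_sum in baseline.items():
        if not os.path.isfile(path):
            # Rule 553 condition: the file is gone, so it can no longer be
            # monitored.  Whether that was benign cannot be decided here.
            events.append(("553", path, "monitored file deleted; can no longer monitor it"))
            continue
        new_sum = sha256_of(path)
        if new_sum != old_sum:
            # "MODIFIED" is a constructed tag; the page gives no rule id for this case.
            events.append(("MODIFIED", path, f"checksum {old_sum[:12]} -> {new_sum[:12]}"))
    return events

def run_demo() -> Dict[str, List[Tuple[str, str]]]:
    """Watch three constructed temp files, delete one, modify one, report what fired."""
    workdir = tempfile.mkdtemp()
    paths = [os.path.join(workdir, n) for n in ("a.conf", "b.conf", "c.conf")]
    for p in paths:
        with open(p, "w") as fh:
            fh.write("original\n")
    baseline = take_baseline(paths)
    os.remove(paths[0])                # triggers the 553 condition
    with open(paths[1], "a") as fh:    # a modification, for contrast
        fh.write("tampered\n")
    fired = [(tag, os.path.basename(p)) for tag, p, _ in check_integrity(baseline)]
    return {"fired": fired}
```

An unchanged file produces no event, so only the deleted and modified files appear in the result.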

False Positives

There is no known false positive for this rule. This rule detects when a file has been deleted, and therefore the system can no longer monitor it.

If you believe that this is a false positive, please report it to our security team so they can determine whether this is a legitimate case or a clever attack on your system. Instructions for reporting false positives are detailed on the Reporting False Positives wiki page.


Tuning Recommendations

None.

Similar Rules

HIDS 550

Knowledge Base Articles

None.

Outside References
