Difference between revisions of "HIDS 5703"
Latest revision as of 20:17, 22 July 2011
Rule ID
5703
Status
Possible breakin attempt (high number of reverse lookup errors).
Description
This rule fires when an application, such as sshd, reports a high number of reverse lookup errors. The application (not ASL) performs the reverse lookup and reports that the reverse lookup mapping has failed.
A reverse lookup error occurs when your application tries to determine the fully qualified domain name (FQDN) for an IP address. It then looks up that fully qualified name to check that it resolves back to the same IP address. If the two do not match, this is a reverse mapping error. This may indicate that someone is spoofing the fully qualified domain name to try to trick your system into allowing them to log in.
For example, when an application such as SSH generates an error message such as this:
servername sshd[12345]: reverse mapping checking getaddrinfo for www.example.com failed - POSSIBLE BREAK-IN ATTEMPT!
A system has connected to your ssh server; in this case, let's say the system's IP address is 1.2.3.4. The sshd service then performs what is called a "reverse lookup" on the IP address to determine the fully qualified domain name for 1.2.3.4. The DNS server, in this example, claims that the FQDN for 1.2.3.4 is "www.example.com". Because anyone can return any FQDN they want from their DNS server (even a fake one), this answer alone is not an accurate way of determining whether the mapping is correct. To verify the answer, the process now needs to be reversed. So in this example, sshd then conducts a DNS query asking the authoritative DNS server for www.example.com what the IP address of www.example.com is. If that DNS server returns an address that is different from 1.2.3.4, say 4.5.6.7, then the reverse mapping has failed: the IP address for www.example.com is 4.5.6.7, not 1.2.3.4, so 1.2.3.4 is not www.example.com. This could mean that someone is trying to spoof the www.example.com DNS record.
This can also occur if someone made a mistake with their DNS names, or, as sometimes happens, the forward and reverse records are not kept up to date with each other. If you believe that is the case, contact the DNS operators for both the domain name and the IP address.
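The forward-confirmed reverse lookup the description walks through (a PTR answer for 1.2.3.4, then a forward query for www.example.com), as an added example that is not sshd's or ASL's code. The PTR and A tables are constructed to reproduce the page's 1.2.3.4 / 4.5.6.7 case, and the status names are my own.

```python
"""Forward-confirmed reverse DNS, the check sshd performs before logging the
'reverse mapping checking ... failed' message, simulated against constructed
records so it runs offline (added example, not ASL or sshd code)."""
from ipaddress import ip_address

# Constructed records reproducing the page's example: the PTR for 1.2.3.4
# claims www.example.com, but www.example.com really resolves to 4.5.6.7.
PTR_RECORDS = {"1.2.3.4": "www.example.com", "4.5.6.7": "www.example.com"}
A_RECORDS = {"www.example.com": ["4.5.6.7"]}

def reverse_lookup(ip, ptr=PTR_RECORDS):
    """Step 1: ask the resolver which FQDN it claims for the client address."""
    return ptr.get(str(ip_address(ip)))

def forward_lookup(fqdn, a=A_RECORDS):
    """Step 2: resolve that FQDN to every address its own zone publishes."""
    return a.get(fqdn.lower().rstrip("."), [])

def check_reverse_mapping(ip, ptr=PTR_RECORDS, a=A_RECORDS):
    """Return ('ok' | 'no-ptr' | 'mismatch', claimed_fqdn). The PTR claim is
    only trusted when the forward answer contains the original client address."""
    claimed = reverse_lookup(ip, ptr)
    if claimed is None:
        return "no-ptr", None
    if str(ip_address(ip)) in forward_lookup(claimed, a):
        return "ok", claimed
    return "mismatch", claimed

def sshd_style_message(ip, ptr=PTR_RECORDS, a=A_RECORDS):
    """Produce the log text sshd emits for a mismatch, None otherwise."""
    status, claimed = check_reverse_mapping(ip, ptr, a)
    if status != "mismatch":
        return None
    return (f"reverse mapping checking getaddrinfo for {claimed} "
            "failed - POSSIBLE BREAK-IN ATTEMPT!")

if __name__ == "__main__":
    for client in ("1.2.3.4", "4.5.6.7", "9.9.9.9"):
        print(client, check_reverse_mapping(client), sshd_style_message(client))
```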
False Positives
There are no known false positives for this rule. This rule simply reports when your application reports that this has occurred. If your application is in error, please contact your application vendor for assistance. If the DNS servers are in error, please contact the DNS operators. And if the DNS software is incorrectly reporting this information to your application, please contact your DNS vendor.
Tuning Recommendations
None.
Similar Rules
Knowledge Base Articles
None.
Outside References
Notes
ASL has no control over the message generated by your application (in this case sshd). This message is generated by the application; it is not generated by ASL, nor is it something ASL can control. ASL is just listening to what your application is "saying", analyzing the "message" and then reporting its significance to you based on its internal understanding of those messages and of other events that may (or may not) be occurring on the system.
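One way the "high number" side of the rule can be modelled, as an added example rather than ASL's own correlation logic: parse the sshd message described above out of syslog lines and alert when one host reports it repeatedly within a short window. The threshold, window length, year and sample log lines are constructed assumptions.

```python
"""Counts sshd reverse-mapping failures per host and flags bursts (added example, not ASL code)."""
import re
from collections import defaultdict
from datetime import datetime

# Bare form shown on this page, plus the bracketed client address later sshd releases add.
REVERSE_MAP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"reverse mapping checking getaddrinfo for (?P<fqdn>\S+)"
    r"(?: \[(?P<ip>[^\]]+)\])? failed - POSSIBLE BREAK-IN ATTEMPT!$"
)

def parse_line(line, year=2011):
    """Return (timestamp, host, fqdn, ip-or-None) for a matching line, else None."""
    m = REVERSE_MAP_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["fqdn"], m["ip"]

def find_bursts(lines, threshold=4, window_seconds=120, year=2011):
    """Flag each host with >= threshold failures inside some window_seconds span.
    Returns {host: (largest count in one window, sorted FQDNs in that window)}."""
    per_host = defaultdict(list)
    for line in lines:
        parsed = parse_line(line, year)
        if parsed:
            per_host[parsed[1]].append(parsed)
    alerts = {}
    for host, events in per_host.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):  # sliding window over the sorted events
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(host, (0, []))[0]:
                alerts[host] = (count, sorted({e[2] for e in events[start:end + 1]}))
    return alerts

# Constructed sample log: four failures from one host within about a minute, with
# one ordinary login in between that the parser must ignore.
SAMPLE_LOG = """\
Jul 22 20:10:01 servername sshd[12345]: reverse mapping checking getaddrinfo for www.example.com failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 22 20:10:09 servername sshd[12346]: reverse mapping checking getaddrinfo for www.example.com [1.2.3.4] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 22 20:10:30 servername sshd[12347]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Jul 22 20:10:41 servername sshd[12348]: reverse mapping checking getaddrinfo for host.example.net [1.2.3.4] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 22 20:11:02 servername sshd[12349]: reverse mapping checking getaddrinfo for www.example.com [1.2.3.4] failed - POSSIBLE BREAK-IN ATTEMPT!
""".splitlines()
```

Running `find_bursts(SAMPLE_LOG)` flags servername with four failures in 61 seconds across both claimed names; a single mismatch on its own never trips the threshold.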