[SRX] DNS signature is marked as Severity:Major, but not found in predefined attack group

Article ID: KB31857 | Last Updated: 29 Jun 2017 | Version: 1.0
Summary:
A signature is reported with Severity: Major and Category: DNS, but it is not listed in the predefined attack group "DNS - Major". This article explains how to inspect a signature and find the predefined attack group it actually belongs to.
Symptoms:

Check the signature with the command show security idp attack detail. This example uses DNS:ISC-BIND-CNAME-DNAME-DOS:
 
root@SRX-550-1> show security idp attack detail DNS:ISC-BIND-CNAME-DNAME-DOS
Display Name: DNS: ISC BIND Referral CNAME and DNAME Assertion Failure Denial of Service
Severity: Major
Category: DNS
 

The signature shows Category: DNS and Severity: Major, yet it is not a member of the predefined attack group "DNS - Major". The group definitions live in the IDP signature set file; `| find` starts the output at the first line that matches the group name:

root@SRX-550-1> file show /var/db/idpd/sets/idp1.set | find "DNS - Major"
                                        :"DNS - Major" ("DNS - Major"
                                                :type (group)
                                                :group (
                                                        :members (
                                                                : ("DNS:BIND-RRSIG-QUERY-DOS")
                                                                : ("DNS:ISC-ASSERTION-DOS")
                                                                : ("DNS:ISC-BIND-RPZ-DOS")
                                                                : ("DNS:MUL-VEND-TXT-BOF")
                                                                : ("DNS:NGINX-RESOLVER-DOS")
                                                                : ("DNS:OVERFLOW:HOSTNAME-OF")
                                                                : ("DNS:OVERFLOW:NOOP-RQUERY")
                                                                : ("DNS:OVERFLOW:TRANSPOOF-3")
                                                                : ("DNS:PDNS-AUTHSERV-DOS")
                                                                : ("DNS:QUERY:BIND-IQUERY-BO")
                                                                : ("DNS:QUERY:NULL-QUERY")
                                                                : ("DNS:SYMANTEC-CACHE-POIS")
                                                                : ("DNS:WORDPRESS-SOAK-SOAK-MALWARE")
Cause:
From its name, you might assume that "DNS - Major" contains every DNS signature of Major severity. It does not: the Major-severity DNS signatures are split across three predefined groups according to traffic direction and performance cost:
  • DNS - Major = client-to-server signatures + performance friendly
  • Response_DNS - Major = (server-to-client-only signatures, and signatures that cover both server-to-client and client-to-server, i.e. STC with CTS) + performance friendly
  • Misc_DNS - Major = (client-to-server OR server-to-client signatures) + performance intensive
 
The example signature DNS:ISC-BIND-CNAME-DNAME-DOS is a member of "Misc_DNS - Major", not of "DNS - Major":
 
root@SRX-550-2> file show /var/db/idpd/sets/idp1.set | find "Misc_DNS - Major"
                                        :Misc_DNS - Major (Misc_DNS - Major
                                                :type (group)
                                                :group (
                                                        :members (
                                                                : (DNS:AUDIT:UNASSIGNED-OPCODE)
                                                                : (DNS:AUDIT:Z-RESERVED-OPT)
                                                                : (DNS:BIND-RRSIG-DOS-2)
                                                                : (DNS:BIND9-ASSERT-DOS)
                                                                : (DNS:DNAME-RESPONSE-DOS)
                                                                : (DNS:DYNAMICUPDATE)
                                                                : (DNS:EXPLOIT:BIND-KEYPARSE-DOS)
                                                                : (DNS:EXPLOIT:BIND-OPENPGPKEY-DOS)
                                                                : (DNS:EXPLOIT:CLIBCVE-2015-7547BO)
                                                                : (DNS:EXPLOIT:ISC-BIND-DNS64-RPZ)
                                                                : (DNS:EXPLOIT:LIBCVE-2015-7547BO2)
                                                                : (DNS:EXPLOIT:MS-WIN-NAT-HLPR-DOS)
                                                                : (DNS:ISC-BIND-ANY-DOS)
                                                                : (DNS:ISC-BIND-ASSERT-DOS)
                                                                : (DNS:ISC-BIND-CNAME-DNAME-DOS)
                                                                : (DNS:ISC-BIND-CVE-2016-9444-DOS)
                                                                : (DNS:ISC-BIND-DNSSEC-DOS)
                                                                : (DNS:ISC-BIND-DOS)
                                                                ...
Solution:
Check all three groups in the set file to see which one contains the signature, then reference that group (not only "DNS - Major") in the IDP policy rule. Predefined groups cannot be edited; the fix is to make the rule match the group the signature actually belongs to.

To add all DNS major signatures, include all three groups shown below:
  • DNS - Major
  • Response_DNS - Major
  • Misc_DNS - Major
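The policy change this solution calls for, shown as an added example that is not part of the original article: a Junos IDP rule in set format that first references only "DNS - Major" (and therefore never matches DNS:ISC-BIND-CNAME-DNAME-DOS), followed by the corrected rule that references all three Major groups. The policy name DNS-MAJOR, the rule name DNS-MAJOR, the security policy name DNS-SERVERS and the zones untrust/trust are assumptions; the lines beginning with # are annotations, not commands.

```junos
# Before (assumed policy name DNS-MAJOR): the rule references only "DNS - Major",
# so DNS:ISC-BIND-CNAME-DNAME-DOS, which lives in "Misc_DNS - Major", is never inspected.
set security idp idp-policy DNS-MAJOR rulebase-ips rule DNS-MAJOR match from-zone untrust to-zone trust
set security idp idp-policy DNS-MAJOR rulebase-ips rule DNS-MAJOR match application default
set security idp idp-policy DNS-MAJOR rulebase-ips rule DNS-MAJOR match attacks predefined-attack-groups "DNS - Major"
set security idp idp-policy DNS-MAJOR rulebase-ips rule DNS-MAJOR then action drop-connection
set security idp idp-policy DNS-MAJOR rulebase-ips rule DNS-MAJOR then notification log-attacks

# After: reference all three Major-severity DNS groups. predefined-attack-groups is a
# leaf-list, so this set appends; the existing "DNS - Major" entry is kept and the
# other two groups are added alongside it.
set security idp idp-policy DNS-MAJOR rulebase-ips rule DNS-MAJOR match attacks predefined-attack-groups [ "DNS - Major" "Response_DNS - Major" "Misc_DNS - Major" ]

# Activate the policy and send the zone pair's traffic through IDP. Releases of the
# article's era select the policy with active-policy; Junos 18.2 and later bind the
# IDP policy per security policy under application-services idp-policy instead.
set security idp active-policy DNS-MAJOR
set security policies from-zone untrust to-zone trust policy DNS-SERVERS then permit application-services idp
```

After commit, confirm the active policy with show security idp status, and confirm the signature's metadata with show security idp attack detail DNS:ISC-BIND-CNAME-DNAME-DOS as in the Symptoms section. Because "Misc_DNS - Major" is the performance-intensive group, watch IDP CPU after enabling it on a busy DNS path.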