SID 1:254

Report a false positive

Rule Category

PROTOCOL-DNS -- Snort alerted on a Domain Name Server (DNS) protocol issue. These packets travel over UDP on port 53 to serve DNS queries--user website requests through a browser. Several vulnerability use-cases exist (ie, additional data could be sent with a request, which would contact a DNS server pre-prepared to send information back and forth).

Alert Message

PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority

Rule Explanation

This event is generated when a DNS spoof query response is detected. Impact: Potentially Bad Traffic Details: Ease of Attack:

What To Look For

This event is generated when a DNS spoof query response is detected.

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

Rule Groups

No rule groups

CVE

None

Rule Vulnerability

No information provided

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.

None

MITRE ATT&CK Framework

Tactic: Initial Access

Technique: Spearphishing via Service

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org