C2-Domains in Host Alias cause false positives 💀

Started by guru_meditation, January 23, 2025, 01:55:02 PM

January 23, 2025, 01:55:02 PM Last Edit: January 23, 2025, 02:15:07 PM by guru_meditation
Hi,

first of all I want to thank you for developing OPNSense. You are doing a super job!
We migrated from pfSense and operate several OPNSense instances today.

This post is about false positives caused by C2-Domains in a HOST ALIAS,
which is used by a floating rule to block traffic and log it.
Let me explain.

1. We observed (a few weeks ago) a stealer alert by Suricata.
2. To minimize risk, we gathered C2 domain names (of Lumma Stealer, in our case) to check for suspicious outbound traffic.
3. I created a host alias and added the C2 domains.
4. Added a floating block rule using this alias.
5. As a result, we continuously saw blocked C2 traffic in the firewall and Unbound logs.
6. We interpreted those as a sign of either compromised hosts or even the OPNSense being compromised.

I nearly went crazy.
We had shut down development and production networks for weeks.
Despite full-on scanning and manual investigation, we still had no proof of actually compromised hosts.


Then I found the reason:
OPNSense checks domains in a host alias every 300 seconds. 💡
Source: https://docs.opnsense.org/manual/aliases.html
I could reproduce this behaviour.


I have the following questions:

1. Would it be possible to add a hint in the UI to inform users of this behaviour?
2. How to block and log C2 domains without leaking (at least this seems to happen) the domains and getting confusing behaviour?
3. Is it possible to disable polling every 300 seconds?


I hope I have not overlooked an existing forum entry.
If so, please excuse :-)

January 23, 2025, 02:20:07 PM #1 Last Edit: January 23, 2025, 02:24:16 PM by Seimus
I understand your standpoint, but:

> 1. Would it be possible to add a hint in the UI to inform users of this behavior?
Why?

We have the documentation for it, if you are going to implement something it should be studied against the documentation, what it does, how it does and how it behaves.

The hint could be implemented, but wouldn't that just be creating redundant information that is already provided in the docs?

> 2. Is there a better way to achieve the same goal without leaking (at least this seems to happen) the domains and getting confusing behaviour?
You mean the alias is leaking the domains? Or what do you mean by leaking?

For the first, I would not say it does any leaking. It just resolves the domain to get a valid, updated IP; the FW does DNS queries for these domains towards the configured DNS server. If you put in a domain example.com, you need its IP on which the rules can perform the action. If the logging bothers you, you can disable the logging of the floating rule into the live log.

But how did you setup the floating rule? If the DNS queries for this alias are made they can not hit the rule, because the actual domain query is in the payload not in the header.

If you don't want to have these resolved via DNS, you would have to use an IP-based alias, but then how do you keep it updated?

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

That's expected behavior from the firewall component. It cannot filter based on hostnames but only on IPs and ports.
You should use a DNS blocklist with unbound for your purpose. That way you won't get these expected name resolutions.
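An added example, not part of any post in this thread: a small Python classifier that reads Unbound query-log lines and separates the firewall's own periodic alias lookups (the 300-second refresh described above, issued from the firewall itself) from lookups made by clients on the network, which are the ones that actually warrant investigation. The log lines, domain names and IPs are constructed placeholders; the assumptions that alias lookups arrive from the loopback address and that 30 seconds of jitter is acceptable are mine.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the shape of Unbound's query log (log-queries: yes):
# "... info: <client ip> <qname> <qtype> <qclass>". The names are placeholders,
# not real C2 domains; the source IPs are invented for this example.
SAMPLE_LOG = """\
Jan 23 13:55:02 fw unbound[1234]: [1234:0] info: 127.0.0.1 c2-placeholder.example. A IN
Jan 23 14:00:02 fw unbound[1234]: [1234:0] info: 127.0.0.1 c2-placeholder.example. A IN
Jan 23 14:02:41 fw unbound[1234]: [1234:0] info: 192.168.10.23 c2-placeholder.example. A IN
Jan 23 14:03:10 fw unbound[1234]: [1234:0] info: 192.168.10.23 updates.example. A IN
Jan 23 14:05:02 fw unbound[1234]: [1234:0] info: 127.0.0.1 c2-placeholder.example. A IN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ unbound\[\d+\]: \[[\d:]+\] info: "
    r"(?P<src>[0-9a-fA-F.:]+) (?P<qname>\S+) (?P<qtype>\S+) IN$"
)
ALIAS_REFRESH_SECONDS = 300              # host alias re-resolution interval from the OPNsense docs
TOLERANCE_SECONDS = 30                   # assumption: allow some jitter around that interval
FIREWALL_SOURCES = {"127.0.0.1", "::1"}  # assumption: alias lookups originate on the firewall

def parse(log_text, year=2025):
    """Yield (timestamp, source ip, normalised qname) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["src"], m["qname"].rstrip(".").lower()

def classify(log_text, watchlist):
    """For each watch-listed name, separate the firewall's own periodic alias
    lookups from queries made by clients on the network."""
    watch = {n.rstrip(".").lower() for n in watchlist}
    fw_times, clients = defaultdict(list), defaultdict(set)
    for ts, src, qname in parse(log_text):
        if qname not in watch:
            continue
        (fw_times[qname].append(ts) if src in FIREWALL_SOURCES
         else clients[qname].add(src))
    report = {}
    for qname in watch:
        times = sorted(fw_times[qname])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = bool(gaps) and all(
            abs(g - ALIAS_REFRESH_SECONDS) <= TOLERANCE_SECONDS for g in gaps)
        report[qname] = {
            "firewall_queries": len(times),
            "periodic_refresh": periodic,              # expected noise from the alias itself
            "client_sources": sorted(clients[qname]),  # hosts that actually warrant a look
        }
    return report

if __name__ == "__main__":
    for name, info in classify(SAMPLE_LOG, {"c2-placeholder.example"}).items():
        print(name, info)
```

On a real box, feed it the Unbound log with query logging enabled; an entry with only periodic loopback queries and an empty client list is the alias refresh, not a compromised host.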