
Excessive IPS detections

Hi,


I was wondering if anyone else has experienced a ramp up in the last few days on UTM9 appliances with the IPS module.

As of a few days now, my IPS attack detections have gone up ten-fold.


I spotted a particular signature triggering these detections:

44077 INDICATOR-COMPROMISE Suspicious .win dns query


After investigating the sources causing the triggers to go off (DC/DNS servers), all seems normal and nothing was changed on them to warrant such activity.


Were there some changes made to the IPS signatures recently that could be causing this?


Thank you!

  • Salut Donde,

    This appears to be your internal DNS trying to get name resolution for ???.???.win, a top-level domain known to be used frequently by bot-masters. The DNS log in your DC should be able to identify the infected device.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Many thanks for that pointer Bob.

    I have turned on debugging for UDP requests and will wait and see.


    Was quiet today - which leads me to think it might indeed be an infected device somewhere and not a signature false-positive.


    Will post my findings.
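Bob's pointer to the DC's DNS log, combined with the UDP debug logging the original poster turned on, suggests a concrete check. The following is an added example and not from any participant in the thread: it parses lines in the Windows DNS Server debug-log layout (the sample lines, internal addresses and .win names below are constructed) and reports which internal client sent queries for a .win name, skipping the server's own forwarded (Snd) queries so the result points at the endpoint rather than the forwarder.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the Windows DNS Server debug-log layout (date, time,
# thread id, PACKET, pointer, protocol, Rcv/Snd, remote IP, XID, Q/R, flags, qtype,
# name in label-length notation). Addresses and .win names are made up.
SAMPLE_LOG = """\
1/15/2018 9:00:01 AM 0A2C PACKET  000000D4B3A2C1E0 UDP Rcv 192.168.1.50   0002   Q [0001   D   NOERROR] A      (7)updates(9)microsoft(3)com(0)
1/15/2018 9:00:02 AM 0A2C PACKET  000000D4B3A2C1F0 UDP Rcv 192.168.1.77   0003   Q [0001   D   NOERROR] A      (4)xk3f(6)qwerty(3)win(0)
1/15/2018 9:00:02 AM 0A2C PACKET  000000D4B3A2C200 UDP Snd 8.8.8.8        a1b2   Q [0001   D   NOERROR] A      (4)xk3f(6)qwerty(3)win(0)
1/15/2018 9:00:03 AM 0A2C PACKET  000000D4B3A2C210 UDP Rcv 192.168.1.77   0004   Q [0001   D   NOERROR] A      (5)pz91d(6)qwerty(3)win(0)
1/15/2018 9:00:04 AM 0A2C PACKET  000000D4B3A2C220 UDP Rcv 192.168.1.12   0005   Q [0001   D   NOERROR] A      (6)darwin(3)net(0)
1/15/2018 9:00:05 AM 0A2C PACKET  000000D4B3A2C230 UDP Rcv 192.168.1.77   0006   Q [0001   D   NOERROR] AAAA   (4)xk3f(6)qwerty(3)win(0)
"""

LINE_RE = re.compile(
    r"(?P<proto>UDP|TCP) (?P<dir>Rcv|Snd) (?P<ip>\S+)\s+\S+\s+(?P<qr>Q|R) "
    r"\[[^\]]*\]\s+(?P<qtype>\S+)\s+(?P<name>(?:\(\d+\)[^()\s]*)+)"
)


def decode_name(label_field: str) -> str:
    """Turn '(4)xk3f(6)qwerty(3)win(0)' into 'xk3f.qwerty.win'."""
    labels = []
    for length, label in re.findall(r"\((\d+)\)([^()]*)", label_field):
        if int(length) == 0:
            break  # the (0) root label terminates the name
        if len(label) != int(length):
            raise ValueError(f"label length mismatch in {label_field!r}")
        labels.append(label)
    return ".".join(labels)


def clients_querying_tld(log_text: str, suspicious_tld: str = "win") -> dict:
    """Map client IP -> Counter of FQDNs for received (Rcv) queries whose last
    label is the given TLD. Snd lines are the server's own forwarded queries to
    upstream resolvers and are skipped, so the result names the internal host.
    Only the final label is compared, so 'darwin.net' does not match 'win'."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["dir"] != "Rcv" or m["qr"] != "Q":
            continue
        name = decode_name(m["name"])
        if name.rsplit(".", 1)[-1].lower() == suspicious_tld.lower():
            hits[m["ip"]][name] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, names in clients_querying_tld(SAMPLE_LOG).items():
        print(ip, dict(names))  # 192.168.1.77 {'xk3f.qwerty.win': 2, 'pz91d.qwerty.win': 1}
```

Point it at the real dns.log exported from the DC instead of SAMPLE_LOG; the same Rcv-only filter keeps the forwarder's own upstream traffic from being mistaken for a client.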