Someone may find this information useful...
Yeah.. so I've gone a bit paranoid with all the ransomware attacks... revisited my firewall rules and IPS rules for cleanup...
To be safe I activated ALL the IPS rules... anyway, all good, but IPS logs were filling up with warnings on
"PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt"
on port 53 from the UTM to machines on Internal (i.e. DNS).
My UTM serves DNS to Internal, so "dropping" the packets isn't a good idea as websites won't resolve :)
I don't use a "TMG Firewall", so just disabled the rule (Snort 19187) and all is good.