
Intrusion Prevention System

Hi,


I'm pretty new on the forum so please bear with me. I'm using SG430 


I noticed on the Intrusion Prevention System Log that I started getting these logs:


firewall snort[27237]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .tk dns query" group="241" srcip="172.16.135.162" dstip="8.8.4.4" proto="17" srcport="61792" dstport="53" sid="39867" class="Misc activity" priority="3" generator="1" msgid="0"


The source IP is internal and the destination is Google. Not only that, I'm also getting another entry from the same source IP, but the destination IP is internal.



  • Hi, Paolo, and welcome to the UTM Community!

    The tk top-level-domain is known to be a home for unsavory sites, so, using Snort, the UTM's Advanced Threat Protection blocks DNS requests for all FQDNs in that TLD.

    Your final sentence is a possible indication of a misconfiguration, so, to echo Alex' suggestion, show the text of that email and tell us how your configuration compares to DNS best practice.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
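As an added example (not code from the thread, Sophos or Snort), here is a small Python triage script that parses the UTM's key="value" IPS log format quoted above and, for each source host, records which resolvers its dropped DNS queries were sent to, split into internal (RFC 1918) and public addresses. The sample lines are constructed to mirror the entry in the original post; the internal resolver address 172.16.1.10 and the unrelated httpproxy line are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input modelled on the UTM IPS entry quoted in this thread:
# line 1 is that entry (dstip 8.8.4.4), line 2 is a constructed variant of the
# "destination IP is internal" case, line 3 is a non-IPS line that must be ignored.
SAMPLE_LOG = """\
firewall snort[27237]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .tk dns query" group="241" srcip="172.16.135.162" dstip="8.8.4.4" proto="17" srcport="61792" dstport="53" sid="39867" class="Misc activity" priority="3" generator="1" msgid="0"
firewall snort[27237]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .tk dns query" group="241" srcip="172.16.135.162" dstip="172.16.1.10" proto="17" srcport="61793" dstport="53" sid="39867" class="Misc activity" priority="3" generator="1" msgid="0"
firewall httpproxy[4242]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" srcip="172.16.135.7" dstip="93.184.216.34"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str) -> dict:
    """Split one UTM log line into its key="value" fields (quoted values may contain spaces)."""
    return dict(KV_RE.findall(line))


def is_dns_ips_drop(fields: dict) -> bool:
    """True only for IPS drops of DNS traffic (UDP/17 or TCP/6 to port 53)."""
    return (fields.get("sub") == "ips" and fields.get("action") == "drop"
            and fields.get("dstport") == "53" and fields.get("proto") in ("6", "17"))


def summarise_dns_drops(log_text: str) -> dict:
    """Per source host: resolvers its blocked queries went to (internal vs public)
    and the Snort rule ids that fired, so the path each blocked lookup took is visible."""
    summary = defaultdict(lambda: {"internal": set(), "public": set(), "sids": set()})
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not is_dns_ips_drop(fields):
            continue
        entry = summary[fields["srcip"]]
        bucket = "internal" if ipaddress.ip_address(fields["dstip"]).is_private else "public"
        entry[bucket].add(fields["dstip"])
        entry["sids"].add(fields.get("sid", "?"))
    return dict(summary)


if __name__ == "__main__":
    for host, info in summarise_dns_drops(SAMPLE_LOG).items():
        print(host, "internal:", sorted(info["internal"]),
              "public:", sorted(info["public"]), "sids:", sorted(info["sids"]))
```

A host that appears under both "internal" and "public" is sending some DNS queries straight to an outside resolver instead of through the internal ones, which is the kind of detail worth comparing against the DNS best practice Bob refers to.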
  • We have two separate networks using VLANs, Corporate and Student. We have two internal DNS servers for Corporate and they both have forward lookup zones. The DNS for our students is being handled through the firewall (I think); the same goes for the DHCP for students.

    Following the DNS best practice, on the third thing to do I'm getting confused as to what to put in. Do I have to put in the actual IP in the "Domain" text box? Or the reverse lookup format with the DNS server IP? Or just the domain name?

    Now if I'm going to put the reverse lookup format, do I have to do it twice? since we have two internal DNS servers?


  • Just use the same Availability Group as you have for the Request Route for the domain.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA