Intrusion Prevention Alert (Packet dropped)

Question

Hi guys, I keep getting the following alert and just wondered if it was anything to worry about / look further into: 
 
 Intrusion Prevention Alert 
 An intrusion has been detected. The packet has been dropped automatically. 
 You can toggle this rule between "drop" and "alert only" in WebAdmin. 
 Details about the intrusion alert: 
 Message........: INDICATOR-COMPROMISE Suspicious .trade dns query 
 Details........: https://www.snort.org/search?query=44076 
 Time...........: 2017-10-19 14:29:01 
 Packet dropped.: yes 
 Priority.......: low 
 Classification.: Misc activity 
 IP protocol....: 17 (UDP) 
 
 Source IP address: **.*.*.** (ad.domain.zone) Source port: 55525 Destination IP address: 8.8.8.8 (google-public-dns-a.google.com) Destination port: 53 (domain) 
 
 Sophos UTM @ 
 
 -- 
 System Uptime : 35 days 10 hours 25 minutes 
 System Load : 0.35 
 System Version : Sophos UTM 9.503-4 
 
 Please refer to the manual for detailed instructions.

rsenio · Accepted Answer

There are quite a few threads about this sort of IPS message. Basically a PC on your network was surfing and something required a DNS look up to a .trade domain URL. I suspect the source IP in the message is whatever server your PC's are using for DNS. So your DNS server used it's forwarder(s) to try resolve the .trade domain for your internal PC it was blocked. 
 If you want to see which internal PC was actually making the DNS request to your internal DNS server for next time, setup DNS debugging like I have using the image below