IPS stopped working

Hi,

That's the only thing I have in my IPS log:

(What is the newest pattern file? I have 203539. I suspect that the firewall also stopped the automatic downloading.

Where can I download those files manually?)

2021:09:14-19:26:22 matrix snort[17913]: Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3>
2021:09:14-19:26:22 matrix snort[17913]: Preprocessor Object: SF_SIP Version 1.1 <Build 1>
2021:09:14-19:26:22 matrix snort[17913]: Preprocessor Object: SF_POP Version 1.0 <Build 1>
2021:09:14-19:26:22 matrix snort[17913]: Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>
2021:09:14-19:26:22 matrix snort[17913]: Preprocessor Object: SF_IMAP Version 1.0 <Build 1>
2021:09:14-19:26:22 matrix snort[17913]: Preprocessor Object: SF_GTP Version 1.1 <Build 1>
2021:09:14-19:26:22 matrix snort[17913]: Preprocessor Object: SF_MODBUS Version 1.1 <Build 1>
2021:09:14-19:26:22 matrix snort[17913]: Preprocessor Object: SF_SMTP Version 1.1 <Build 9>
2021:09:14-19:26:22 matrix snort[17913]: Commencing packet processing (pid=17913)
2021:09:14-19:26:22 matrix snort[17913]: Decoding Raw IP4

On the other side, I get bombarded with this:

14-Sep-2021 19:04:35.780 client @0x7fd050000cc8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:37.348 client @0x7fd05c015a78 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:37.500 client @0x7fd050000cc8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:39.788 client @0x7fd050000cc8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:40.364 client @0x7fd05c0104c8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:40.628 client @0x7fd050000cc8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:41.860 client @0x7fd05c0104c8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:44.396 client @0x7fd05c0104c8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:44.852 client @0x7fd050000cc8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:45.204 client @0x7fd050000cc8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:45.304 client @0x7fd05c0104c8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:45.444 client @0x7fd050000cc8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:48.103 client @0x7fd050005088 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:49.523 client @0x7fd05c0104c8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:49.639 client @0x7fd050005088 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:49.839 client @0x7fd05c0104c8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:51.667 client @0x7fd05c0104c8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied

So what's wrong with the IPS? That should be blocked by the IPS!



[edited by: WolfgangS at 6:41 PM (GMT -7) on 14 Sep 2021]
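Added example, not part of this thread or of Sophos UTM / BIND: a small Python triage script for bind9 `query ... denied` lines in the shape posted above. It parses each line, groups denied queries per client IP, and flags a client that sends many denied queries for one name within a short window while rotating source ports, which is the pattern the post shows. The sample log is constructed for the example (RFC 5737 documentation addresses and a placeholder domain, not the IP or domain from the post); the thresholds are assumptions to tune for your own server.

```python
"""Triage BIND 9 'query ... denied' log lines for a port-rotating flood pattern.

Added example; not part of the forum thread or of Sophos UTM / BIND.
SAMPLE_LOG is constructed in the shape of the posted bind9 lines, using
RFC 5737 documentation addresses and a placeholder domain.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Shape of a BIND 9 denied-query line, e.g.
# 14-Sep-2021 19:04:35.780 client @0x7fd050000cc8 198.51.100.7#80 (example.test): query (cache) 'example.test/RRSIG/IN' denied
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<hint>[^)]*)\): query \((?P<kind>\w+)\) "
    r"'(?P<qname>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^']+)' denied$"
)

# Constructed sample: one client rotating source ports (80, 15666, 443, ...)
# against a single RRSIG name, two benign denied lookups from another client,
# and one unrelated snort line that must be ignored.
SAMPLE_LOG = """\
14-Sep-2021 19:04:35.780 client @0x7fd050000cc8 198.51.100.7#80 (example.test): query (cache) 'example.test/RRSIG/IN' denied
14-Sep-2021 19:04:37.348 client @0x7fd05c015a78 198.51.100.7#80 (example.test): query (cache) 'example.test/RRSIG/IN' denied
14-Sep-2021 19:04:37.500 client @0x7fd050000cc8 198.51.100.7#15666 (example.test): query (cache) 'example.test/RRSIG/IN' denied
14-Sep-2021 19:04:39.788 client @0x7fd050000cc8 198.51.100.7#443 (example.test): query (cache) 'example.test/RRSIG/IN' denied
14-Sep-2021 19:04:40.364 client @0x7fd05c0104c8 198.51.100.7#80 (example.test): query (cache) 'example.test/RRSIG/IN' denied
14-Sep-2021 19:04:40.628 client @0x7fd050000cc8 198.51.100.7#53 (example.test): query (cache) 'example.test/RRSIG/IN' denied
14-Sep-2021 19:04:41.860 client @0x7fd05c0104c8 198.51.100.7#15666 (example.test): query (cache) 'example.test/RRSIG/IN' denied
14-Sep-2021 19:04:44.396 client @0x7fd05c0104c8 198.51.100.7#80 (example.test): query (cache) 'example.test/RRSIG/IN' denied
14-Sep-2021 19:04:44.852 client @0x7fd050000cc8 198.51.100.7#8080 (example.test): query (cache) 'example.test/RRSIG/IN' denied
14-Sep-2021 19:04:45.204 client @0x7fd050000cc8 198.51.100.7#80 (example.test): query (cache) 'example.test/RRSIG/IN' denied
14-Sep-2021 19:04:49.523 client @0x7fd05c0104c8 198.51.100.7#15666 (example.test): query (cache) 'example.test/RRSIG/IN' denied
14-Sep-2021 19:04:51.667 client @0x7fd05c0104c8 198.51.100.7#80 (example.test): query (cache) 'example.test/RRSIG/IN' denied
14-Sep-2021 19:04:46.001 client @0x7fd050005088 192.0.2.10#51234 (host.internal.test): query (cache) 'host.internal.test/A/IN' denied
14-Sep-2021 19:04:47.002 client @0x7fd050005088 192.0.2.10#51235 (host.internal.test): query (cache) 'host.internal.test/AAAA/IN' denied
2021:09:14-19:26:22 matrix snort[17913]: Commencing packet processing (pid=17913)
"""


@dataclass
class ClientStats:
    count: int = 0
    ports: set = field(default_factory=set)
    qnames: set = field(default_factory=set)
    qtypes: set = field(default_factory=set)
    first: Optional[datetime] = None
    last: Optional[datetime] = None


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one denied-query line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    rec["port"] = int(rec["port"])
    return rec


def summarize(lines) -> dict:
    """Aggregate denied queries per client IP: count, source ports, names, time span."""
    stats = defaultdict(ClientStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a BIND denied-query line (e.g. the snort line)
        s = stats[rec["ip"]]
        s.count += 1
        s.ports.add(rec["port"])
        s.qnames.add(rec["qname"].lower())
        s.qtypes.add(rec["qtype"])
        s.first = rec["ts"] if s.first is None else min(s.first, rec["ts"])
        s.last = rec["ts"] if s.last is None else max(s.last, rec["ts"])
    return dict(stats)


def flag_reflection_probes(stats: dict, min_queries=10, min_ports=3, window_s=60) -> list:
    """Flag clients with many denied queries for few names, from many source ports,
    inside a short window. Thresholds are assumptions for this example.

    The client IP in such a flood is commonly spoofed, so treat it as the
    reflection target, not as the attacker, before blocking it anywhere.
    """
    findings = []
    for ip, s in stats.items():
        span = (s.last - s.first).total_seconds() if s.count > 1 else 0.0
        if (s.count >= min_queries and len(s.ports) >= min_ports
                and len(s.qnames) <= 2 and span <= window_s):
            findings.append({"ip": ip, "queries": s.count, "ports": sorted(s.ports),
                             "qnames": sorted(s.qnames), "qtypes": sorted(s.qtypes),
                             "seconds": round(span, 3)})
    return findings


if __name__ == "__main__":
    for f in flag_reflection_probes(summarize(SAMPLE_LOG.splitlines())):
        print(f)
```

Feed it the real `named` log instead of SAMPLE_LOG to see which source IPs carry the flood and how many ports they rotate through. A "denied" line already means BIND refused to answer, so the server is not amplifying; the remaining cost is the log volume and the inbound packets themselves, which is where a firewall rule or rate limit belongs.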
  • Thanks. Been reading up on this domain a bit, and this seems to be one that always does this with DNSSEC enabled or if you are hosting your own DNS. pizzaseo.com RRSIG IN denied - vServer / Server / KVM-Server - netcup Community

    It appears people are just literally turning off their name servers, or getting the ISP to block all that traffic from this domain for them. I can't see why this has been such an issue with this domain for so long, though; it's insane how many posts there are about this one.

    UTM - 9.707 | Intel i3-4150 4th Gen Processor
    16GB Memory | 500GB SATA HDD | GB Ethernet x5

  • You know, Amodin, I'm thinking this is a DDoS and that pizzaseo.com is another victim of nefarious actors that have malware running in lots of places.

    I'm curious, Wolfgang, are those packets all on port 80? If so, you might replace your DNAT with Webserver Protection. Does that give you a better result?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi BAlfson,

    Not only 80... they use all the ports they can get:

    They run an attack with IP xxx and port 80; after that they have a new IP yyy and port 15666, and so on.

    So I guess Webserver Protection will not help, or am I wrong?

  • You're right, Wolfgang, Webserver Protection wouldn't help.

    Where are the lines in the second set above from? I don't recognize them as coming from the UTM.

    If they're from another device, show us the Edit of the DNAT that gets them there.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi BAlfson,

    The second set is from the bind9 log, not from the UTM.