IPS stopped working

Hi,

That's the only thing I have in my IPS log:

(What is the newest pattern file? I got 203539. I suspect that the firewall also stopped the automatic downloading.

Where can I download those files manually?)

2021:09:14-19:26:22 matrix snort[17913]: Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3>
2021:09:14-19:26:22 matrix snort[17913]: Preprocessor Object: SF_SIP Version 1.1 <Build 1>
2021:09:14-19:26:22 matrix snort[17913]: Preprocessor Object: SF_POP Version 1.0 <Build 1>
2021:09:14-19:26:22 matrix snort[17913]: Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>
2021:09:14-19:26:22 matrix snort[17913]: Preprocessor Object: SF_IMAP Version 1.0 <Build 1>
2021:09:14-19:26:22 matrix snort[17913]: Preprocessor Object: SF_GTP Version 1.1 <Build 1>
2021:09:14-19:26:22 matrix snort[17913]: Preprocessor Object: SF_MODBUS Version 1.1 <Build 1>
2021:09:14-19:26:22 matrix snort[17913]: Preprocessor Object: SF_SMTP Version 1.1 <Build 9>
2021:09:14-19:26:22 matrix snort[17913]: Commencing packet processing (pid=17913)
2021:09:14-19:26:22 matrix snort[17913]: Decoding Raw IP4

On the other side I get bombarded with this:

14-Sep-2021 19:04:35.780 client @0x7fd050000cc8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:37.348 client @0x7fd05c015a78 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:37.500 client @0x7fd050000cc8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:39.788 client @0x7fd050000cc8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:40.364 client @0x7fd05c0104c8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:40.628 client @0x7fd050000cc8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:41.860 client @0x7fd05c0104c8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:44.396 client @0x7fd05c0104c8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:44.852 client @0x7fd050000cc8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:45.204 client @0x7fd050000cc8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:45.304 client @0x7fd05c0104c8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:45.444 client @0x7fd050000cc8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:48.103 client @0x7fd050005088 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:49.523 client @0x7fd05c0104c8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:49.639 client @0x7fd050005088 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:49.839 client @0x7fd05c0104c8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:51.667 client @0x7fd05c0104c8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied

So what's wrong with the IPS? That should be blocked via IPS!

[edited by: WolfgangS at 6:41 PM (GMT -7) on 14 Sep 2021]
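Added example, not code from the thread or from Sophos: a small Python script that parses BIND "denied" query lines like the ones above and groups them by client address, source port and query type, flagging groups that look like spoofed reflection traffic (repeated large-answer queries from one address with a fixed service port such as 80, where a real resolver would use an ephemeral port). The sample lines are constructed from the post's log format; the 192.0.2.10 line, the query-type set and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: four lines modelled on the BIND "query (cache) ... denied"
# entries in the post, plus one unrelated denied query from an ephemeral port.
SAMPLE_LOG = """\
14-Sep-2021 19:04:35.780 client @0x7fd050000cc8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:37.348 client @0x7fd05c015a78 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:37.500 client @0x7fd050000cc8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:39.788 client @0x7fd050000cc8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:05:02.000 client @0x7fd050000cc8 192.0.2.10#53411 (example.net): query (cache) 'example.net/A/IN' denied
"""

# One BIND "denied" line: timestamp, client address#port, (zone), 'name/type/class'.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client @0x[0-9a-f]+ "
    r"(?P<ip>[\d.]+)#(?P<port>\d+) \([^)]*\): query \([^)]*\) "
    r"'(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/IN' denied$"
)

# Assumed set of query types whose answers are large enough to amplify reflected traffic.
AMPLIFYING_QTYPES = {"RRSIG", "ANY", "DNSKEY", "TXT"}


def parse_denied(text):
    """Yield (timestamp, client_ip, source_port, qtype) for each denied-query line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
            yield ts, m["ip"], int(m["port"]), m["qtype"]


def find_reflection_candidates(text, min_queries=3, window_s=60):
    """Flag (client, port, qtype) groups with repeated amplifying queries inside
    window_s whose source port is a service port (< 1024): a resolver sends from an
    ephemeral port, so port 80 suggests the address is a spoofed victim web server."""
    groups = defaultdict(list)
    for ts, ip, port, qtype in parse_denied(text):
        groups[(ip, port, qtype)].append(ts)
    findings = []
    for (ip, port, qtype), stamps in groups.items():
        stamps.sort()
        span = (stamps[-1] - stamps[0]).total_seconds()
        if (len(stamps) >= min_queries and span <= window_s
                and qtype in AMPLIFYING_QTYPES and port < 1024):
            findings.append({"client": ip, "port": port, "qtype": qtype,
                             "count": len(stamps), "span_s": span})
    return findings
```

The resolver is already refusing these queries, so the log shows the DNS ACL working rather than the IPS failing; grouping the lines this way helps decide whether the source should simply be dropped at the firewall instead of logged.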
  • You know, Amodin, I'm thinking this is a DDoS and that pizzaseo.com is another victim of nefarious actors that have malware running in lots of places.

    I'm curious, Wolfgang, are those packets all on port 80? If so, you might replace your DNAT with Webserver Protection. Does that give you a better result?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA