IPS stopped working

Hi ,

That's the only thing I have in my IPS log:

(What is the newest pattern file? I got 203539. I suspect that the firewall also stopped the automatic downloading.

Where can I download those files manually?)

2021:09:14-19:26:22 matrix snort[17913]: Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3>
2021:09:14-19:26:22 matrix snort[17913]: Preprocessor Object: SF_SIP Version 1.1 <Build 1>
2021:09:14-19:26:22 matrix snort[17913]: Preprocessor Object: SF_POP Version 1.0 <Build 1>
2021:09:14-19:26:22 matrix snort[17913]: Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>
2021:09:14-19:26:22 matrix snort[17913]: Preprocessor Object: SF_IMAP Version 1.0 <Build 1>
2021:09:14-19:26:22 matrix snort[17913]: Preprocessor Object: SF_GTP Version 1.1 <Build 1>
2021:09:14-19:26:22 matrix snort[17913]: Preprocessor Object: SF_MODBUS Version 1.1 <Build 1>
2021:09:14-19:26:22 matrix snort[17913]: Preprocessor Object: SF_SMTP Version 1.1 <Build 9>
2021:09:14-19:26:22 matrix snort[17913]: Commencing packet processing (pid=17913)
2021:09:14-19:26:22 matrix snort[17913]: Decoding Raw IP4

On the other side I get bombarded with this:

14-Sep-2021 19:04:35.780 client @0x7fd050000cc8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:37.348 client @0x7fd05c015a78 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:37.500 client @0x7fd050000cc8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:39.788 client @0x7fd050000cc8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:40.364 client @0x7fd05c0104c8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:40.628 client @0x7fd050000cc8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:41.860 client @0x7fd05c0104c8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:44.396 client @0x7fd05c0104c8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:44.852 client @0x7fd050000cc8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:45.204 client @0x7fd050000cc8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:45.304 client @0x7fd05c0104c8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:45.444 client @0x7fd050000cc8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:48.103 client @0x7fd050005088 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:49.523 client @0x7fd05c0104c8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:49.639 client @0x7fd050005088 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:49.839 client @0x7fd05c0104c8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:51.667 client @0x7fd05c0104c8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied

So what's wrong with the IPS? That should be blocked via IPS!
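A small detector for the second log set, added here as an example; it is not part of the original thread and is not Sophos or BIND code. Those lines are in BIND's query-log format: "query (cache) '...' denied" is what named logs when it refuses a query under its allow-query-cache/recursion policy. The script parses lines of that shape, groups the denied queries by client IP, query name and query type, flags any group that exceeds a threshold inside a sliding time window, and records when every query in a group arrived from one fixed source port (port 80 in the pasted lines), because ordinary DNS clients send from randomized ephemeral ports. The sample log is constructed to mirror the pasted lines plus one low-rate entry and one Snort line that the parser must skip; the window length and threshold are assumptions.

```python
"""Flag floods of refused queries in BIND query-log lines.

Added example for this thread (not from the original post, Sophos or BIND).
Groups 'query (cache) ... denied' lines by (client IP, qname, qtype) and
reports groups that exceed THRESHOLD hits inside any WINDOW_SECONDS window.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed BIND query-log layout, as seen in the pasted lines:
# "14-Sep-2021 19:04:35.780 client @0x... 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client @0x[0-9a-f]+ (?P<ip>[\d.]+)#(?P<port>\d+) "
    r"\([^)]*\): query \(cache\) "
    r"'(?P<qname>[^/]+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied$"
)

WINDOW_SECONDS = 10.0   # assumption: sliding window length
THRESHOLD = 5           # assumption: denied queries per window that count as a flood

# Constructed sample: six pizzaseo.com lines like the pasted ones, one
# low-rate denied query from another client, and one Snort line to be skipped.
SAMPLE_LOG = """\
14-Sep-2021 19:04:35.780 client @0x7fd050000cc8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:37.348 client @0x7fd05c015a78 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:37.500 client @0x7fd050000cc8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:39.788 client @0x7fd050000cc8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:40.364 client @0x7fd05c0104c8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:40.628 client @0x7fd050000cc8 81.108.32.209#80 (pizzaseo.com): query (cache) 'pizzaseo.com/RRSIG/IN' denied
14-Sep-2021 19:04:41.100 client @0x7fd050000cc8 192.0.2.10#53211 (example.net): query (cache) 'example.net/A/IN' denied
2021:09:14-19:26:22 matrix snort[17913]: Commencing packet processing (pid=17913)
"""


def parse_line(line):
    """Return a dict for a BIND 'denied' query line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    rec["port"] = int(rec["port"])
    return rec


def find_floods(lines, window_seconds=WINDOW_SECONDS, threshold=THRESHOLD):
    """Map (ip, qname, qtype) -> (peak count in a window, fixed source port or None).

    Only groups whose peak reaches `threshold` are returned. The second tuple
    element is the single source port when every hit used the same one
    (suspicious for DNS, which normally uses random ephemeral ports).
    """
    windows = defaultdict(deque)   # key -> timestamps inside the current window
    ports = defaultdict(set)       # key -> distinct source ports seen
    peak = defaultdict(int)        # key -> largest window population seen
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["ip"], rec["qname"], rec["qtype"])
        q = windows[key]
        q.append(rec["ts"])
        ports[key].add(rec["port"])
        # Drop timestamps that fell out of the window ending at this line.
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[key] = max(peak[key], len(q))
    floods = {}
    for key, count in peak.items():
        if count >= threshold:
            seen = ports[key]
            floods[key] = (count, next(iter(seen)) if len(seen) == 1 else None)
    return floods


def summarize(floods):
    """Human-readable lines for each flagged group."""
    out = []
    for (ip, qname, qtype), (count, port) in sorted(floods.items()):
        note = f"all from source port {port}" if port is not None else "mixed source ports"
        out.append(f"{ip} -> {qname}/{qtype}: {count} denied in {WINDOW_SECONDS:.0f}s ({note})")
    return out


if __name__ == "__main__":
    for line in summarize(find_floods(SAMPLE_LOG.splitlines())):
        print(line)
```

Run it over `/var/log/named` output (or whatever file holds these lines) with `find_floods(open(path))`; a group that is flagged with a single fixed source port, as the pasted traffic is, is the one to look at for rate limiting or blocking at the firewall, while a flagged group with mixed ephemeral ports is more likely a misconfigured but genuine client.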

  • Because I can't answer your post directly @amodin, I'll post here...

    Yes, I am getting DDoSed, but the IPS should prevent this; instead the IPS does nothing.

  • What does your IPS setup look like?  Can you take screenshots of your Global and Anti-DoS/Flood tabs and drag them into the text box here for us?

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Thanks.  I've been reading up on this domain a bit, and this seems to be one that always does this with DNSSEC enabled or when you are hosting your own DNS: pizzaseo.com RRSIG IN denied - vServer / Server / KVM-Server - netcup Community

    It appears people are just literally turning off their name servers, or getting the ISP to block all that traffic from this domain for them.  I can't see why this has been such an issue with this domain for so long, though; it's insane how many posts there are about this one.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • You know, Amodin, I'm thinking this is a DDoS and that pizzaseo.com is another victim of nefarious actors that have malware running in lots of places.

    I'm curious, Wolfgang, are those packets all on port 80?  If so, you might replace your DNAT with Webserver Protection.  Does that give you a better result?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi BAlfson,

    Not only 80... they use all the ports they can get:

    They run an attack with an IP xxx and port 80; after that they get a new IP yyy and port 15666, and so on.

    So I guess Webserver Protection will not help, or am I wrong?

  • You're right, Wolfgang, Webserver Protection wouldn't help.

    From where are the lines in the second set above?  I don't recognize them as coming from the UTM.

    If they're from another device, show us the Edit of the DNAT that gets them there.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA