
Intrusion Prevention System (IPS) Log shows local DNS hosts as Attacker and forwarders on the DNS hosts as Attack Targets

Hi Everybody,

Intrusion Prevention System (IPS) Statistics Log shows local DNS hosts as Attacker and forwarders on the DNS hosts as Attack Targets?
The following attack rule is being applied INDICATOR-COMPROMISE Suspicious .win dns query.

Is there a way to solve this "problem"?

Regards, Stephan



  • Hoi Stephan,

    The DNS log in your local name server should show which client is requesting resolution for a .win FQDN.  This is a sign that that client has a malware infection or is visiting an infected site.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
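
The log check described in the reply above, as an added example that is not part of the original thread: the IPS only sees the DNS server forwarding the query, so the originating client has to be recovered from the name server's own query log. The sketch assumes a BIND 9 style query log; the function name, sample addresses and domain names are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed format: BIND 9 querylog lines, e.g.
# "... client 10.0.0.5#53124 (name): query: name IN A + (10.0.0.2)"
# Newer BIND versions add "@0x..." after "client"; that part is optional here.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def clients_querying_tld(lines, tld="win"):
    """Return {client_ip: sorted list of queried names} for names under tld."""
    suffix = "." + tld.lower().strip(".")
    hits = defaultdict(set)
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (or a different log format)
        qname = m.group("qname").lower().rstrip(".")
        # Match on the label boundary so "windowsupdate.com" or
        # "intranet.darwin" are not mistaken for the .win TLD.
        if qname.endswith(suffix):
            hits[m.group("ip")].add(qname)
    return {ip: sorted(names) for ip, names in hits.items()}

# Constructed sample log lines (not taken from the thread).
SAMPLE_LOG = [
    "15-Mar-2017 10:12:01.120 queries: info: client 192.168.10.23#53124 "
    "(cdn-check.example.win): query: cdn-check.example.win IN A + (192.168.10.2)",
    "15-Mar-2017 10:12:01.410 queries: info: client 192.168.10.23#53125 "
    "(TRACK.example.WIN): query: TRACK.example.WIN IN AAAA + (192.168.10.2)",
    "15-Mar-2017 10:12:02.007 queries: info: client 192.168.10.41#40111 "
    "(download.windowsupdate.com): query: download.windowsupdate.com IN A + (192.168.10.2)",
    "15-Mar-2017 10:12:03.530 queries: info: client @0x7f3c1c0a 192.168.10.57#61002 "
    "(login.example.win): query: login.example.win IN A +E (192.168.10.2)",
    "15-Mar-2017 10:12:04.018 queries: info: client 192.168.10.41#40112 "
    "(intranet.darwin): query: intranet.darwin IN A + (192.168.10.2)",
]

if __name__ == "__main__":
    for ip, names in sorted(clients_querying_tld(SAMPLE_LOG).items()):
        print(ip, ", ".join(names))
```

Other name servers log queries in a different layout, so the regular expression has to be adapted to whatever the local server writes.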