
How to suppress nuisance IPS alerts?

I have IPS alerting enabled on our UTM appliance and frequently get bombarded with intrusion alerts related to "INDICATOR-COMPROMISE Suspicious .win dns query" (or similar for .pl, .tk, etc. domains), and when looking into these events I've found that they are either harmless noise or linked to dodgy links/content on websites. I've been looking for a way to suppress these alerts without having to resort to turning off alerting entirely and found the option for "Manual Rule Modification", under Network Protection>Intrusion Prevention>Advanced. In this instance the rule ID for the nuisance alert is 2101, so I've modified the rule to still drop but no longer notify:

Is this the correct approach for suppressing select alerts or should I rather be doing this in some other fashion?

Any guidance will be greatly appreciated :-)



  • A quick update on this:

    It doesn't seem as if the rule modification is having the desired effect as I am still receiving alerts for this event.

    This is a sample of the event from the IPS log:

    2018:04:05-09:55:10 [redacted] snort[17993]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .win dns query" group="241" srcip="[redacted]" dstip="8.8.4.4" proto="17" srcport="51629" dstport="53" sid="44077" class="Misc activity" priority="3" generator="1" msgid="0"

    I'm assuming that the Rule ID for the above is "2101", or am I missing something?

  • For IPS, you should be aware of this useful link: lists.astaro.com, then choose ASGV9-IPS-rules.html

    It provides information about all of the rules supported by IPS, although it may be outdated. It says that the Server / Misc / DNS group has 62 entries, but my UTM says it has 34 attacks, 53 warnings = 87 total. Each entry shows the rule number and provides a link for more information.

    For this particular problem, the list confirms that your rule is in the Server / Misc / DNS group.

    So for your question, the options are:

    • Uncheck notification for the Server / Misc / DNS group within Network Protection... Intrusion Protection System... Attack Patterns (tab)
    • Uncheck email on one or more of the options within Management... Notifications... Notifications (tab)... Intrusion Protection (section)

    As long as IPS is blocking the traffic, I don't worry too much about IPS events, so APT alert is the only entry in that group that I send to email. The remainder are evaluated using log files.

  • Rather than that, Doug, I would change the Snort ID (SID) 44077 (NOT 2201!) to drop silently.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
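As an added illustration (not code from the thread or from Sophos), a small Python parser for the UTM IPS log format quoted above: it pulls the key="value" fields out of each line and shows why a suppression list should be keyed on sid rather than on id="2101", which the sample line suggests is the notification message number shared by every IPS alert. The sample lines are constructed; the addresses and the sids other than 44077 are placeholders.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample lines in the Sophos UTM IPS log format (key="value" pairs),
# modelled on the line quoted in the thread. Redacted hosts/addresses are replaced
# with documentation addresses; the second and third lines are invented.
SAMPLE_LOG = """\
2018:04:05-09:55:10 utm snort[17993]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .win dns query" group="241" srcip="192.0.2.10" dstip="8.8.4.4" proto="17" srcport="51629" dstport="53" sid="44077" class="Misc activity" priority="3" generator="1" msgid="0"
2018:04:05-09:56:02 utm snort[17993]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .tk dns query" group="241" srcip="192.0.2.11" dstip="8.8.4.4" proto="17" srcport="40211" dstport="53" sid="44078" class="Misc activity" priority="3" generator="1" msgid="0"
2018:04:05-09:57:30 utm snort[17993]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="SERVER-OTHER constructed example" group="300" srcip="203.0.113.9" dstip="192.0.2.20" proto="6" srcport="4444" dstport="445" sid="99999" class="Attempted Administrator Privilege Gain" priority="1" generator="1" msgid="0"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_ips_line(line: str) -> Dict[str, str]:
    """Split one UTM IPS log line into its key="value" fields plus the timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def should_notify(event: Dict[str, str], suppressed_sids: Iterable[str]) -> bool:
    """Decide whether an IPS event is still worth a notification.

    The match is on the Snort rule (sid), not on id="2101": in the sample line
    id is the same for every alert, so suppressing on it would silence all
    IPS notifications rather than just the nuisance rule.
    """
    return event.get("sub") == "ips" and event.get("sid") not in set(suppressed_sids)


def triage(log_text: str, suppressed_sids: Iterable[str]) -> Tuple[List[Dict[str, str]], Counter]:
    """Return the events still to be notified and a per-sid count of everything seen."""
    seen: Counter = Counter()
    to_notify: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_ips_line(line)
        seen[event.get("sid", "?")] += 1
        if should_notify(event, suppressed_sids):
            to_notify.append(event)
    return to_notify, seen
```

Run `triage(SAMPLE_LOG, {"44077"})` to see the .win query dropped from the notify list while the per-sid counts still record it, which is the "evaluate from the log files" approach Doug describes.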