
How to suppress nuisance IPS alerts?

I have IPS alerting enabled on our UTM appliance and frequently get bombarded with intrusion alerts related to "INDICATOR-COMPROMISE Suspicious .win dns query" (or similar for .pl, .tk, etc. domains), and when looking into these events I've found that they are either harmless noise or linked to dodgy links/content on websites. I've been looking for a way to suppress these alerts without having to resort to turning off alerting entirely and found the option for "Manual Rule Modification", under Network Protection>Intrusion Prevention>Advanced. In this instance the rule ID for the nuisance alert is 2101, so I've modified the rule to still drop but no longer notify:

Is this the correct approach for suppressing select alerts or should I rather be doing this in some other fashion?

Any guidance will be greatly appreciated :-)



  • A quick update on this:

    It doesn't seem as if the rule modification is having the desired effect as I am still receiving alerts for this event.

    This is a sample of the event from the IPS log:

    2018:04:05-09:55:10 [redacted] snort[17993]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .win dns query" group="241" srcip="[redacted]" dstip="8.8.4.4" proto="17" srcport="51629" dstport="53" sid="44077" class="Misc activity" priority="3" generator="1" msgid="0"

    I'm assuming that the Rule ID for the above is "2101", or am I missing something?
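The log line quoted above carries two numeric identifiers, `id="2101"` and `sid="44077"`, and it is worth separating them before deciding which one to put into a manual rule modification. In Snort terminology the signature ID is the `sid` field; the `id` field is, on my reading of the sample, a UTM log-message identifier that is the same on every IPS alert line (that is an assumption, not something the thread confirms). The following is an added example, not code from the original post or from Sophos: it parses lines in this log format, groups alerts by Snort `sid`, and applies a per-`sid` suppression set so you can see how many alerts a given modification would actually silence before changing anything on the appliance. The log lines are constructed samples: the first is the event from the thread (addresses already redacted there); the others are made-up variants for the `.tk` case and an unrelated signature, using placeholder `sid` values (`9000001`, `9000002`) and ports.

```python
import re
from collections import Counter

# Constructed sample log. Line 1 is the event quoted in the thread; lines 2-4
# are made-up variants with placeholder sids and ports, not real alerts.
SAMPLE_IPS_LOG = """\
2018:04:05-09:55:10 [redacted] snort[17993]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .win dns query" group="241" srcip="[redacted]" dstip="8.8.4.4" proto="17" srcport="51629" dstport="53" sid="44077" class="Misc activity" priority="3" generator="1" msgid="0"
2018:04:05-09:57:42 [redacted] snort[17993]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .tk dns query" group="241" srcip="[redacted]" dstip="8.8.4.4" proto="17" srcport="51702" dstport="53" sid="9000001" class="Misc activity" priority="3" generator="1" msgid="0"
2018:04:05-10:01:03 [redacted] snort[17993]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .win dns query" group="241" srcip="[redacted]" dstip="8.8.4.4" proto="17" srcport="51810" dstport="53" sid="44077" class="Misc activity" priority="3" generator="1" msgid="0"
2018:04:05-10:02:15 [redacted] snort[17993]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="EXAMPLE-PLACEHOLDER some other signature" group="1" srcip="[redacted]" dstip="8.8.4.4" proto="6" srcport="51811" dstport="443" sid="9000002" class="Misc activity" priority="2" generator="1" msgid="0"
"""

# Header: timestamp, host, process name, pid, then ": " before the key="value" body.
HEADER_RE = re.compile(r'^(\S+) (\S+) (\w+)\[(\d+)\]: ')
# Values such as class="Misc activity" contain spaces, so split with a regex,
# not str.split().
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_ips_event(line):
    """Parse one UTM/snort log line into a dict, or return None if it is not
    an IPS event in this format."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    event = {"timestamp": m.group(1), "host": m.group(2),
             "process": m.group(3), "pid": int(m.group(4))}
    event.update(KV_RE.findall(line[m.end():]))
    return event if event.get("sub") == "ips" else None


def snort_sid(event):
    """The Snort signature ID is the "sid" field. The "id" field (2101 in the
    sample) is taken here to be the UTM log-message identifier shared by all
    IPS alert lines; that is an assumption based on the sample."""
    return int(event["sid"])


def is_suppressed(event, suppressed_sids):
    """True if this alert's Snort sid is in the set we intend to silence."""
    return snort_sid(event) in suppressed_sids


def summarize(log_text, suppressed_sids=frozenset()):
    """Count alerts per Snort sid and list the alerts that would still be
    reported after suppressing the given sids."""
    events = [e for e in map(parse_ips_event, log_text.splitlines()) if e]
    by_sid = Counter(snort_sid(e) for e in events)
    remaining = [e for e in events if not is_suppressed(e, suppressed_sids)]
    return {"total": len(events), "by_sid": dict(by_sid), "remaining": remaining}


if __name__ == "__main__":
    report = summarize(SAMPLE_IPS_LOG, suppressed_sids={44077})
    print("alerts per Snort sid:", report["by_sid"])
    print("still reported after suppressing sid 44077:")
    for e in report["remaining"]:
        print(" ", e["timestamp"], "sid", e["sid"], "-", e["reason"])
```

Running this on an export of the IPS log gives a per-signature count, which is a better basis for a suppression decision than the `id` value: if every line shows `id="2101"` regardless of signature, a modification keyed on 2101 is not targeting the `.win` query rule specifically, while the `sid` column separates it from the `.tk`, `.pl` and other signatures that should each be judged on their own.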
