Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 2 replies
  • Subscribers 3 subscribers
  • Views 940 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Excessive IPS detections

Donde D

Hi,

 

I was wondering if anyone else has experienced a ramp up in the last few days on UTM9 appliances with the IPS module.

As of a few days now, my IPS attack detections have gone up ten-fold.

 

I spotted a particular signature triggering these detections; 

44077 INDICATOR-COMPROMISE Suspicious .win dns query

 

After investigating the sources causing the triggers to go off (DC/DNS servers), all seems normal and nothing was changed on them to warrant such activity.

 

Were there some changes made to the IPS signatures recently that could be causing this?

 

Thank you! 



This thread was automatically locked due to age.
Parents
  • 0

    Salut Donde,

    This appears to be your internal DNS trying to get name resolution for ???.???.win, a top-level-domain known to be used frequently by bot-masters.  The DNS log in your DC should be able to identify the infected device.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0

    Salut Donde,

    This appears to be your internal DNS trying to get name resolution for ???.???.win, a top-level-domain known to be used frequently by bot-masters.  The DNS log in your DC should be able to identify the infected device.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
  • 0 in reply to BAlfson

    Many thanks for that pointer Bob.

    I have turned on debugging for UDP requests and will wait and see.

     

    Was quiet today - which leads to me to think it might be indeed an infected device somewhere and not a signature false-positive.

     

    Will post my findings.

Unfiltered HTML