
IPS not dropping traffic despite custom "drop" rule ID (id="2101")

I have had a lot of IPS alerts lately originating from and going to my DNS server (192.168.1.X). I have created a custom rule to block and alert on the attacks for that ID, but the IPS is still only warning of the intrusion.

My DNS server is not reachable from the internet (no DNAT rule is set up in the firewall to forward port 53 to the DNS server).

2023:04:02-11:25:03 XX snort[4955]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt" group="241" srcip="91.189.91.139" dstip="192.168.1.X" proto="17" srcport="53" dstport="64024" sid="19187" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"

2023:04:01-00:17:16 mysophosutm snort[11680]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .top dns query" group="241" srcip="192.168.1.X" dstip="192.5.5.241" proto="17" srcport="53376" dstport="53" sid="43687" class="Misc activity" priority="3" generator="1" msgid="0"

Here is the screenshot of the alerts, with the rule ID in the IPS manual rule modification. These alerts began a few days ago; I enabled "add extra warnings" for the DNS server setting in the IPS, and now these alerts have come up.



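The two log lines in the post carry the same id="2101" but different sid values (19187 and 43687) and different actions (alert versus drop), so when deciding which rule to modify it is the Snort sid, not the log-message id, that distinguishes one rule from another. The following script is an added example, not code from the original post or from Sophos: it parses UTM IPS log lines in the key="value" format shown above, groups them by sid, records the action and traffic direction for each, and lists the sids that have only ever been logged with action="alert". The sample lines are constructed from the post, with 192.168.1.10 as a made-up stand-in for the redacted DNS server address and 192.168.0.0/16 assumed to be the local network.

```python
import ipaddress
import re

# Constructed sample input modelled on the two Sophos UTM IPS log lines in the post.
# 192.168.1.10 is an assumed placeholder for the redacted DNS server (192.168.1.X).
SAMPLE_LOG = """\
2023:04:02-11:25:03 utm snort[4955]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt" group="241" srcip="91.189.91.139" dstip="192.168.1.10" proto="17" srcport="53" dstport="64024" sid="19187" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2023:04:01-00:17:16 utm snort[11680]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .top dns query" group="241" srcip="192.168.1.10" dstip="192.5.5.241" proto="17" srcport="53376" dstport="53" sid="43687" class="Misc activity" priority="3" generator="1" msgid="0"
"""

# Every field in the UTM IPS log is written as key="value"; values may contain spaces.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Assumption: the DNS server sits on this RFC 1918 range; adjust for your own LAN.
LOCAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]


def parse_line(line):
    """Return the key="value" fields of one IPS alert line as a dict.

    Lines that are not IPS alerts (wrong subsystem or no sid) yield None.
    """
    fields = dict(KV_RE.findall(line))
    if fields.get("sub") != "ips" or "sid" not in fields:
        return None
    return fields


def direction(fields):
    """Classify a flow as inbound, outbound, internal or external relative to LOCAL_NETS."""
    src = ipaddress.ip_address(fields["srcip"])
    dst = ipaddress.ip_address(fields["dstip"])
    src_local = any(src in net for net in LOCAL_NETS)
    dst_local = any(dst in net for net in LOCAL_NETS)
    if src_local and not dst_local:
        return "outbound"
    if dst_local and not src_local:
        return "inbound"
    return "internal" if src_local else "external"


def summarize(log_text):
    """Group alerts by Snort sid, collecting the actions, directions and log ids seen."""
    summary = {}
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        entry = summary.setdefault(fields["sid"], {
            "reason": fields["reason"],
            "count": 0,
            "actions": set(),
            "directions": set(),
            "log_ids": set(),
        })
        entry["count"] += 1
        entry["actions"].add(fields["action"])
        entry["directions"].add(direction(fields))
        entry["log_ids"].add(fields["id"])
    return summary


def alert_only_sids(summary):
    """sids that were only ever logged with action="alert": candidates for a manual drop modification."""
    return sorted(sid for sid, entry in summary.items() if entry["actions"] == {"alert"})


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for sid, entry in sorted(result.items()):
        print(f'sid={sid} count={entry["count"]} actions={sorted(entry["actions"])} '
              f'direction={sorted(entry["directions"])} log_id={sorted(entry["log_ids"])} '
              f'reason="{entry["reason"]}"')
    print("alert-only sids:", alert_only_sids(result))
```

Run against the post's lines, the script reports sid 19187 as inbound and alert-only and sid 43687 as outbound and already dropped, while both share log id 2101. Note also that the inbound line has srcport="53" and an ephemeral dstport, which is what a DNS reply to a query the server itself sent looks like, so the absence of a DNAT rule does not by itself rule this traffic out.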
  • Do you have an SFOS firewall within your network?


  • I do have an SFOS firewall in a dual-boot setup that I boot into occasionally and keep updated and ready to use as a sort of failover in case the UTM disk dies; then I can boot from the SFOS drive. But right now, the UTM is the one in use.

    About my setup: I am using the Pi-hole DNS with unbound, which I keep fully updated. In case there is malware somehow, I scan with ClamAV. I do not think this is malware, though I could be wrong. On the Ubuntu DNS server I have deployed the decrypt-and-scan TLS/SSL certificate.

    I have had these "suspicious .top domain queries" for a while but they were blocked so I was not too concerned, thinking they were false positives.

    I have not included my DNS server in the Performance Tuning section of the IPS. Should I have tried that as well?

