
IPS not dropping traffic despite custom "drop" rule ID (id="2101")

I have had a lot of IPS alerts lately originating from and going to my DNS server (192.168.1.X). I have created a custom rule to block/alert the attacks for the ID, but the IPS is still only warning of the intrusion.

My DNS server is not listening from the internet (no DNAT rule is set up in the firewall to forward port 53 to the DNS server).

2023:04:02-11:25:03 XX snort[4955]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt" group="241" srcip="91.189.91.139" dstip="192.168.1.X" proto="17" srcport="53" dstport="64024" sid="19187" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"

2023:04:01-00:17:16 mysophosutm snort[11680]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .top dns query" group="241" srcip="192.168.1.X" dstip="192.5.5.241" proto="17" srcport="53376" dstport="53" sid="43687" class="Misc activity" priority="3" generator="1" msgid="0"

Here is the screenshot of the alerts with the rule ID in the IPS manual rule modification. These alerts began a few days ago, and I enabled "add extra warnings" for the DNS server setting in the IPS, and now these alerts have come up.
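Both log lines above carry the same id="2101" but differ in action= (alert versus drop), and the first one has srcport="53", i.e. it fired on a DNS reply coming back to the resolver, which is consistent with no DNAT existing. The following is an added example, not code from this thread or from Sophos: a small parser for the UTM's key="value" snort log format that groups events by sid and reports which sids you configured as "drop" only ever logged action="alert". The sample log lines are constructed, modelled on the ones in the post, with a placeholder hostname and DNS server address.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on the Sophos UTM snort format shown in the thread
# (hostname "utm" and the DNS server 192.168.1.10 are placeholders).
SAMPLE_LOG = """\
2023:04:02-11:25:03 utm snort[4955]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt" group="241" srcip="91.189.91.139" dstip="192.168.1.10" proto="17" srcport="53" dstport="64024" sid="19187" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2023:04:01-00:17:16 utm snort[11680]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .top dns query" group="241" srcip="192.168.1.10" dstip="192.5.5.241" proto="17" srcport="53376" dstport="53" sid="43687" class="Misc activity" priority="3" generator="1" msgid="0"
2023:04:02-11:26:10 utm snort[4955]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt" group="241" srcip="91.189.91.139" dstip="192.168.1.10" proto="17" srcport="53" dstport="64025" sid="19187" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
"""

# Header: "<timestamp> <host> snort[<pid>]: " followed by key="value" pairs.
HEADER_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) snort\[(?P<pid>\d+)\]: ')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Return header fields plus every key="value" pair, or None for a non-snort line."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(KV_RE.findall(line[m.end():]))
    return rec

def parse_log(text):
    """Parse all lines and keep only IPS events (id="2101")."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r and r.get("id") == "2101"]

def is_dns_reply(rec):
    """UDP with source port 53: the event fired on a reply to a query the local resolver sent."""
    return rec.get("proto") == "17" and rec.get("srcport") == "53"

def actions_by_sid(records):
    """Map sid -> Counter of action values, e.g. {'19187': Counter({'alert': 2})}."""
    out = defaultdict(Counter)
    for r in records:
        out[r["sid"]][r["action"]] += 1
    return dict(out)

def drop_rules_only_alerting(records, expected_drop):
    """Sids you set to 'drop' that appear in the log but never logged action="drop"."""
    by_sid = actions_by_sid(records)
    return sorted(s for s in expected_drop if s in by_sid and by_sid[s].get("drop", 0) == 0)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for sid, counts in actions_by_sid(recs).items():
        print(sid, dict(counts))
    print("configured as drop but only alerting:", drop_rules_only_alerting(recs, {"19187", "43687"}))
```

Feed it the real /var/log/ips.log content instead of SAMPLE_LOG to see, per sid, whether the firewall ever reported a drop for the rule you modified.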

  • Do you have an SFOS firewall within your network?


  • That IPS alert seems to target the Microsoft Forefront Threat Management Gateway/Firewall Client.

    So I do not think this is anything to worry about.

    The vulnerability could allow remote code execution if an attacker leveraged a client computer to make specific requests on a system where the TMG firewall client is used.
