This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPS not dropping traffic despite custom "drop" rule ID (id="2101")

I have a lot of IPS alerts lately originating from and going to my DNS server (192.168.1.X). I have created a custom rule to block, alert the attacks for the ID but the IPS is still only warning of the intrusion.

My DNS server is not listening from the internet (no DNAT rule is setup in the firewall to forward port 53 to the DNS server)

2023:04:02-11:25:03 XX snort[4955]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt" group="241" srcip="91.189.91.139" dstip="192.168.1.X" proto="17" srcport="53" dstport="64024" sid="19187" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"

2023:04:01-00:17:16 mysophosutm snort[11680]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" 
action="drop" reason="INDICATOR-COMPROMISE Suspicious .top dns query" group="241" srcip="192.168.1.X" dstip="192.5.5.241" proto="17"
srcport="53376" dstport="53" sid="43687" class="Misc activity" priority="3" generator="1" msgid="0"

Here, is the screenshot of the alerts with the rule ID in the IPS manual rule modification. These alerts began a few days ago, and I enabled "add extra warnings" for the DNS server setting in the IPS and now these alerts have come up.



This thread was automatically locked due to age.
Parents
  • I'm a little confused, Alan - I thought all Snort IDs were 5 digits.

    The first IPS log line is a response from a name server, ns3.canonical.com.

    The second looks like a request for an IP for a *.top FQDN from one of the root name servers.

    But, I think you know all of that - maybe time for a second cup of coffee before starting work in the morning? Wink

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • I'm a little confused, Alan - I thought all Snort IDs were 5 digits.

    The first IPS log line is a response from a name server, ns3.canonical.com.

    The second looks like a request for an IP for a *.top FQDN from one of the root name servers.

    But, I think you know all of that - maybe time for a second cup of coffee before starting work in the morning? Wink

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children