
IPS not dropping traffic despite custom "drop" rule ID (id="2101")

I have a lot of IPS alerts lately originating from and going to my DNS server (192.168.1.X). I have created a custom rule to block and alert on the attacks for that ID, but the IPS is still only warning of the intrusion.

My DNS server is not listening to the internet (no DNAT rule is set up in the firewall to forward port 53 to the DNS server).

2023:04:02-11:25:03 XX snort[4955]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt" group="241" srcip="91.189.91.139" dstip="192.168.1.X" proto="17" srcport="53" dstport="64024" sid="19187" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"

2023:04:01-00:17:16 mysophosutm snort[11680]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .top dns query" group="241" srcip="192.168.1.X" dstip="192.5.5.241" proto="17" srcport="53376" dstport="53" sid="43687" class="Misc activity" priority="3" generator="1" msgid="0"

Here is the screenshot of the alerts with the rule ID in the IPS manual rule modification. These alerts began a few days ago; I enabled "add extra warnings" for the DNS server setting in the IPS, and now these alerts have come up.



  • I'm a little confused, Alan - I thought all Snort IDs were 5 digits.

    The first IPS log line is a response from a name server, ns3.canonical.com.

    The second looks like a request for an IP for a *.top FQDN from one of the root name servers.

    But, I think you know all of that - maybe time for a second cup of coffee before starting work in the morning?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I see... the Snort rule is sid="43687".

    I thought the ID was the Snort rule. The logs don't say which Snort rule was detected by name, but I found it after searching the database for it. So you learn something new every day.

    snort.org/.../1-43687
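To make the distinction in this thread concrete: in the Sophos UTM IPS log format, the `id` field is UTM's message-type identifier (it is `2101` on both quoted lines, alert and drop alike), while the Snort rule that fired is the `sid` field. The following is an added example, not code from the thread or from Sophos, that parses the two quoted lines (embedded as constructed sample input), reports per `sid` which action the IPS actually took, and flags any rule you believe you set to drop that still logs `action="alert"`. The direction classification assumes UDP/53 semantics as in the quoted lines, and the helper names and the `internal_host` parameter are mine.

```python
import re
from collections import defaultdict

# Constructed sample input: the two UTM IPS lines quoted in the thread, each on a
# single line as the UTM writes them (the masked octet is kept as in the post).
SAMPLE_LOG = """\
2023:04:02-11:25:03 XX snort[4955]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt" group="241" srcip="91.189.91.139" dstip="192.168.1.X" proto="17" srcport="53" dstport="64024" sid="19187" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2023:04:01-00:17:16 mysophosutm snort[11680]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .top dns query" group="241" srcip="192.168.1.X" dstip="192.5.5.241" proto="17" srcport="53376" dstport="53" sid="43687" class="Misc activity" priority="3" generator="1" msgid="0"
"""

# "<timestamp> <host> <process>[<pid>]: " prefix, followed by key="value" pairs.
PREFIX_RE = re.compile(r'^(\S+) (\S+) (\w+)\[(\d+)\]: ')
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_utm_line(line):
    """Parse one UTM syslog line into a dict; returns None for lines that do not match."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line[m.end():]))
    fields["timestamp"], fields["host"], fields["process"], fields["pid"] = m.groups()
    return fields


def parse_utm_log(text):
    """Parse all lines, keeping only IPS (sub="ips") events."""
    parsed = (parse_utm_line(line) for line in text.splitlines())
    return [f for f in parsed if f is not None and f.get("sub") == "ips"]


def utm_message_ids(events):
    """The 'id' field: UTM's message-type identifier, the same for every IPS alert."""
    return {e["id"] for e in events}


def actions_by_sid(events):
    """Snort rule id -> set of actions the IPS logged for it (alert, drop, ...)."""
    out = defaultdict(set)
    for e in events:
        out[e["sid"]].add(e["action"])
    return dict(out)


def sids_still_alerting(events, intended_drop_sids):
    """Of the sids you believe you configured to drop, which still log without action="drop"?"""
    return {e["sid"] for e in events
            if e["sid"] in intended_drop_sids and e["action"] != "drop"}


def classify_dns_direction(event, internal_host):
    """Rough DNS direction from UDP ports (assumption: proto 17, standard port 53).
    Traffic from :53 to the internal host is a reply to a query that host sent;
    traffic from the internal host to :53 is an outbound query."""
    if event.get("proto") != "17":
        return "other"
    if event["srcport"] == "53" and event["dstip"] == internal_host:
        return "inbound-response"
    if event["dstport"] == "53" and event["srcip"] == internal_host:
        return "outbound-query"
    return "other"


if __name__ == "__main__":
    events = parse_utm_log(SAMPLE_LOG)
    print("UTM message ids:", utm_message_ids(events))
    for sid, actions in sorted(actions_by_sid(events).items()):
        print(f"sid {sid}: actions={sorted(actions)}")
    print("configured-to-drop but still alerting:",
          sids_still_alerting(events, {"19187", "43687"}))
    for e in events:
        print(e["sid"], classify_dns_direction(e, "192.168.1.X"))
```

Run against the two quoted lines, `utm_message_ids` returns only `2101`, so a rule keyed on that value cannot single out one attack; `actions_by_sid` shows sid 19187 logging `alert` and sid 43687 logging `drop`, which is the per-rule view to check when an IPS modification does not seem to take effect. The direction helper reproduces Bob's reading: the first line is an inbound reply from a name server to the DNS host's ephemeral port, the second an outbound query from it.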
