I have been getting a lot of IPS alerts lately originating from and going to my DNS server (192.168.1.X). I have created a custom rule to block and alert on the attacks for that ID, but the IPS is still only warning of the intrusion.
My DNS server is not listening on the internet (no DNAT rule is set up in the firewall to forward port 53 to the DNS server).
2023:04:02-11:25:03 XX snort[4955]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt" group="241" srcip="91.189.91.139" dstip="192.168.1.X" proto="17" srcport="53" dstport="64024" sid="19187" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2023:04:01-00:17:16 mysophosutm snort[11680]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .top dns query" group="241" srcip="192.168.1.X" dstip="192.5.5.241" proto="17" srcport="53376" dstport="53" sid="43687" class="Misc activity" priority="3" generator="1" msgid="0"
Here is the screenshot of the alerts with the rule ID in the IPS manual rule modification. These alerts began a few days ago; I enabled "add extra warnings" for the DNS server setting in the IPS, and now these alerts have come up.
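As an added example (not part of the original post), a small Python script that parses UTM IPS log lines in the format quoted above, groups them by sid, records which action the IPS actually took, and flags sids that only ever log action="alert"; it also classifies each event's direction relative to the DNS server, on the assumption that a packet from remote port 53 to a high port on the server is the reply to a query the server itself sent upstream. The two log lines and the masked 192.168.1.X address are taken from the post and embedded as constructed sample input.

```python
import re
from collections import defaultdict

# Constructed sample in the Sophos UTM snort log format quoted in the post (one event per line).
SAMPLE_LOG = """\
2023:04:02-11:25:03 XX snort[4955]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt" group="241" srcip="91.189.91.139" dstip="192.168.1.X" proto="17" srcport="53" dstport="64024" sid="19187" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2023:04:01-00:17:16 mysophosutm snort[11680]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .top dns query" group="241" srcip="192.168.1.X" dstip="192.5.5.241" proto="17" srcport="53376" dstport="53" sid="43687" class="Misc activity" priority="3" generator="1" msgid="0"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_ips_line(line):
    """Split one UTM log line into its key="value" fields; {} for non-IPS lines."""
    fields = dict(KV_RE.findall(line))
    return fields if fields.get("sub") == "ips" else {}

def dns_direction(event, dns_server):
    """Classify an event relative to the DNS server. Assumed interpretation: remote port 53
    to a high port on the server is the reply to a query the server sent upstream itself."""
    if event.get("dstip") == dns_server and event.get("srcport") == "53":
        return "reply-to-server-query"
    if event.get("srcip") == dns_server and event.get("dstport") == "53":
        return "server-outbound-query"
    if event.get("dstip") == dns_server:
        return "inbound-to-server"
    return "other"

def summarise_by_sid(log_text, dns_server):
    """Per sid: event count, the actions the IPS actually took, and directions seen."""
    summary = defaultdict(lambda: {"count": 0, "actions": set(), "directions": set(), "reason": ""})
    for line in log_text.splitlines():
        ev = parse_ips_line(line)
        if not ev:
            continue
        entry = summary[ev["sid"]]
        entry["count"] += 1
        entry["actions"].add(ev["action"])
        entry["directions"].add(dns_direction(ev, dns_server))
        entry["reason"] = ev["reason"]
    return dict(summary)

def sids_still_alerting(summary):
    """sids only ever logged with action="alert": the rule is still warn-only, a drop override is not taking effect."""
    return sorted(sid for sid, e in summary.items() if e["actions"] == {"alert"})

if __name__ == "__main__":
    s = summarise_by_sid(SAMPLE_LOG, "192.168.1.X")
    for sid in sids_still_alerting(s):
        print(f'sid {sid} still alert-only: {s[sid]["reason"]} ({", ".join(s[sid]["directions"])})')
```

Run it against the full /var/log/ips.log export (assumed location) to see which sids the manual rule actually changed to drop and whether the flagged traffic is the server's own upstream resolution rather than unsolicited inbound packets.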