
Intrusion Prevention System

Hi,

 

I'm pretty new on the forum so please bear with me. I'm using an SG430.

 

I noticed on the Intrusion Prevention System Log that I started getting these logs:

 

firewall snort[27237]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .tk dns query" group="241" srcip="172.16.135.162" dstip="8.8.4.4" proto="17" srcport="61792" dstport="53" sid="39867" class="Misc activity" priority="3" generator="1" msgid="0"

 

The source IP is internal and destination is Google. Not only that, I'm also getting another entry from the same source IP but the destination IP is internal.
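For triaging entries like the one above, here is an added example (not code from the original post or from Sophos) that parses the UTM IPS log format into its key="value" fields, labels each alert by traffic direction (internal or external, judged by RFC 1918 address ranges) and by protocol/port, and counts alerts per source host and signature id. The first sample line is the one quoted in the post; the second is constructed to mirror the "same source, internal destination" entry the poster mentions, with a made-up destination 172.16.135.1 and source port.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List

# Sample Sophos UTM IPS log lines. The first is the entry quoted in the post;
# the second is CONSTRUCTED to mirror the "same source IP, internal destination"
# entry the poster mentions (dstip 172.16.135.1 and srcport 50217 are made up).
SAMPLE_LOGS: List[str] = [
    'firewall snort[27237]: id="2101" severity="warn" sys="SecureNet" sub="ips" '
    'name="Intrusion protection alert" action="drop" '
    'reason="INDICATOR-COMPROMISE Suspicious .tk dns query" group="241" '
    'srcip="172.16.135.162" dstip="8.8.4.4" proto="17" srcport="61792" dstport="53" '
    'sid="39867" class="Misc activity" priority="3" generator="1" msgid="0"',
    'firewall snort[27237]: id="2101" severity="warn" sys="SecureNet" sub="ips" '
    'name="Intrusion protection alert" action="drop" '
    'reason="INDICATOR-COMPROMISE Suspicious .tk dns query" group="241" '
    'srcip="172.16.135.162" dstip="172.16.135.1" proto="17" srcport="50217" dstport="53" '
    'sid="39867" class="Misc activity" priority="3" generator="1" msgid="0"',
]

# key="value" pairs; values may contain spaces (e.g. the reason string).
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Leading "host process[pid]:" prefix that precedes the first key.
PREFIX_RE = re.compile(r'^(\S+)\s+(\w+)\[(\d+)\]:')
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}


def parse_ips_line(line: str) -> Dict[str, str]:
    """Split a UTM IPS line into its key="value" fields plus host/process/pid."""
    fields = dict(KV_RE.findall(line))
    m = PREFIX_RE.match(line)
    if m:
        fields["host"], fields["process"], fields["pid"] = m.groups()
    return fields


def classify(fields: Dict[str, str]) -> Dict[str, str]:
    """Describe the traffic direction and service of one parsed alert.

    The IPS event records only that a .tk lookup matched the signature; the
    queried name itself is not in the event, so the note says where to look.
    """
    src = ipaddress.ip_address(fields["srcip"])
    dst = ipaddress.ip_address(fields["dstip"])

    def side(ip: ipaddress._BaseAddress) -> str:
        return "internal" if ip.is_private else "external"

    proto = PROTO_NAMES.get(fields["proto"], fields["proto"])
    service = f'{proto}/{fields["dstport"]}'
    direction = f"{side(src)}->{side(dst)}"
    if service == "udp/53" and direction == "internal->external":
        note = ("host resolves directly against an external DNS server, bypassing "
                "the internal resolver; the queried name is only visible in a capture")
    elif service == "udp/53" and direction == "internal->internal":
        note = "query went to an internal resolver; its query log holds the looked-up name"
    else:
        note = "not a DNS pattern; review the signature separately"
    return {"direction": direction, "service": service, "note": note}


def summarize(lines: Iterable[str]) -> Dict[str, Counter]:
    """Count alerts per source IP and signature id so repeat sources stand out."""
    counts: Dict[str, Counter] = {}
    for line in lines:
        f = parse_ips_line(line)
        counts.setdefault(f["srcip"], Counter())[f["sid"]] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        f = parse_ips_line(line)
        c = classify(f)
        print(f'{f["srcip"]} -> {f["dstip"]} {c["service"]} {c["direction"]}: {c["note"]}')
    for srcip, per_sid in summarize(SAMPLE_LOGS).items():
        print(srcip, dict(per_sid))
```

The point of the direction label is the one Alex raises below: the same signature firing toward 8.8.4.4 and toward an internal address tells you the host talks to an external resolver directly as well as to the internal one, and the internal resolver's query log is the place to find the actual .tk name, since the IPS event does not carry it.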



  • That means that IP 172.16.135.162 is doing a DNS query against Google DNS. And these domain names are ending with .tk, which means these are often malicious services.

    You have to do further analysis to know whether this is caused by a real threat.

    To give more advice you have to tell us a little more about your DNS (network) structure.

    Best

    Alex
