
Intrusion Prevention Alert (Packet dropped)

Hi guys, I keep getting the following alert and just wondered if it was anything to worry about / look further into:

 

Intrusion Prevention Alert

An intrusion has been detected. The packet has been dropped automatically.

You can toggle this rule between "drop" and "alert only" in WebAdmin.

 Details about the intrusion alert:

 Message........: INDICATOR-COMPROMISE Suspicious .trade dns query

Details........: https://www.snort.org/search?query=44076

Time...........: 2017-10-19 14:29:01

Packet dropped.: yes

Priority.......: low

Classification.: Misc activity

IP protocol....: 17 (UDP)

 

Source IP address: **.*.*.** (ad.domain.zone) Source port: 55525 Destination IP address: 8.8.8.8 (google-public-dns-a.google.com) Destination port: 53 (domain)

       

Sophos UTM @

 

--

System Uptime     : 35 days 10 hours 25 minutes

System Load       : 0.35

System Version     : Sophos UTM 9.503-4

 

Please refer to the manual for detailed instructions.



  • There are quite a few threads about this sort of IPS message. Basically a PC on your network was surfing and something required a DNS lookup to a .trade domain URL. I suspect the source IP in the message is whatever server your PCs are using for DNS. So your DNS server used its forwarder(s) to try to resolve the .trade domain for your internal PC, and it was blocked.

    If you want to see which internal PC was actually making the DNS request to your internal DNS server next time, set up DNS debugging like I have, using the image below.

  • Thanks, I have set the logging up but I'm not sure what I am looking for. I can see the error entries in the log (below):

    10/11/2017 09:29:56 0F9C PACKET  0000008AD6AFA270 UDP Rcv 8.8.8.8         1baf R Q [8281   DR SERVFAIL] A      (3)186(12)red-83-48-97(8)staticip(8)rima-tde(3)net(0)
    10/11/2017 09:29:56 0F9C PACKET  0000008AD79940F0 UDP Rcv 8.8.4.4         1baf R Q [8281   DR SERVFAIL] A      (3)186(12)red-83-48-97(8)staticip(8)rima-tde(3)net(0)
    10/11/2017 09:29:56 0F9C PACKET  0000008AD892A140 UDP Rcv 209.244.0.3     1baf R Q [8281   DR SERVFAIL] A      (3)186(12)red-83-48-97(8)staticip(8)rima-tde(3)net(0)

    I just cannot see the internal IP making the request.

    Any suggestions?

    Thanks in advance,

    Lee

  • I found another entry in the IPS log:

    2017:11:13-11:25:22 gw1 snort[23976]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .top dns query" group="241" srcip="10.1.1.27" dstip="209.244.0.3" proto="17" srcport="53979" dstport="53" sid="43687" class="Misc activity" priority="3" generator="1" msgid="0"
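    The two posts above (the Windows DNS debug log lines and the UTM ips.log line) fit together once the DNS debug log format is read the right way: a line with an `R` after the transaction id is a response received from a forwarder, so its remote IP is the forwarder (8.8.8.8, 8.8.4.4, 209.244.0.3), while the internal client's original query is an `Rcv` line without the `R`, carrying the client's IP in the remote-IP column. The IPS alert's `srcip`, in turn, is whichever host sent the query past the UTM, which in this setup is the DNS server rather than the PC. The following Python script is an added example for this thread, not code from Sophos, Microsoft or the posters; it parses both log formats (the Windows DNS debug-log packet layout and the UTM's `key="value"` ips.log fields) and maps a `Suspicious .xxx dns query` alert back to the internal clients that asked for a name under that TLD. All log lines in it are constructed samples; only the field layout follows the lines posted above.

    ```python
    """Correlate a Sophos UTM IPS 'Suspicious .xxx dns query' alert with the
    Windows DNS server debug log to find the internal client behind it.

    Added example for this thread (not Sophos or Microsoft code). Assumes the
    Windows DNS debug-log packet format and the UTM ips.log key="value" format
    as they appear in the posts above.
    """
    import re
    from collections import defaultdict

    # One Windows DNS debug-log packet line:
    #  date time thread PACKET pkt-id UDP|TCP Snd|Rcv remote-ip xid [R] Q|N|U [flags rcode] qtype qname
    DNS_LINE = re.compile(
        r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<thread>\S+)\s+PACKET\s+(?P<pkt>\S+)\s+"
        r"(?P<proto>UDP|TCP)\s+(?P<direction>Snd|Rcv)\s+(?P<remote_ip>\S+)\s+"
        r"(?P<xid>[0-9a-fA-F]+)\s+(?:(?P<response>R)\s+)?(?P<opcode>[QNU])\s+"
        r"\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
    )

    # The debug log writes names as length-prefixed labels: (3)186(12)red-83-48-97...(0)
    LABEL = re.compile(r"\((\d+)\)([^()]*)")

    # UTM ips.log: key="value" pairs after the syslog prefix
    KV = re.compile(r'(\w+)="([^"]*)"')


    def decode_qname(wire_name):
        """Turn '(7)example(5)trade(0)' into 'example.trade'."""
        labels = [label for _, label in LABEL.findall(wire_name) if label]
        return ".".join(labels).lower()


    def parse_dns_debug_line(line):
        """Parse one debug-log packet line into a dict, or None if it is not a packet line."""
        m = DNS_LINE.match(line)
        if not m:
            return None
        rec = m.groupdict()
        rec["is_response"] = rec.pop("response") == "R"
        rec["name"] = decode_qname(rec.pop("qname"))
        flag_parts = rec["flags"].split()
        rec["rcode"] = flag_parts[-1] if flag_parts else ""  # last token is NOERROR/SERVFAIL/...
        return rec


    def classify(rec):
        """Rcv + query = a client asking this server; Rcv + response = a forwarder answering it."""
        if rec["direction"] == "Rcv" and not rec["is_response"]:
            return "client_query"
        if rec["direction"] == "Rcv":
            return "forwarder_response"
        if not rec["is_response"]:
            return "forwarded_query"
        return "answer_to_client"


    def clients_querying_tld(lines, tld):
        """Map each queried name under `tld` to the sorted list of internal IPs that asked for it."""
        tld = tld.lstrip(".").lower()
        hits = defaultdict(set)
        for line in lines:
            rec = parse_dns_debug_line(line)
            if rec and classify(rec) == "client_query" and rec["name"].split(".")[-1] == tld:
                hits[rec["name"]].add(rec["remote_ip"])
        return {name: sorted(ips) for name, ips in hits.items()}


    def parse_utm_ips_line(line):
        """Extract the key="value" fields of a UTM ips.log line."""
        return dict(KV.findall(line))


    def explain_alert(ips_line, dns_log_lines):
        """Join the IPS alert to the DNS debug log: who the UTM saw, and who really asked."""
        alert = parse_utm_ips_line(ips_line)
        m = re.search(r"Suspicious \.(\w+) dns query", alert.get("reason", ""))
        tld = m.group(1) if m else ""
        return {
            "blocked_resolver": alert.get("srcip"),  # host the UTM saw: usually the DNS server, not the PC
            "tld": tld,
            "clients": clients_querying_tld(dns_log_lines, tld),
        }


    # Constructed sample DNS debug log: 10.1.1.50 is a workstation, the server forwards to 8.8.8.8 / 8.8.4.4.
    SAMPLE_DNS_LOG = """\
    10/11/2017 09:29:55 0F9C PACKET  0000008AD6AFA100 UDP Rcv 10.1.1.50       2c1a   Q [0001   D   NOERROR] A      (7)example(5)trade(0)
    10/11/2017 09:29:55 0F9C PACKET  0000008AD6AFA100 UDP Snd 8.8.8.8         1baf   Q [0001   D   NOERROR] A      (7)example(5)trade(0)
    10/11/2017 09:29:56 0F9C PACKET  0000008AD6AFA270 UDP Rcv 8.8.8.8         1baf R Q [8281   DR SERVFAIL] A      (7)example(5)trade(0)
    10/11/2017 09:29:56 0F9C PACKET  0000008AD79940F0 UDP Rcv 8.8.4.4         1baf R Q [8281   DR SERVFAIL] A      (3)186(12)red-83-48-97(8)staticip(8)rima-tde(3)net(0)
    10/11/2017 09:29:57 0F9C PACKET  0000008AD6AFA100 UDP Snd 10.1.1.50       2c1a R Q [8281   DR SERVFAIL] A      (7)example(5)trade(0)
    """.splitlines()

    # Constructed sample ips.log line in the same layout as the one posted above.
    SAMPLE_IPS_LINE = (
        '2017:11:13-11:25:22 gw1 snort[23976]: id="2101" severity="warn" sys="SecureNet" sub="ips" '
        'name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .trade dns query" '
        'group="241" srcip="10.1.1.27" dstip="8.8.8.8" proto="17" srcport="53979" dstport="53" '
        'sid="44076" class="Misc activity" priority="3" generator="1" msgid="0"'
    )

    if __name__ == "__main__":
        print(explain_alert(SAMPLE_IPS_LINE, SAMPLE_DNS_LOG))
    ```

    Run against a real debug log, the `clients` map is the answer to "which internal PC made the request": the `SERVFAIL` lines Lee posted are all `forwarder_response` records, which is why no internal address appears in them, and the matching `client_query` record (same name, `Rcv`, no `R`) a second or so earlier carries the client IP. If no such record exists, the query originated on the DNS server itself or on a host that forwards through it, which is what the later posts in this thread arrive at.
    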

  • Is 10.1.1.27 the "**.*.*.** (ad.domain.zone)" in your original post?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I may have gotten to the bottom of it?!? The UTM's DNS forwarders are set as the internal DNS servers, and it seems that an email has hit the UTM and it has done its DNS checks on it using the internal DNS servers, and this is where it has been refused.

    I think it may be a good idea to not have the internal DNS servers in the UTM's DNS forwarders section and swap them for Google's.

     

    Does this make sense?

    Lee

  • Absolutely, Lee - see DNS best practice.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA