
Intrusion Prevention Alert (Packet dropped)

Hi guys, I keep getting the following alert and just wondered if it was anything to worry about / look further into:

Intrusion Prevention Alert

An intrusion has been detected. The packet has been dropped automatically.

You can toggle this rule between "drop" and "alert only" in WebAdmin.

Details about the intrusion alert:

Message........: INDICATOR-COMPROMISE Suspicious .trade dns query
Details........: https://www.snort.org/search?query=44076
Time...........: 2017-10-19 14:29:01
Packet dropped.: yes
Priority.......: low
Classification.: Misc activity
IP protocol....: 17 (UDP)

Source IP address: **.*.*.** (ad.domain.zone)
Source port: 55525
Destination IP address: 8.8.8.8 (google-public-dns-a.google.com)
Destination port: 53 (domain)

Sophos UTM @

--
System Uptime     : 35 days 10 hours 25 minutes
System Load       : 0.35
System Version    : Sophos UTM 9.503-4

Please refer to the manual for detailed instructions.



  • There are quite a few threads about this sort of IPS message. Basically a PC on your network was surfing and something required a DNS lookup to a .trade domain URL. I suspect the source IP in the message is whatever server your PCs are using for DNS. So your DNS server used its forwarder(s) to try to resolve the .trade domain for your internal PC, and it was blocked.

    If you want to see which internal PC was actually making the DNS request to your internal DNS server next time, set up DNS debugging like I have, using the image below.

  • Thanks, I have set the logging up but not sure what I am looking for. I can see the error entries in the log (below):

    10/11/2017 09:29:56 0F9C PACKET  0000008AD6AFA270 UDP Rcv 8.8.8.8         1baf R Q [8281   DR SERVFAIL] A      (3)186(12)red-83-48-97(8)staticip(8)rima-tde(3)net(0)
    10/11/2017 09:29:56 0F9C PACKET  0000008AD79940F0 UDP Rcv 8.8.4.4         1baf R Q [8281   DR SERVFAIL] A      (3)186(12)red-83-48-97(8)staticip(8)rima-tde(3)net(0)
    10/11/2017 09:29:56 0F9C PACKET  0000008AD892A140 UDP Rcv 209.244.0.3     1baf R Q [8281   DR SERVFAIL] A      (3)186(12)red-83-48-97(8)staticip(8)rima-tde(3)net(0)

    I just cannot see the internal ip making the request.

    Any suggestions?

    thanks in advance

    lee

  • I found another entry in the IPS log:

    2017:11:13-11:25:22 gw1 snort[23976]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .top dns query" group="241" srcip="10.1.1.27" dstip="209.244.0.3" proto="17" srcport="53979" dstport="53" sid="43687" class="Misc activity" priority="3" generator="1" msgid="0"
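The debug log lines posted above are all forwarder responses (the R column is set and the remote address is 8.8.8.8 or another forwarder), which is why no internal client appears in them; the client only shows on the inbound query line, where the R column is blank and the remote address is the PC itself. As an added example that is not from this thread, the Python below parses Windows DNS Server debug log lines in that layout, decodes the (3)186(12)... label notation, and reports which client asked for names under watched TLDs such as .trade and .top; the 10.1.1.27 query line and the example.trade name are constructed samples, the two response lines are copied from the post.

```python
import re
from collections import defaultdict

# Windows DNS Server debug log: one packet per line. The "R" column is set
# on responses and blank on queries; "Rcv" means the packet arrived at the
# DNS server, "Snd" that the server sent it (e.g. to a forwarder).
PACKET_RE = re.compile(
    r"^\S+\s+\S+\s+\S+\s+PACKET\s+\S+\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Rcv|Snd)\s+(?P<remote>\S+)\s+"
    r"(?P<xid>[0-9a-f]{4})\s+(?P<resp>R?)\s*Q\s+\[(?P<flags>[^\]]*)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)

# Constructed sample: a client query (line 1), the server forwarding it
# (line 2), then two response lines as posted in the thread.
SAMPLE_LOG = [
    "10/11/2017 09:29:55 0F9C PACKET  0000008AD6AFA270 UDP Rcv 10.1.1.27       1baf   Q [0001   D   NOERROR] A      (7)example(5)trade(0)",
    "10/11/2017 09:29:55 0F9C PACKET  0000008AD6AFA270 UDP Snd 8.8.8.8         1baf   Q [0001   D   NOERROR] A      (7)example(5)trade(0)",
    "10/11/2017 09:29:56 0F9C PACKET  0000008AD6AFA270 UDP Rcv 8.8.8.8         1baf R Q [8281   DR SERVFAIL] A      (3)186(12)red-83-48-97(8)staticip(8)rima-tde(3)net(0)",
    "10/11/2017 09:29:56 0F9C PACKET  0000008AD79940F0 UDP Rcv 8.8.4.4         1baf R Q [8281   DR SERVFAIL] A      (3)186(12)red-83-48-97(8)staticip(8)rima-tde(3)net(0)",
]

def decode_qname(wire: str) -> str:
    """Turn '(3)186(12)red-83-48-97(3)net(0)' into '186.red-83-48-97.net'."""
    labels = re.findall(r"\((\d+)\)([^(]*)", wire)
    return ".".join(text for length, text in labels if int(length) > 0)

def parse_line(line: str):
    """Return the fields of a PACKET line as a dict, or None for other lines."""
    m = PACKET_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["is_response"] = rec.pop("resp") == "R"
    rec["qname"] = decode_qname(rec["qname"])
    return rec

def clients_querying_tlds(lines, tlds=("trade", "top")):
    """Map client IP -> names it asked for under the watched TLDs.
    Only inbound queries count: inbound responses name the forwarder, and
    the outbound (Snd) copy names the forwarder too, not the client."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dir"] != "Rcv" or rec["is_response"]:
            continue
        if rec["qname"].rsplit(".", 1)[-1].lower() in tlds:
            hits[rec["remote"]].append(rec["qname"])
    return dict(hits)
```

Run against a real dns.log, the client IPs in the returned dict are the machines to look at; correlate their timestamps with the IPS alert time to confirm which lookup triggered the drop.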
