For the past several days, I've been getting a lot more IPS alerts than usual due to some change in the pattern file. I'm just trying to work through them one at a time.
The first is DNS ID254, DNS Spoof Query response with TTL of 1 minute and no authority. Doing a Local Log File Query against the intrusion prevention system tells me that this is being set off by our ISP's DNS servers, which I have set as forwarders within our internal DNS. I don't want to just turn off the rule as it's there for our protection, but it's rather annoying getting pelted with the alert mails and watching the rule counter go up a few hundred times a day. Is there a way to tell the IPS to ignore those servers' IP addresses? Maybe creating a host definition for them and then adding them as DNS servers under performance tuning?
The second is under Info, ID2925, Web Bug 1x1 gif attempt. Again a lookup in the IPS log gives me a list of the external source servers. There are about a dozen source servers involved. A quick whois on them tells me that they are valid web servers our staff connects to many times a day. Either all of them changed the way their servers work and installed web bugs, or more likely the rule has changed. My thinking is to turn this rule off for now. Any thoughts?
Finally, the really tricky one that I'm having a very hard time diagnosing: SMTP ID3655, SMTP SEND overflow attempt. It appears to be triggered by some sort of malformed message. The problem here is figuring out what's going on, and I'm hoping somebody here can give me some steps to follow to get some info. Checking the IPS log only tells me that this error is being picked up with a source of the Astaro box and a destination of our internal mail server. Not too helpful. I need to find the original source of the emails, and I'm not certain where I can correlate the IPS alert ID # and the SMTP traffic to get this info.
Thanks,
Scott Klassen
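One way to do the correlation asked about for ID3655, added here as an example and not taken from the original thread: it assumes simplified key=value log formats (constructed sample lines, not Astaro's real ones) and joins each IPS alert to the SMTP proxy queue entries that were relayed to the same internal mail server within a few seconds before the alert, so the original client IP and envelope sender can be recovered from the queue id.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines; the formats are assumed, not the real Astaro ones.
IPS_LOG = """\
2008-03-10 09:14:02 id=3655 name="SMTP SEND overflow attempt" src=10.0.0.1 dst=10.0.0.25
2008-03-10 09:20:45 id=3655 name="SMTP SEND overflow attempt" src=10.0.0.1 dst=10.0.0.25
2008-03-10 09:21:00 id=254 name="DNS spoof query response" src=198.51.100.53 dst=10.0.0.1
"""
SMTP_LOG = """\
2008-03-10 09:13:58 queue=1A2B3C client=203.0.113.7 from=<news@example.net>
2008-03-10 09:14:01 queue=1A2B3C relay=10.0.0.25 status=sent
2008-03-10 09:18:30 queue=4D5E6F client=198.51.100.22 from=<bob@example.org>
2008-03-10 09:20:44 queue=4D5E6F relay=10.0.0.25 status=sent
2008-03-10 09:20:44 queue=7A8B9C client=192.0.2.9 from=<x@example.com>
"""

TS = "%Y-%m-%d %H:%M:%S"
KV = re.compile(r'(\w+)=("[^"]*"|<[^>]*>|\S+)')

def parse(text):
    """Turn each 'YYYY-mm-dd HH:MM:SS key=value ...' line into a dict with a datetime 'ts'."""
    rows = []
    for line in text.splitlines():
        row = {k: v.strip('"<>') for k, v in KV.findall(line[20:])}
        row["ts"] = datetime.strptime(line[:19], TS)
        rows.append(row)
    return rows

def correlate(ips_text, smtp_text, rule_id="3655", window=timedelta(seconds=5)):
    """For each IPS alert with rule_id, find SMTP queue ids the proxy relayed to the
    alert's dst host at most `window` before the alert, and report the original
    client IP and envelope sender recorded for that queue id."""
    smtp = parse(smtp_text)
    origin = {r["queue"]: r for r in smtp if "client" in r}   # queue id -> accepting line
    relays = [r for r in smtp if "relay" in r]                # queue id -> delivery to internal MTA
    hits = []
    for alert in parse(ips_text):
        if alert.get("id") != rule_id:
            continue
        for r in relays:
            lag = (alert["ts"] - r["ts"]).total_seconds()
            if r["relay"] == alert["dst"] and 0 <= lag <= window.total_seconds():
                o = origin.get(r["queue"], {})
                hits.append((alert["ts"].strftime(TS), r["queue"], o.get("client"), o.get("from")))
    return hits

if __name__ == "__main__":
    for hit in correlate(IPS_LOG, SMTP_LOG):
        print(hit)
```

With the sample data this reports queue 1A2B3C from 203.0.113.7 and 4D5E6F from 198.51.100.22 as the candidate origins of the two alerts; queue 7A8B9C is not matched because it was never relayed to the internal server.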