Hi all,
For a week or so I have been getting an IPS alert each day at the same time (around 12h):
-------------------------------------------------------------------------
Intrusion Prevention Alert
An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.
Details about the intrusion alert:
Message........: INDICATOR-COMPROMISE Suspicious .ru dns query
Details........: Snort ::
Time...........: 2012-10-31 12:51:28
Packet dropped.: yes
Priority.......: high
Classification.: A Network Trojan was detected
IP protocol....: 17 (UDP)
Source IP address: 1.2.3.4
Source port: 56310
Destination IP address: 4.3.2.1
Destination port: 53 (domain)
-----------------------------------------------------------------------
It arrives from 3 different machines with different OSes, and each machine uses a different source port.
We scanned all machines two or three times and couldn't find anything. My question is: is this a well-known false positive, or should we go deeper with our analysis?