
IPS: INDICATOR-COMPROMISE Suspicious .pw dns query

Hi,

For a couple of weeks I'm getting this message from the IPS module.

Message........: INDICATOR-COMPROMISE Suspicious .pw dns query
Details........: http://www.snort.org/search/sid/28039?r=1
Time...........: 2014-08-16 07:29:22
Packet dropped.: yes
Priority.......: high
Classification.: A Network Trojan was Detected
IP protocol....: 17 (UDP)

Source IP address: 192.168.*.30 
Source port: 2599 (meridiandata)
Destination IP address: 192.168.*.1 (home)
Destination port: 53 (domain)


These notifications come in batches of 10 at a time.

Source IP (and thus device) is an Android phone and a Macbook Pro.
Source port is variable for each message.

Is this a false positive, or a real problem? Can't find anything on this matter on the web; even the snort.org URL gives me a 404 error.

Should I disable / ignore these notifications?


  • The .pw domain is the origin of a lot of spam; my guess (I haven't read the actual rule) is that the IPS is detecting outbound queries for something in the .pw domain.  This could indicate an infected host trying to send spam out (mail zombie), or could just be your anti-spam engine querying something with that domain in it.  If it happens in regular intervals, etc. you may want to check that machine (the originator of the DNS lookups -- the DNS proxy could be "hiding" the true source -- one of my requests, by the way, is that Sophos give us a way to see what host is using the DNS proxy for what queries) ... in your case, check .30 out.  If .30 is a DNS server, then check the logs to see which computer is making the query.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • The .pw domain is the origin of a lot of spam; my guess (I haven't read the actual rule) is that the IPS is detecting outbound queries for something in the .pw domain.

    BINGO!

    False positive for me.

    I started getting some of these entries in my IPS log as well. After doing a little research, I found the culprit... My email server.

    I have my email server set up to check the DNS of incoming email. Each entry in the IPS log corresponds to a DNS check, you guessed it, of incoming spam from a .pw domain.

    So if anyone else comes across this thread, who has an email server, compare your email server log timestamps with the IPS log timestamps.

    --------------------------------------------------------------------
    Sophos UTM 9.714-4 - Home User
    Currently testing VM on i3-9100 @ 3.60 GHz
    16 GB RAM
    Dell Optiplex XE
    Intel Core 2 Duo CPU E8600 @ 3.33GHz
    8GB RAM
    --------------------------------------------------------------------

  • Was it spam or legitimate email?

    Barry
  • Was it spam or legitimate email?

    Barry

    It's spam. I have never received legit email from a .pw domain but of course I'm not suggesting all mail from a .pw domain is always going to be spam.


  • In case it matters, I see the identical warning. In my case, the root cause is visiting a specific website. 

    My guess is that advertising or advertising images coming through that website are in the .pw domain. It does not happen with any other website that I (or anyone in my family) visits, just the one. 

    How do I know? The live logs start displaying the warnings when I visit the website, and stop when I close the browser window.
  • If it's not breaking anything, leave the rule on.

    If the alerts are annoying, you can keep the rule on, but disable the alerts, under 'Rule Modification' on the last tab of the IPS settings; use the SID from the logs (28039 in this case).

    Barry
  • I'm getting a similar issue on my Web Server interface.
    Intrusion Prevention Alert

    An intrusion has been detected. The packet has been dropped automatically.
    You can toggle this rule between "drop" and "alert only" in WebAdmin.

    Details about the intrusion alert:

    Message........: INDICATOR-COMPROMISE Suspicious .tk dns query
    Details........: https://www.snort.org/search?query=39867
    Time...........: 2016-10-11 18:21:02
    Packet dropped.: yes
    Priority.......: high
    Classification.: A Network Trojan was Detected
    IP protocol....: 17 (UDP)

    Source IP address: 172.xx.xx.xx (xxxxx)
    Source port: 41016
    Destination IP address: 208.67.222.222 (resolver1.opendns.com)
    Destination port: 53 (domain)

    --
    System Uptime      : 9 days 18 hours 6 minutes
    System Load        : 0.06
    System Version     : Sophos UTM 9.407-3

    Please refer to the manual for detailed instructions.

    I am guessing it is a Webscript or something trying to get to the .tk domain???

    I take it the IPS log should give some more detail?

    Regards Simon

    UTM - 9.411-3 | Intel(R) Core(TM) i5-3550 CPU @ 3.30GHz
    8GB Memory | Samsung EVO 850 120GB SDD | Intel GB Ethernet x3

  • Should the device at 172.xx.xx.xx be requesting name resolution for an FQDN with a .tk domain?  If that's not clear, you will want to scan the device for malware.

    Cheers - Bob
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • This is how we track this.

    We get the error

    Message........: INDICATOR-COMPROMISE Suspicious .top dns query
    Details........: https://www.snort.org/search?query=43687
    Time...........: 2017-09-27 09:58:05
    Packet dropped.: yes
    Priority.......: low
    Classification.: Misc activity
    IP protocol....: 17 (UDP)
    ...

    We login to the UTM "logs" or "archived logs" depending on the date time stamp.

    for "Intrusion Prevention"

       Logging and Reporting > View Log Files > Appropriate Tab ("Today's Log Files" or "Archived Log Files") > Intrusion Prevention System

    Go to Local DNS Server dns logs

       Windows > System32 > dns

       Search time stamp

    9/26/2017 5:38:38 PM 0920 PACKET  00000018F96D41A0 UDP Rcv 192.168.12.235      4ffc   Q [0001   D   NOERROR] A      (10)taskboards(3)top(0)

       search (3)top or in your case (3)pw  ....   to find the rogue domain

          Ours in this case was taskboards.top

          In logs (3) = . (the last dot)

    Optional to verify

      In browser URL paste domain & watch the intrusion alerts roll in on your email alerts.

    Black list domain in UTM

    Search Whois and notify abuse

    Let others know about the rogue domain

    http://www.anti-abuse.org/multi-rbl-check/

    That should take care of it .... make sure you follow through to help others.
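The tracking procedure in the post above (decode the length-prefixed name in the Windows DNS debug log, then match it against the IPS alert timestamp) can be scripted. This is an added example, not code from the thread or from Sophos; it assumes the single log line layout quoted above, and the watched TLD list, alert time and two of the three sample lines are constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta

# Windows DNS debug log writes the queried name as length-prefixed labels,
# e.g. "(10)taskboards(3)top(0)"; the trailing (0) is the root label.
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")
LINE_RE = re.compile(  # field layout assumed from the line quoted in the thread
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) .*? UDP Rcv "
    r"(?P<client>\d{1,3}(?:\.\d{1,3}){3}) .*?\] (?P<qtype>\S+)\s+(?P<name>\(.*\))\s*$"
)
WATCHED_TLDS = {"pw", "tk", "top"}  # the TLDs the Snort rules in this thread fire on

def decode_labels(encoded):
    # "(10)taskboards(3)top(0)" -> "taskboards.top"
    labels = []
    for length, text in LABEL_RE.findall(encoded):
        if int(length) == 0:
            break  # root label ends the name
        if len(text) != int(length):
            raise ValueError("label length mismatch: %r" % encoded)
        labels.append(text)
    return ".".join(labels)

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # not a UDP receive record in the assumed layout
    return {"time": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"), "client": m["client"],
            "qtype": m["qtype"], "name": decode_labels(m["name"])}

def suspicious_queries(log_lines, alert_time, window=timedelta(minutes=2)):
    # (client, name) for every query to a watched TLD within +/- window of the IPS alert
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tld = rec["name"].rsplit(".", 1)[-1].lower()
        if tld in WATCHED_TLDS and abs(rec["time"] - alert_time) <= window:
            hits.append((rec["client"], rec["name"]))
    return hits

# Constructed sample: first line is the one quoted in the thread, the other two are made up.
SAMPLE_LOG = """\
9/26/2017 5:38:38 PM 0920 PACKET  00000018F96D41A0 UDP Rcv 192.168.12.235      4ffc   Q [0001   D   NOERROR] A      (10)taskboards(3)top(0)
9/26/2017 5:38:40 PM 0920 PACKET  00000018F96D41A0 UDP Rcv 192.168.12.50       4ffd   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
9/26/2017 5:39:02 PM 0920 PACKET  00000018F96D41A0 UDP Rcv 192.168.12.235      4ffe   Q [0001   D   NOERROR] MX     (4)mail(7)example(2)pw(0)
""".splitlines()
ALERT_TIME = datetime(2017, 9, 26, 17, 38, 38)  # constructed IPS alert timestamp

def demo_hits():
    return suspicious_queries(SAMPLE_LOG, ALERT_TIME)
```

The benign .com query is dropped; both watched-TLD queries come back with the client that issued them, which is the host to inspect.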