IPS: INDICATOR-COMPROMISE Suspicious .pw dns query

Hi,

For a couple of weeks I've been getting this message from the IPS module.

Message........: INDICATOR-COMPROMISE Suspicious .pw dns query
Details........: http://www.snort.org/search/sid/28039?r=1
Time...........: 2014-08-16 07:29:22
Packet dropped.: yes
Priority.......: high
Classification.: A Network Trojan was Detected
IP protocol....: 17 (UDP)

Source IP address: 192.168.*.30 
Source port: 2599 (meridiandata)
Destination IP address: 192.168.*.1 (home)
Destination port: 53 (domain)


These notifications come in batches of 10 at a time.

The source IP (and thus device) is an Android phone and a MacBook Pro.
The source port is different for each message.

Is this a false positive, or a real problem? I can't find anything on this matter on the web; even the snort.org URL gives me a 404 error.

Should I disable / ignore these notifications?


  • If it's not breaking anything, leave the rule on.

    If the alerts are annoying, you can keep the rule on, but disable the alerts, under 'Rule Modification' on the last tab of the IPS settings; use the SID from the logs (28039 in this case).

    Barry
  • I'm getting a similar issue on my Web Server interface.

    Intrusion Prevention Alert

    An intrusion has been detected. The packet has been dropped automatically.
    You can toggle this rule between "drop" and "alert only" in WebAdmin.

    Details about the intrusion alert:

    Message........: INDICATOR-COMPROMISE Suspicious .tk dns query
    Details........: https://www.snort.org/search?query=39867
    Time...........: 2016-10-11 18:21:02
    Packet dropped.: yes
    Priority.......: high
    Classification.: A Network Trojan was Detected
    IP protocol....: 17 (UDP)

    Source IP address: 172.xx.xx.xx (xxxxx)
    Source port: 41016
    Destination IP address: 208.67.222.222 (resolver1.opendns.com)
    Destination port: 53 (domain)

    --
    System Uptime      : 9 days 18 hours 6 minutes
    System Load        : 0.06
    System Version     : Sophos UTM 9.407-3

    Please refer to the manual for detailed instructions.
    I am guessing it is a web script or something trying to get to the .tk domain?
     
    I take it the IPS log should give some more detail?

    Regards Simon

    UTM - 9.411-3 | Intel(R) Core(TM) i5-3550 CPU @ 3.30GHz
    8GB Memory | Samsung EVO 850 120GB SDD | Intel GB Ethernet x3

  • Should the device at 172.xx.xx.xx be requesting name resolution for an FQDN with a .tk domain?  If that's not clear, you will want to scan the device for malware.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
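The alert text above shows only the source IP, the resolver and the port, not the name that was queried, so Bob's question ("should this device be asking for a .tk name?") cannot be answered from the notification alone. The following is an added example, not part of the thread and not Sophos or Snort code: it parses the question section of raw DNS query messages (RFC 1035 wire format, as captured from the internal interface with a packet capture tool) and reports, per source host, the names whose top-level domain is in a watch list. It only approximates what a TLD-matching IPS rule such as the ones cited here does; the watch list, the sample IPs and the sample names are constructed for the example.

```python
import struct

# TLDs the two alerts in this thread refer to; extend as needed (constructed watch list)
WATCHED_TLDS = {"pw", "tk"}


def parse_qname(payload, offset=12):
    """Return (name, next_offset) for the QNAME that starts at `offset` in a raw DNS message."""
    labels = []
    while True:
        if offset >= len(payload):
            raise ValueError("truncated QNAME")
        length = payload[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers are legal in answers but not expected in a query's question
            raise ValueError("compression pointer in question QNAME")
        labels.append(payload[offset:offset + length].decode("ascii", errors="replace"))
        offset += length
    return ".".join(labels), offset


def dns_queries(payload):
    """Yield (qname, qtype) for every question in a DNS *query* message; responses yield nothing."""
    if len(payload) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", payload[:12])
    if flags & 0x8000:          # QR bit set: this is a response, not a query
        return
    offset = 12
    for _ in range(qdcount):
        name, offset = parse_qname(payload, offset)
        if offset + 4 > len(payload):
            raise ValueError("truncated question section")
        qtype, qclass = struct.unpack("!HH", payload[offset:offset + 4])
        offset += 4
        yield name, qtype


def suspicious_queries(payload, watched=WATCHED_TLDS):
    """Questions in `payload` whose last label (the TLD) is on the watch list."""
    return [(name, qtype) for name, qtype in dns_queries(payload)
            if name.rsplit(".", 1)[-1].lower() in watched]


def report(records, watched=WATCHED_TLDS):
    """Map each source IP to the watched-TLD names it asked for; unparsable payloads are skipped."""
    hits = {}
    for src_ip, payload in records:
        try:
            names = [name for name, _ in suspicious_queries(payload, watched)]
        except ValueError:
            continue
        if names:
            hits.setdefault(src_ip, []).extend(names)
    return hits


def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal standard DNS query (RD set) for `name`; used here to construct test input."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    # Constructed sample traffic (not data from the thread): two internal hosts, three queries
    sample = [
        ("192.168.0.30", build_query("www.example.com")),
        ("192.168.0.30", build_query("tracker.example.tk")),
        ("192.168.0.31", build_query("mail.example.org", qtype=15)),
    ]
    for src, names in report(sample).items():
        print(src, "->", ", ".join(names))
```

Feeding this the UDP payloads of port-53 traffic from the flagged host gives the actual names behind the alert; if they belong to something the owner recognises (a legitimate .tk or .pw site), keeping the rule in alert-only mode as Barry suggests is reasonable, and if not, Bob's advice to scan the device applies.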