IPS: INDICATOR-COMPROMISE Suspicious .pw dns query

Hi,

For a couple of weeks I'm getting this message from the IPS module.

Message........: INDICATOR-COMPROMISE Suspicious .pw dns query
Details........: http://www.snort.org/search/sid/28039?r=1
Time...........: 2014-08-16 07:29:22
Packet dropped.: yes
Priority.......: high
Classification.: A Network Trojan was Detected
IP protocol....: 17 (UDP)

Source IP address: 192.168.*.30
Source port: 2599 (meridiandata)
Destination IP address: 192.168.*.1 (home)
Destination port: 53 (domain)

These notifications come in batches of 10 at a time.

Source IP (and thus device) is an Android phone and a MacBook Pro.
Source port is variable for each message.

Is this a false positive, or a real problem? I can't find anything on this matter on the web; even the snort.org URL gives me a 404 error.

Should I disable / ignore these notifications?

  • This is how we track this.

    We get the error

    Message........: INDICATOR-COMPROMISE Suspicious .top dns query
    Details........: https://www.snort.org/search?query=43687
    Time...........: 2017-09-27 09:58:05
    Packet dropped.: yes
    Priority.......: low
    Classification.: Misc activity
    IP protocol....: 17 (UDP)
    ...

    We log in to the UTM "logs" or "archived logs" depending on the date/time stamp.

    For "Intrusion Prevention":

       Logging and Reporting > View Log Files > Appropriate Tab ("Today's Log Files" or "Archived Log Files") > Intrusion Prevention System

    Go to the local DNS server's DNS logs:

       Windows > System32 > dns

       Search the time stamp:

    9/26/2017 5:38:38 PM 0920 PACKET  00000018F96D41A0 UDP Rcv 192.168.12.235      4ffc   Q [0001   D   NOERROR] A      (10)taskboards(3)top(0)

       Search (3)top, or in your case (3)pw, to find the rogue domain.

          Ours in this case was taskboards.top

          In logs (3) = . (the last dot)

    Optional, to verify:

      In the browser URL bar paste the domain & watch the intrusion alerts roll in on your email alerts.

    Blacklist the domain in the UTM.

    Search Whois and notify abuse.

    Let others know about the rogue domain:

    http://www.anti-abuse.org/multi-rbl-check/

    That should take care of it .... make sure you follow through to help others.
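The reply's procedure (correlate the UTM alert time with the Windows DNS server debug log, decode the length-prefixed names where "(3)" stands for a three-letter TLD, and pull out which internal client asked for a .pw or .top name) as an added Python example. This is not code from the thread or from Sophos; the log lines are constructed for the example (the first copies the one quoted in the reply, the example.pw / example.com entries are placeholders), and the TLD set, the time window and the function names are my own choices. The same decoder answers the original poster's .pw alert, since the Snort rule in both posts keys on the TLD of the queried name.

```python
import re
from datetime import datetime

# Constructed sample of a Windows DNS Server debug log with packet logging on.
# The first line copies the one quoted in the reply; the rest are made up for
# this example (example.pw / example.com are placeholders, not real findings).
SAMPLE_DNS_LOG = """\
9/26/2017 5:38:38 PM 0920 PACKET  00000018F96D41A0 UDP Rcv 192.168.12.235      4ffc   Q [0001   D   NOERROR] A      (10)taskboards(3)top(0)
9/26/2017 5:38:39 PM 0920 PACKET  00000018F96D41A0 UDP Rcv 192.168.12.30       1a2b   Q [0001   D   NOERROR] A      (3)www(7)example(2)pw(0)
9/26/2017 5:38:40 PM 0920 PACKET  00000018F96D41A0 UDP Rcv 192.168.12.30       1a2c   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
9/26/2017 5:38:40 PM 0920 PACKET  00000018F96D41A0 UDP Snd 192.168.12.30       1a2b R Q [8081   DR  NOERROR] A      (3)www(7)example(2)pw(0)
"""

# One packet line: timestamp, thread id, PACKET, buffer address, protocol,
# direction, remote IP, transaction id, optional "R" (response), "Q", the
# flags block, the query type and the length-prefixed name.
LINE_RE = re.compile(
    r"^(?P<time>\S+ \S+ [AP]M) \S+ PACKET\s+\S+ (?P<proto>UDP|TCP) (?P<dir>Rcv|Snd) "
    r"(?P<ip>\S+)\s+(?P<xid>[0-9a-fA-F]+)\s+(?P<resp>R?)\s*Q \[(?P<flags>[^\]]*)\] "
    r"(?P<qtype>\S+)\s+(?P<name>\(\d+\)\S*)$"
)

# The TLDs named in the thread's two alerts (.pw in the question, .top in the reply).
SUSPICIOUS_TLDS = {"pw", "top"}


def decode_name(encoded: str) -> str:
    """Turn the log's "(10)taskboards(3)top(0)" into "taskboards.top".

    Each "(n)" is the length of the label that follows, which is why the reply
    says "(3) = ." for a three-letter TLD; "(0)" is the root label ending the name.
    """
    labels = []
    for length, label in re.findall(r"\((\d+)\)([^(]*)", encoded):
        n = int(length)
        if n == 0:
            break
        if len(label) != n:
            raise ValueError(f"label length mismatch in {encoded!r}: ({n}) vs {label!r}")
        labels.append(label)
    return ".".join(labels)


def find_suspicious_queries(log_text: str, tlds=SUSPICIOUS_TLDS) -> list:
    """Return client queries (Rcv, not responses) for names under the given TLDs."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m or m.group("dir") != "Rcv" or m.group("resp"):
            continue
        try:
            name = decode_name(m.group("name"))
        except ValueError:
            continue  # skip a malformed line rather than abort the whole search
        if name.rsplit(".", 1)[-1].lower() in tlds:
            hits.append({"time": m.group("time"), "client": m.group("ip"),
                         "qtype": m.group("qtype"), "name": name})
    return hits


def queries_near_alert(log_text: str, alert_time: str, window_seconds: int = 60,
                       tlds=SUSPICIOUS_TLDS) -> list:
    """Narrow the hits to those within window_seconds of a UTM alert time.

    alert_time uses the UTM's format ("2017-09-27 09:58:05"); the DNS log uses
    "9/26/2017 5:38:38 PM". Both are read as the local time of the respective box.
    """
    alert = datetime.strptime(alert_time, "%Y-%m-%d %H:%M:%S")
    near = []
    for hit in find_suspicious_queries(log_text, tlds):
        seen = datetime.strptime(hit["time"], "%m/%d/%Y %I:%M:%S %p")
        if abs((seen - alert).total_seconds()) <= window_seconds:
            near.append(hit)
    return near


if __name__ == "__main__":
    # Hypothetical alert time chosen to line up with the constructed log above.
    for hit in queries_near_alert(SAMPLE_DNS_LOG, "2017-09-26 17:38:38", window_seconds=5):
        print(f'{hit["time"]}  {hit["client"]}  {hit["qtype"]}  {hit["name"]}')
```

Point the script at the real dns.log under System32\dns with the UTM alert's timestamp and it lists the internal clients that queried the flagged TLD, which is the step the reply does by eye with a text search for "(3)top". Responses (the "Snd ... R Q" lines) are skipped on purpose, since only the received query names the client that asked; the UTM and DNS server clocks must agree for the time window to be meaningful.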
