
SOPHOS UTM 9.3 – can't disable an IPS rule

Hello everyone,

I downloaded and set up a home firewall with Sophos UTM 9.305-4. I also activated the IPS subsystem (Snort). But when I tried to use the DNS Benchmark program (https://www.grc.com/dns/benchmark.htm) it triggered the IPS with the following:


2014:12:25-10:57:27 firewall snort[16150]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected" group="241" srcip="10.0.0.3" dstip="68.4.16.25" proto="17" srcport="63828" dstport="53" sid="26267" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
. . .
2014:12:25-10:57:30 firewall snort[16150]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected" group="241" srcip="10.0.0.3" dstip="199.2.252.10" proto="17" srcport="63828" dstport="53" sid="26267" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"


I tried to disable RULE 2101 in “Manual rule modification” | “Modified rules” by setting it to “disabled”. I also tried changing all actions in “Attack Patterns” from “Drop” to “Alert”.
In both cases the IPS still blocks the program and the mentioned lines still appear in the log.

What am I doing wrong? How could I disable this IDS rule without stopping the whole system?
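As an added example (not code from the original post or from Sophos), here is a small Python parser for the UTM IPS alert lines quoted above. It keeps the Snort signature number (`sid`) separate from the `id` field, which is the UTM log-message id of the alert message type rather than a rule number, and groups the hits per signature so you can see which resolvers one signature fired on; the two sample lines are constructed from the post's log excerpt.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Sophos UTM IPS log format quoted in the post.
SAMPLE_LOG = """\
2014:12:25-10:57:27 firewall snort[16150]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected" group="241" srcip="10.0.0.3" dstip="68.4.16.25" proto="17" srcport="63828" dstport="53" sid="26267" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
2014:12:25-10:57:30 firewall snort[16150]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected" group="241" srcip="10.0.0.3" dstip="199.2.252.10" proto="17" srcport="63828" dstport="53" sid="26267" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')            # key="value" pairs
PREFIX_RE = re.compile(r'^(\S+) (\S+) (\w+)\[(\d+)\]: ')  # timestamp host proc[pid]:

def parse_ips_line(line):
    """Parse one UTM IPS alert line into a dict of its key="value" fields plus
    the timestamp/host/process prefix. Returns None for non-IPS lines."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line[m.end():]))
    if fields.get("sub") != "ips":
        return None
    fields.update(timestamp=m.group(1), host=m.group(2), process=m.group(3))
    return fields

def summarize_by_sid(log_text):
    """Group IPS alerts by Snort signature id (sid). The leading id="2101" is
    the UTM message id of the alert line type, not the Snort rule number, so
    grouping on it would lump every signature together."""
    summary = defaultdict(lambda: {"reason": None, "hits": 0, "dstips": set(), "actions": set()})
    for line in log_text.splitlines():
        f = parse_ips_line(line)
        if f is None:
            continue
        entry = summary[f["sid"]]
        entry["reason"] = f["reason"]
        entry["hits"] += 1
        entry["dstips"].add(f["dstip"])
        entry["actions"].add(f["action"])
    return dict(summary)

if __name__ == "__main__":
    for sid, info in summarize_by_sid(SAMPLE_LOG).items():
        print(f'sid {sid}: {info["hits"]} hits, action {sorted(info["actions"])}, '
              f'{len(info["dstips"])} destination resolvers, reason: {info["reason"]}')
```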

