Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 8 replies
  • Answers 1 answer
  • Subscribers 5 subscribers
  • Views 9284 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

False Intrusion alarms

SteveHart

We're getting many false alarms out of our Instrusion Detection.

Example:

Intrusion Prevention Alert

An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.

Details about the intrusion alert:

Message........: INDICATOR-COMPROMISE Suspicious .tk dns query
Details........: www.snort.org/search
Time...........: 2016-09-13 01:24:27
Packet dropped.: yes
Priority.......: high
Classification.: A Network Trojan was Detected IP protocol....: 17 (UDP)

Source IP address: 10.10.60.26 (corp-dc03a.wrightbg.com) Source port: 59607 Destination IP address: 216.136.95.2 (ns1.twtelecom.net) Destination port: 53 (domain)

--
HA Status : HA MASTER (node id: 1)
System Uptime : 9 days 11 hours 20 minutes
System Load : 0.27
System Version : Sophos UTM 9.405-5

Please refer to the manual for detailed instructions.

---


10.10.60.26 is one of our internal DNS servers. Looking through the logs there, the requests are coming from our SpamTitan anti-spam box. The DNS requests are for the servers that they use for email testing. The requests are perfectly legit.

Is there a way to somehow "whitelist" these remote servers, so the intrusion detection doesn't block them?



This thread was automatically locked due to age.
  • 0

    Hi Steve,

    Make sure the pattern is up2date. Add all internal HTTP, DNS, SMTP and SQL Servers to the appropriate dialog box in the 'Advanced' section for IPS configuration.

    Finally, scan the DNS server to make sure it is not compromised.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0 in reply to sachingurung

    We've verified that the DNS are made by the spam-titan server. These are legitimate DNS requests. How do we find out why a server is flagged by Sophos?

  • 0 in reply to SteveHart

    Hi Steve,

    As you see in the reports you get the source IP address of the infected device. Configure an exception for the same if you are sure that is a false positive.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0 in reply to sachingurung

    I've thought of that but since these are DNS alerts, the IP listed is our DNS server. These particular requests from our email gateway are false positives, but other requests from malwared machines will come through same DNS server.

    How can a stop the false positives without disabling any true alerts?

  • +1

    I don't think you can whitelist the specific server. What you can do is make an exception on rule 39867 (the rule that is triggered by this DNS request)

    Do so in Network protection -> Intrustion prevention -> Advanced -> Manual rule modification.

    There you can disable the specific rule or let the specific rule only Alert and not drop.

    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • 0 in reply to apijnappels

    That's sounds like a plan.

     

    THANK YOU!

  • 0 in reply to SteveHart

    I would not do that to be honest.

    What you want to do really is to set up your UTM as a main DNS server, than setup DNS forwarder for your domain suffix (ie. contoso.local -> contoso DC(s)). This way each client on the network will ask your UTM for DNS resolution first and it will be visible right away if there is any infected host. For any internal domain queries your UTM will forward requests to your DC for resolution.

    Best approach in my opinion.

  • 0 in reply to JohnSmith4

    Agreed, John, better to get the warning.  In general, I still prefer the approach outlined in DNS best practice, but it can be modified temporarily when there's this kind of problem and the internal name server doesn't have good, complete logs.  Just have DHCP assign the UTM first until you find the culprit and then change it back.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Unfiltered HTML