False Intrusion alarms

We're getting many false alarms out of our Intrusion Detection.

Example:

Intrusion Prevention Alert

An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.

Details about the intrusion alert:

Message........: INDICATOR-COMPROMISE Suspicious .tk dns query
Details........: www.snort.org/search
Time...........: 2016-09-13 01:24:27
Packet dropped.: yes
Priority.......: high
Classification.: A Network Trojan was Detected
IP protocol....: 17 (UDP)

Source IP address: 10.10.60.26 (corp-dc03a.wrightbg.com)
Source port: 59607
Destination IP address: 216.136.95.2 (ns1.twtelecom.net)
Destination port: 53 (domain)

--
HA Status : HA MASTER (node id: 1)
System Uptime : 9 days 11 hours 20 minutes
System Load : 0.27
System Version : Sophos UTM 9.405-5

Please refer to the manual for detailed instructions.

---


10.10.60.26 is one of our internal DNS servers. Looking through the logs there, the requests are coming from our SpamTitan anti-spam box. The DNS requests are for the servers that they use for email testing. The requests are perfectly legit.

Is there a way to somehow "whitelist" these remote servers, so the intrusion detection doesn't block them?



I've thought of that but since these are DNS alerts, the IP listed is our DNS server. These particular requests from our email gateway are false positives, but other requests from malwared machines will come through the same DNS server.

How can I stop the false positives without disabling any true alerts?
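As an added example (not code from either poster or from Sophos), one way to act on the point made in the reply: parse the UTM alert, then use the DNS server's own query log to attribute the .tk lookup to the internal client that actually asked for it, so the email gateway's lookups can be dismissed without silencing the rule for every other host behind that DNS server. The DNS log line format, the client address 10.10.60.50 (standing in for the SpamTitan box) and the .tk names are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed Sophos UTM IPS alert body, using the field layout quoted in the thread.
ALERT = """Message........: INDICATOR-COMPROMISE Suspicious .tk dns query
Time...........: 2016-09-13 01:24:27
Source IP address: 10.10.60.26 (corp-dc03a.wrightbg.com) Source port: 59607 Destination IP address: 216.136.95.2 (ns1.twtelecom.net) Destination port: 53 (domain)"""

# Constructed DNS-server query log in a simplified generic format (not a real product's):
# "<timestamp> client <ip> query <name>". 10.10.60.50 stands in for the SpamTitan box.
DNS_LOG = """2016-09-13 01:24:26 client 10.10.60.50 query mailtest.example.tk
2016-09-13 01:24:27 client 10.10.60.77 query update.example.tk
2016-09-13 01:30:00 client 10.10.60.50 query mx.example.com"""

# Internal clients whose .tk lookups are known to be legitimate (the email gateway's tests).
KNOWN_LEGIT_CLIENTS = {"10.10.60.50"}
# How far apart the alert and the DNS log entry may be and still be correlated.
WINDOW = timedelta(seconds=2)

def parse_alert(text):
    """Pull message, timestamp and source/destination IPs out of the alert body."""
    msg = re.search(r"^Message\.+: (.+)$", text, re.M).group(1)
    raw_ts = re.search(r"^Time\.+: (.+)$", text, re.M).group(1)
    src = re.search(r"Source IP address: ([\d.]+)", text).group(1)
    dst = re.search(r"Destination IP address: ([\d.]+)", text).group(1)
    return {"message": msg, "time": datetime.strptime(raw_ts, "%Y-%m-%d %H:%M:%S"),
            "src": src, "dst": dst}

def tk_queries_near(log, when):
    """Return (client, name) for .tk queries logged within WINDOW of the alert time."""
    hits = []
    for line in log.splitlines():
        m = re.match(r"(\S+ \S+) client (\S+) query (\S+)$", line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if abs(ts - when) <= WINDOW and m.group(3).lower().endswith(".tk"):
            hits.append((m.group(2), m.group(3)))
    return hits

def triage(alert_text, dns_log):
    """Attribute the alert to the real querying client(s); decide per client, not per rule."""
    alert = parse_alert(alert_text)
    verdicts = {}
    for client, name in tk_queries_near(dns_log, alert["time"]):
        verdicts[client] = "false-positive" if client in KNOWN_LEGIT_CLIENTS else "escalate"
    return verdicts

if __name__ == "__main__":
    print(triage(ALERT, DNS_LOG))
```

The alert itself only ever names the DNS server, so the decision has to be made on the attributed client; the rule stays in "drop" mode and only the known gateway's hits are filed as false positives.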
