
False Intrusion alarms

We're getting many false alarms out of our Intrusion Detection.

Example:

Intrusion Prevention Alert

An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.

Details about the intrusion alert:

Message........: INDICATOR-COMPROMISE Suspicious .tk dns query
Details........: www.snort.org/search
Time...........: 2016-09-13 01:24:27
Packet dropped.: yes
Priority.......: high
Classification.: A Network Trojan was Detected
IP protocol....: 17 (UDP)

Source IP address: 10.10.60.26 (corp-dc03a.wrightbg.com)
Source port: 59607
Destination IP address: 216.136.95.2 (ns1.twtelecom.net)
Destination port: 53 (domain)

--
HA Status : HA MASTER (node id: 1)
System Uptime : 9 days 11 hours 20 minutes
System Load : 0.27
System Version : Sophos UTM 9.405-5

Please refer to the manual for detailed instructions.

---


10.10.60.26 is one of our internal DNS servers. Looking through the logs there, the requests are coming from our SpamTitan anti-spam box. The DNS requests are for the servers that they use for email testing. The requests are perfectly legit.

Is there a way to somehow "whitelist" these remote servers, so the intrusion detection doesn't block them?
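The alert above names the internal resolver (10.10.60.26) as the source because the IPS only sees the recursive query the DNS server forwarded, not the client that originally asked. The only place the real origin is recorded is the DNS server's own query log, which is how the poster traced it to the SpamTitan box. The following is an added example, not code from the thread or from Sophos, of that triage step: parse BIND-style query log lines (a constructed sample, with an assumed address 10.10.60.40 for the anti-spam appliance), attribute every .tk lookup to the client that sent it, and report any client that is not on the allowlist of hosts known to resolve .tk names legitimately. That leftover set is what still needs a look even after rule 39867 is switched to alert only.

```python
import re
from collections import defaultdict

# Constructed sample of BIND-style query log lines, as the internal resolver
# (10.10.60.26 in the alert) would write them. The "client" field is the
# originating host, which the IPS alert cannot show.
SAMPLE_QUERY_LOG = """\
13-Sep-2016 01:24:26.912 client 10.10.60.40#41233 (dbl.example-mailfilter.tk): query: dbl.example-mailfilter.tk IN A + (10.10.60.26)
13-Sep-2016 01:24:27.101 client 10.10.60.40#41234 (rbl.example-mailfilter.tk): query: rbl.example-mailfilter.tk IN A + (10.10.60.26)
13-Sep-2016 01:24:27.330 client 10.10.70.15#55012 (www.example.com): query: www.example.com IN A + (10.10.60.26)
13-Sep-2016 01:24:28.004 client 10.10.70.99#60441 (update.lookslike-bad.tk): query: update.lookslike-bad.tk IN A + (10.10.60.26)
"""

# Hosts that legitimately resolve .tk names. 10.10.60.40 is an assumed
# address standing in for the SpamTitan appliance from the thread.
ALLOWED_TK_CLIENTS = {"10.10.60.40"}

# Matches the client IP, the queried name and the record type in one log line.
QUERY_RE = re.compile(
    r"client (?P<client>\d+\.\d+\.\d+\.\d+)#\d+ .*?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def tk_queries_by_client(log_text):
    """Map each client IP to the set of .tk names it asked the resolver for."""
    result = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if qname.endswith(".tk"):
            result[m.group("client")].add(qname)
    return dict(result)


def unexpected_tk_clients(log_text, allowed=ALLOWED_TK_CLIENTS):
    """Return {client: names} for clients NOT on the allowlist; these are the
    lookups that still deserve investigation once the rule is set to alert only."""
    return {
        client: names
        for client, names in tk_queries_by_client(log_text).items()
        if client not in allowed
    }


if __name__ == "__main__":
    for client, names in sorted(unexpected_tk_clients(SAMPLE_QUERY_LOG).items()):
        print(f"{client}: {', '.join(sorted(names))}")
```

Run against a real resolver log, the script narrows a flood of identical IPS alerts to the handful of clients that were not expected to touch the flagged TLD; everything attributed to the allowlisted appliance can be dismissed without disabling the rule outright.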

  • I don't think you can whitelist the specific server. What you can do is make an exception on rule 39867 (the rule that is triggered by this DNS request)

    Do so in Network protection -> Intrusion prevention -> Advanced -> Manual rule modification.

    There you can disable the specific rule or let the specific rule only Alert and not drop.


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • That sounds like a plan.


    THANK YOU!

  • I would not do that to be honest.

    What you want to do really is to set up your UTM as a main DNS server, then set up a DNS forwarder for your domain suffix (i.e. contoso.local -> contoso DC(s)). This way each client on the network will ask your UTM for DNS resolution first and it will be visible right away if there is any infected host. For any internal domain queries your UTM will forward requests to your DC for resolution.

    Best approach in my opinion.

  • Agreed, John, better to get the warning. In general, I still prefer the approach outlined in DNS best practice, but it can be modified temporarily when there's this kind of problem and the internal name server doesn't have good, complete logs. Just have DHCP assign the UTM first until you find the culprit and then change it back.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA