Message........: INDICATOR-COMPROMISE Suspicious .ml dns query on www.google.ml

When accessing the legitimate site google.ml, Intrusion Prevention blocks it:

Intrusion Prevention Alert

An intrusion has been detected. The packet has been dropped automatically.

You can toggle this rule between "drop" and "alert only" in WebAdmin.

Details about the intrusion alert:

Message........: INDICATOR-COMPROMISE Suspicious .ml dns query



  • Ronald, please show us the corresponding line from the Intrusion Prevention log file.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Here it is, when browsing to www.google.ml :

    2016:11:16-18:54:39 gateway-1 snort[5688]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .ml dns query " group="241" srcip="192.168.1.249" dstip="192.168.1.205" proto="17" srcport="56519" dstport="53" sid="39866" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
    2016:11:16-18:54:39 gateway-1 snort[5691]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .ml dns query " group="241" srcip="192.168.1.6" dstip="192.168.1.205" proto="17" srcport="34151" dstport="53" sid="39866" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
    2016:11:16-18:54:43 gateway-1 snort[5691]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .ml dns query " group="241" srcip="192.168.1.250" dstip="199.7.91.13" proto="17" srcport="62206" dstport="53" sid="39866" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
  • That's not happening here, so maybe you do have a problem.

    I'm surprised to see traffic from 192.168.1.249 and .6 to 192.168.1.205 showing up here. Is the 192.168.1.0/24 subnet defined on a bridge?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    That's strange, I am able to reproduce it on a pretty straightforward out-of-the-box SG install:

    2016:11:17-08:20:57 gateway snort[32593]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .ml dns query " group="241" srcip="172.16.29.20" dstip="172.16.29.254" proto="17" srcport="51598" dstport="53" sid="39866" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
    2016:11:17-08:21:04 gateway snort[32593]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .ml dns query " group="241" srcip="172.16.29.20" dstip="172.16.29.254" proto="17" srcport="53483" dstport="53" sid="39866" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
    2016:11:17-08:21:08 gateway snort[32593]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .ml dns query " group="241" srcip="172.16.29.20" dstip="172.16.29.254" proto="17" srcport="52843" dstport="53" sid="39866" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
    2016:11:17-08:21:15 gateway snort[32593]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .ml dns query " group="241" srcip="172.16.29.20" dstip="172.16.29.254" proto="17" srcport="52298" dstport="53" sid="39866" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
  • On firmware 9.404-5 the issue does not occur; after upgrading the firmware to 9.408 the issue appears.

  • We are seeing the same thing except for one difference. Ours has the source IP as either of our internal DNS servers, going to x.root-servers.net or to our ISP's DNS servers. We have seen this on multiple releases of UTM 9 firmware, not just since we upgraded. We are currently running 9.408-4. Below is an example.

    2016:11:17-06:37:57 sophos-sct-2 snort[22800]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .ml dns query" group="241" srcip="10.13.69.6" dsp="10.12.0.72" proto="17" srcport="64490" dstport="53" sid="39866" class="Misc activity" priority="3" generator="1" msgid="0"
    2016:11:17-06:38:01 sophos-sct-2 snort[22800]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .ml dns query" group="241" srcip="10.13.69.6" dsp="10.12.0.102" proto="17" srcport="64490" dstport="53" sid="39866" class="Misc activity" priority="3" generator="1" msgid="0"
    2016:11:17-06:38:05 sophos-sct-2 snort[22800]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .ml dns query" group="241" srcip="10.13.69.6" dsp="199.7.91.13" proto="17" srcport="64329" dstport="53" sid="39866" class="Misc activity" priority="3" generator="1" msgid="0".
    We also get some that look the same, but are .tk dns query instead of .ml dns query.

    Is this caused by someone on the network browsing the web? I have tried to look at the DNS logs on our internal server, but I am having issues trying to figure out if this is the case.

    We also get around 200-250 port scans per day from those ISP DNS servers to our web server. I still haven't figured that out.
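To help answer the question above (which internal hosts, and which resolvers, are triggering the drops), here is an added example, not code from any poster in this thread, that parses alert lines in the UTM snort log format quoted here and counts sid 39866 drops by source and destination, flagging whether the destination resolver is internal (RFC 1918) or external. The sample lines are constructed to match the thread's format; the hostname, addresses and ports are made up.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample lines in the Sophos UTM snort log format quoted in this thread.
# Field names and layout follow the thread; host, addresses and ports are made up.
SAMPLE_LOG = """\
2016:11:17-06:37:57 utm-1 snort[22800]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .ml dns query " group="241" srcip="10.13.69.50" dstip="10.13.69.6" proto="17" srcport="51598" dstport="53" sid="39866" class="Misc activity" priority="3" generator="1" msgid="0"
2016:11:17-06:37:58 utm-1 snort[22800]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .ml dns query" group="241" srcip="10.13.69.6" dstip="199.7.91.13" proto="17" srcport="64329" dstport="53" sid="39866" class="Misc activity" priority="3" generator="1" msgid="0"
2016:11:17-06:38:05 utm-1 snort[22800]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .ml dns query" group="241" srcip="10.13.69.6" dstip="199.7.91.13" proto="17" srcport="64490" dstport="53" sid="39866" class="Misc activity" priority="3" generator="1" msgid="0"
"""

# key="value" pairs after the "snort[pid]:" prefix
KV_RE = re.compile(r'(\w+)="([^"]*)"')
HEAD_RE = re.compile(r'^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (\S+) snort\[(\d+)\]: (.*)$')


def parse_line(line):
    """Return the fields of one UTM snort alert line as a dict, or None if it is not one."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group(4)))
    fields["timestamp"], fields["host"] = m.group(1), m.group(2)
    # the lines in the thread carry a trailing space inside reason="..."
    fields["reason"] = fields.get("reason", "").strip()
    return fields


def summarize_drops(text, sid="39866"):
    """Count dropped alerts for one sid, keyed by (srcip, dstip, resolver location)."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_line(line)
        if not f or f.get("sid") != sid or f.get("action") != "drop":
            continue
        dst = f.get("dstip", "")  # some posted lines have a mangled key, so dstip may be absent
        try:
            where = "internal" if ip_address(dst).is_private else "external"
        except ValueError:
            where = "unknown"
        counts[(f.get("srcip", "?"), dst, where)] += 1
    return counts


if __name__ == "__main__":
    for (src, dst, where), n in summarize_drops(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {src:>15} -> {dst:<15} ({where} resolver)")
```

A client-to-internal-resolver pair followed by resolver-to-root-server pairs for the same name is the pattern the thread describes: one browser lookup producing drops at both hops.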
  • google.ml is also browsable from where I am also behind Sophos (UTM not XG though).


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.
