
Message........: INDICATOR-COMPROMISE Suspicious .ml dns query on www.google.ml

When accessing the legitimate site google.ml, Intrusion Prevention blocks it:

Intrusion Prevention Alert

An intrusion has been detected. The packet has been dropped automatically.

You can toggle this rule between "drop" and "alert only" in WebAdmin.

Details about the intrusion alert:

Message........: INDICATOR-COMPROMISE Suspicious .ml dns query



  • Ronald, please show us the corresponding line from the Intrusion Prevention log file.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Here it is, when browsing to www.google.ml:

    2016:11:16-18:54:39 gateway-1 snort[5688]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .ml dns query " group="241" srcip="192.168.1.249" dstip="192.168.1.205" proto="17" srcport="56519" dstport="53" sid="39866" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
    2016:11:16-18:54:39 gateway-1 snort[5691]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .ml dns query " group="241" srcip="192.168.1.6" dstip="192.168.1.205" proto="17" srcport="34151" dstport="53" sid="39866" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
    2016:11:16-18:54:43 gateway-1 snort[5691]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .ml dns query " group="241" srcip="192.168.1.250" dstip="199.7.91.13" proto="17" srcport="62206" dstport="53" sid="39866" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
  • That's not happening here, so maybe you do have a problem.

    I'm surprised to see traffic from 192.168.1.249 and .6 to 192.168.1.205 showing up here. Is the 192.168.1.0/24 subnet defined on a bridge?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    That's strange, I am able to reproduce it on a pretty straightforward out-of-the-box SG install:

    2016:11:17-08:20:57 gateway snort[32593]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .ml dns query " group="241" srcip="172.16.29.20" dstip="172.16.29.254" proto="17" srcport="51598" dstport="53" sid="39866" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
    2016:11:17-08:21:04 gateway snort[32593]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .ml dns query " group="241" srcip="172.16.29.20" dstip="172.16.29.254" proto="17" srcport="53483" dstport="53" sid="39866" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
    2016:11:17-08:21:08 gateway snort[32593]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .ml dns query " group="241" srcip="172.16.29.20" dstip="172.16.29.254" proto="17" srcport="52843" dstport="53" sid="39866" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
    2016:11:17-08:21:15 gateway snort[32593]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .ml dns query " group="241" srcip="172.16.29.20" dstip="172.16.29.254" proto="17" srcport="52298" dstport="53" sid="39866" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
  • On firmware 9.404-5, the issue does not occur; after upgrading the firmware to 9.408, the issue appears.
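An added triage helper, not code from this thread or from Sophos: it parses UTM IPS log lines of the shape Ronald posted (syslog prefix, then key="value" pairs), groups hits by Snort sid, and separates DNS destinations in private ranges (the internal resolvers .205 and .254 seen above) from external servers such as 199.7.91.13, which is the distinction Bob's bridge question turns on. The field names and sid 39866 come from the log lines on this page; the function names are assumptions of this example. Note what the log does not carry: the queried name, so the rule text is the only indication of what matched.

```python
"""Parse Sophos UTM IPS (snort) alert lines and summarize them per rule for triage."""
import ipaddress
import re
from collections import Counter

# Sample input: the three IPS log lines posted in the thread above (taken from the page, not constructed).
SAMPLE_LOG = """\
2016:11:16-18:54:39 gateway-1 snort[5688]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .ml dns query " group="241" srcip="192.168.1.249" dstip="192.168.1.205" proto="17" srcport="56519" dstport="53" sid="39866" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
2016:11:16-18:54:39 gateway-1 snort[5691]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .ml dns query " group="241" srcip="192.168.1.6" dstip="192.168.1.205" proto="17" srcport="34151" dstport="53" sid="39866" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
2016:11:16-18:54:43 gateway-1 snort[5691]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .ml dns query " group="241" srcip="192.168.1.250" dstip="199.7.91.13" proto="17" srcport="62206" dstport="53" sid="39866" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
"""

# Syslog prefix (timestamp, hostname, process[pid]:) followed by key="value" pairs.
LINE_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]:\s+(?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_ips_line(line):
    """Return a dict of fields for one UTM IPS alert line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "pid": int(m.group("pid"))}
    for key, val in KV_RE.findall(m.group("kv")):
        rec[key] = val.strip()  # the real log has a trailing space inside reason="..."
    return rec if rec.get("sub") == "ips" else None


def summarize(log_text):
    """Group alerts by sid: hit/drop counts, source hosts, and DNS destinations split into
    private-range (internal) resolvers versus external servers."""
    by_sid = {}
    for line in log_text.splitlines():
        rec = parse_ips_line(line)
        if rec is None:
            continue
        entry = by_sid.setdefault(rec["sid"], {
            "reason": rec.get("reason", ""), "hits": 0, "dropped": 0,
            "sources": Counter(), "internal_resolvers": set(), "external_dns": set(),
        })
        entry["hits"] += 1
        if rec.get("action") == "drop":
            entry["dropped"] += 1
        entry["sources"][rec["srcip"]] += 1
        # proto 17 = UDP, dstport 53 = DNS. Only packet endpoints are logged, never the queried name.
        if rec.get("proto") == "17" and rec.get("dstport") == "53":
            dst = ipaddress.ip_address(rec["dstip"])
            bucket = "internal_resolvers" if dst.is_private else "external_dns"
            entry[bucket].add(rec["dstip"])
    return by_sid


def report(by_sid):
    """Render the summary as text lines, four per sid."""
    lines = []
    for sid, e in sorted(by_sid.items()):
        lines.append(f'sid {sid}: "{e["reason"]}" hits={e["hits"]} dropped={e["dropped"]}')
        lines.append("  sources: " + ", ".join(f"{ip} ({n})" for ip, n in e["sources"].most_common()))
        lines.append("  internal resolvers: " + (", ".join(sorted(e["internal_resolvers"])) or "-"))
        lines.append("  external DNS servers: " + (", ".join(sorted(e["external_dns"])) or "-"))
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```

Run it against a copy of the IPS log (`/var/log/ips.log` on a UTM is the usual place; adjust to where you export it) instead of `SAMPLE_LOG`. A rule that fires for every client only when the destination is the internal resolver, and for the resolver itself only when it forwards outward, is the pattern of a signature matching ordinary recursive lookups rather than a compromised host; either way the per-sid view tells you which hosts and which toggling of "drop" versus "alert only" in WebAdmin would be affected.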
