Message........: INDICATOR-COMPROMISE Suspicious .ml dns query on www.google.ml

When accessing the legitimate site google.ml, Intrusion Prevention blocks it:

Intrusion Prevention Alert

An intrusion has been detected. The packet has been dropped automatically.

You can toggle this rule between "drop" and "alert only" in WebAdmin.

Details about the intrusion alert:

Message........: INDICATOR-COMPROMISE Suspicious .ml dns query



  • We are seeing the same thing except one difference. Ours has the source IP as either of our internal DNS servers to x.root-servers.net or DNS servers for our ISP. We have seen this on multiple releases of UTM 9 firmware and not just since we upgraded. We are currently running 9.408-4. Below is an example.

    2016:11:17-06:37:57 sophos-sct-2 snort[22800]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .ml dns query" group="241" srcip="10.13.69.6" dsp="10.12.0.72" proto="17" srcport="64490" dstport="53" sid="39866" class="Misc activity" priority="3" generator="1" msgid="0"
    2016:11:17-06:38:01 sophos-sct-2 snort[22800]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .ml dns query" group="241" srcip="10.13.69.6" dsp="10.12.0.102" proto="17" srcport="64490" dstport="53" sid="39866" class="Misc activity" priority="3" generator="1" msgid="0"
    2016:11:17-06:38:05 sophos-sct-2 snort[22800]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .ml dns query" group="241" srcip="10.13.69.6" dsp="199.7.91.13" proto="17" srcport="64329" dstport="53" sid="39866" class="Misc activity" priority="3" generator="1" msgid="0"

    We also get some that look the same, but are .tk dns query instead of .ml dns query.

    Is this caused by someone on the network browsing the web and causing this? I have tried to look at the DNS logs on our internal server but I am having issues trying to figure out if this is the case.

    We also get around 200-250 port scans per day from those ISP DNS servers to our web server. I still haven't figured that out.
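The question in the reply above, whether an internal client browsing a .ml or .tk site is behind alerts whose source is the resolver, can be answered by correlating the UTM IPS log with the internal DNS server's own query log. The script below is an added example and is not code from the thread or from Sophos. It reuses the three IPS lines posted above; the resolver query log is constructed in BIND-style querylog format (the thread does not say which DNS server is in use, so that format, the client address 10.13.69.41 and the 5-second correlation window are assumptions).

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Sophos UTM IPS log lines as posted in the thread (syslog prefix + key="value" fields).
UTM_IPS_LOG = """\
2016:11:17-06:37:57 sophos-sct-2 snort[22800]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .ml dns query" group="241" srcip="10.13.69.6" dsp="10.12.0.72" proto="17" srcport="64490" dstport="53" sid="39866" class="Misc activity" priority="3" generator="1" msgid="0"
2016:11:17-06:38:01 sophos-sct-2 snort[22800]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .ml dns query" group="241" srcip="10.13.69.6" dsp="10.12.0.102" proto="17" srcport="64490" dstport="53" sid="39866" class="Misc activity" priority="3" generator="1" msgid="0"
2016:11:17-06:38:05 sophos-sct-2 snort[22800]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .ml dns query" group="241" srcip="10.13.69.6" dsp="199.7.91.13" proto="17" srcport="64329" dstport="53" sid="39866" class="Misc activity" priority="3" generator="1" msgid="0"
"""

# Constructed resolver query log (BIND-style querylog). The thread does not name the
# internal DNS server or its log format, so this format and these clients are assumed.
RESOLVER_QUERY_LOG = """\
17-Nov-2016 06:37:56.812 client 10.13.69.41#52113: query: www.google.ml IN A + (10.13.69.6)
17-Nov-2016 06:37:58.120 client 10.13.69.77#61002: query: mail.example.com IN A + (10.13.69.6)
17-Nov-2016 06:38:04.503 client 10.13.69.41#52120: query: www.google.ml IN AAAA + (10.13.69.6)
"""

# Internal resolvers whose recursion shows up as the IPS "source" (constructed list;
# 10.13.69.6 is the srcip in the posted lines).
INTERNAL_RESOLVERS = {"10.13.69.6"}

KV_RE = re.compile(r'(\w+)="([^"]*)"')
IPS_TS_RE = re.compile(r'^(\d{4}):(\d{2}):(\d{2})-(\d{2}):(\d{2}):(\d{2})')
QUERY_RE = re.compile(r'^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) client (\S+)#\d+: query: (\S+) IN (\S+)')
TLD_RE = re.compile(r'Suspicious (\.\w+) dns query')


def parse_ips_alerts(text):
    """Parse UTM IPS lines into dicts holding the timestamp and every key="value" field."""
    alerts = []
    for line in text.splitlines():
        m = IPS_TS_RE.match(line)
        if not m:
            continue
        fields = dict(KV_RE.findall(line))
        # The posted lines label the destination "dsp"; newer UTM logs use "dstip".
        fields["dst"] = fields.get("dstip") or fields.get("dsp")
        fields["ts"] = datetime(*(int(x) for x in m.groups()))
        alerts.append(fields)
    return alerts


def summarize(alerts, internal_resolvers):
    """Count alerts by signature, source and destination, tagging whether the source is
    a resolver doing recursion (in which case the originating client is not visible here)."""
    counts = Counter()
    for a in alerts:
        role = "resolver-recursion" if a["srcip"] in internal_resolvers else "client-direct"
        counts[(a["reason"], a["srcip"], a["dst"], role)] += 1
    return counts


def parse_query_log(text):
    """Parse BIND-style querylog lines into (timestamp, client, qname, qtype) records."""
    queries = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        queries.append({"ts": datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f"),
                        "client": m.group(2), "qname": m.group(3).lower(), "qtype": m.group(4)})
    return queries


def correlate(alerts, queries, window_seconds=5):
    """For each IPS alert, list resolver-log queries for the flagged TLD that fall within
    +/- window_seconds of the alert: these are the internal clients behind the lookup."""
    window = timedelta(seconds=window_seconds)
    matches = {}
    for i, a in enumerate(alerts):
        m = TLD_RE.search(a["reason"])
        if not m:
            continue
        tld = m.group(1)
        matches[i] = [(q["client"], q["qname"]) for q in queries
                      if q["qname"].rstrip(".").endswith(tld) and abs(q["ts"] - a["ts"]) <= window]
    return matches


if __name__ == "__main__":
    alerts = parse_ips_alerts(UTM_IPS_LOG)
    for key, n in summarize(alerts, INTERNAL_RESOLVERS).items():
        print(n, key)
    for i, hits in correlate(alerts, parse_query_log(RESOLVER_QUERY_LOG)).items():
        print(alerts[i]["ts"], alerts[i]["srcip"], "->", alerts[i]["dst"], "clients:", hits)
```

Because the resolver recurses on the client's behalf, the IPS only ever sees the resolver as the source of the .ml query toward root or ISP servers (here 10.13.69.6 toward 199.7.91.13). The originating client appears only in the resolver's own query log, so query logging has to be enabled there before a join on time window and TLD like the one above can name the workstation.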