How to create an exception for a site that I am getting an INDICATOR-COMPROMISE Suspicious .pw error

Hi, Brian, and welcome to the UTM Community!

I'm not familiar with that, so I suspect that it's a bit different from what you wrote - please show a picture of the message.

Cheers - Bob

Here is part of the message in the Intrusion Prevention System Log.   if you need anything else, let me know.   I am trying to access a URL with the .pw extension...

I was not able to find an actual .pw site.  I would suspect the error is an actual DNS issue rather than an IPS issue.

Here is the site I am trying to access.  I can access the site by going around the UTM or turning off the IPS.

http://vector.pw

Thanks

Brian

"DNS query" was the missing detail, Brian.  There are some top-level domains (TLDs) that are known to be used primarily for nefarious activities, so Advanced Threat Protection flags the DNS query and this block is reported in the Intrusion Prevention log.  I suspect that you could have disabled ATP instead of Snort and then been able to do the DNS query.

Google tld pw and you will see what the problem is.  The domain vector.pw has now been completely removed and is no longer available for registration.  If your PC or UTM still has an IP for that, you can see where it is at http://www.ip2location.com/demo.

Most people prefer to Block a TLD when they get this warning.

Cheers - Bob

"DNS query" was the missing detail, Brian.  There are some top-level domains (TLDs) that are known to be used primarily for nefarious activities, so Advanced Threat Protection flags the DNS query and this block is reported in the Intrusion Prevention log.  I suspect that you could have disabled ATP instead of Snort and then been able to do the DNS query.

Google tld pw and you will see what the problem is.  The domain vector.pw has now been completely removed and is no longer available for registration.  If your PC or UTM still has an IP for that, you can see where it is at http://www.ip2location.com/demo.

Most people prefer to Block a TLD when they get this warning.

Cheers - Bob

Sorry,  I typed in the wrong URL.  It was 

http://vectors.pw

Brian

If you want to see what Web Filtering thinks of a URL, try TrustedSource - Check Single URL, specifying the "SmartFilter XL" product.  If you want to see when and where the domain was registered, try http://centralops.net/co/DomainDossier.aspx.

Cheers - Bob

It looks fine when I run.  Online Shopping.   Is there a way to  use an exception for this URL?

Thanks

Brian

Hi

using my XG as an internet access that site fires up correctly but diverts to Amazon.

Just tried to access that site using my UTM and that worked, some areas loaded very quickly and others extremely slow.

My UTM is setup to be the DNS, with http proxy in transparent mode.

You can, Brian:

Cheers - Bob

I added it to the exceptions and it still is not working.  

I think I mentioned earlier that this is Advanced Threat Protection that reports in the Intrusion Prevention log for this type of issue.  Other types are reported in different logs.  The only way around this issue that I can imagine is the Host definition I suggested above.

Cheers - Bob