This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

problem with IPs

hy ;

i have problem in the IPS in the UTM 9 so;

the SOPHOS DROP many REQUEST COMING FORM OUR LDAP SERVER

2017:06:15-11:55:17 asl snort[5522]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .tk dns query" group="241" srcip="@IP ldap server" dstip="192.203.230.10" proto="17" srcport="62147" dstport="53" sid="39867" class="Misc activity" priority="3" generator="1" msgid="0"

we already scaned the LDAP with sophos removal and it return the the server is clean

help

This thread was automatically locked due to age.

0 rrosson over 8 years ago

Does the destination IP serve as a DNS server? If you look at the log you posted the destination port is 53 (DNS). All this is saying is that something on your network made a DNS lookup for .tk domain which Sophos UTM blocks. Check out this google search "https://www.google.com/#q=tk+domain+suspicious" for more information and history.
Cancel
Vote Up 0 Vote Down

Cancel
0 minis over 8 years ago in reply to rrosson

thanks for your responce ,

Yes the ip server is an internel DNS

Why the sophos UTM block this request ?
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 8 years ago in reply to minis

Salut and welcome to the UTM Community!

In fact, 192.203.230.10 is one of the root name servers, so you might want to consider DNS best practice.

As Ron said, your LDAP server received a DNS request from one of your other internal devices. Since very few honorable domains are in the .tk TLD, the UTMs Advanced Threat Protection blocks such requests and records that in the Intrusion Prevention log. You might want to check the DNS log in your server to see which of your devices might have a malware infection.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel