problem with IPs

Hi,

I have a problem with the IPS in the UTM 9:

Sophos drops many requests coming from our LDAP server.

 

2017:06:15-11:55:17 asl snort[5522]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .tk dns query" group="241" srcip="@IP ldap server" dstip="192.203.230.10" proto="17" srcport="62147" dstport="53" sid="39867" class="Misc activity" priority="3" generator="1" msgid="0"
We already scanned the LDAP server with Sophos removal and it returned that the server is clean.

Help


  • Salut and welcome to the UTM Community!

    In fact, 192.203.230.10 is one of the root name servers, so you might want to consider DNS best practice.

    As Ron said, your LDAP server received a DNS request from one of your other internal devices.  Since very few honorable domains are in the .tk TLD, the UTM's Advanced Threat Protection blocks such requests and records that in the Intrusion Prevention log.  You might want to check the DNS log in your server to see which of your devices might have a malware infection.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
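As an added example (not code from the thread or from Sophos), here is a small Python parser for the UTM 9 IPS log format quoted above that counts dropped ".tk dns query" alerts per source IP, so you can see which forwarder the alerts are attributed to before going to that server's own DNS log for the real client. The sample lines, the 10.0.0.5 and 10.0.0.7 addresses and the second sid are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample lines in the UTM 9 IPS log format seen in the thread.
# The first mirrors the original post (with a placeholder srcip); the rest are made up.
SAMPLE_LOG = """\
2017:06:15-11:55:17 asl snort[5522]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .tk dns query" group="241" srcip="10.0.0.5" dstip="192.203.230.10" proto="17" srcport="62147" dstport="53" sid="39867" class="Misc activity" priority="3" generator="1" msgid="0"
2017:06:15-11:56:02 asl snort[5522]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .tk dns query" group="241" srcip="10.0.0.5" dstip="192.203.230.10" proto="17" srcport="50001" dstport="53" sid="39867" class="Misc activity" priority="3" generator="1" msgid="0"
2017:06:15-11:57:40 asl snort[5522]: id="2101" severity="info" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="EXAMPLE-RULE unrelated alert" group="3" srcip="10.0.0.7" dstip="192.203.230.10" proto="17" srcport="40000" dstport="53" sid="999999" class="Misc activity" priority="3" generator="1" msgid="0"
"""

# Syslog-style prefix: timestamp, host, process[pid]:
HEADER_RE = re.compile(r'^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+):\s*')
# The remainder is a flat list of key="value" pairs.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_ips_line(line):
    """Return a dict of the key="value" fields plus timestamp/host, or None."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line[m.end():]))
    fields["timestamp"] = m.group(1)
    fields["host"] = m.group(2)
    return fields


def summarize_tk_drops(log_text):
    """Count dropped '.tk dns query' alerts per srcip.

    The srcip is whichever host forwarded the query (here the LDAP/AD server),
    not the client that originally asked; the client has to be found in that
    server's DNS query log, as the reply above advises.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_ips_line(line)
        if rec and rec.get("action") == "drop" and ".tk dns query" in rec.get("reason", ""):
            counts[rec["srcip"]] += 1
    return counts


if __name__ == "__main__":
    for src, n in summarize_tk_drops(SAMPLE_LOG).most_common():
        print(f"{src}: {n} dropped .tk DNS queries (check this host's DNS log for the client)")
```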