Problem with IPS

Hi,

I have a problem with the IPS in the UTM 9:

The Sophos drops many requests coming from our LDAP server.

2017:06:15-11:55:17 asl snort[5522]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .tk dns query" group="241" srcip="@IP ldap server" dstip="192.203.230.10" proto="17" srcport="62147" dstport="53" sid="39867" class="Misc activity" priority="3" generator="1" msgid="0"
We already scanned the LDAP server with Sophos removal and it returned that the server is clean.

Help


  • Does the destination IP serve as a DNS server? If you look at the log you posted, the destination port is 53 (DNS). All this is saying is that something on your network made a DNS lookup for a .tk domain, which Sophos UTM blocks. Check out this Google search "https://www.google.com/#q=tk+domain+suspicious" for more information and history.

  • Thanks for your response,

    Yes, the IP server is an internal DNS.

    Why does the Sophos UTM block this request?

  • Salut and welcome to the UTM Community!

    In fact, 192.203.230.10 is one of the root name servers, so you might want to consider DNS best practice.

    As Ron said, your LDAP server received a DNS request from one of your other internal devices. Since very few honorable domains are in the .tk TLD, the UTM's Advanced Threat Protection blocks such requests and records that in the Intrusion Prevention log. You might want to check the DNS log in your server to see which of your devices might have a malware infection.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
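The two answers above together describe the triage: the IPS line shows a dropped UDP/53 packet from the internal resolver (the LDAP server) to an upstream name server, and the real origin is whichever internal client asked that resolver for the .tk name. The following Python is an added example for this thread, not Sophos code. It parses the UTM IPS line quoted in the thread (with the poster's redacted srcip replaced by the constructed address 10.0.0.5), confirms it is a dropped .tk DNS query, and then searches constructed resolver query-log lines (a BIND-like `client <ip>#<port>: query: <name> IN <type>` shape, also constructed, as is the domain badhost.tk) for the clients that requested names in that TLD.

```python
"""Triage a Sophos UTM IPS 'Suspicious .tk dns query' alert against the internal
resolver's query log to find which client actually asked for the .tk name.

Added example for this thread; not Sophos code. IPS_ALERT is the line quoted in
the thread with the redacted srcip replaced by the constructed address 10.0.0.5.
DNS_QUERY_LOG and its format are constructed sample data.
"""
import re
from typing import Dict, List, Optional

# UTM IPS log line; srcip is a constructed stand-in for the redacted LDAP/DNS server.
IPS_ALERT = (
    '2017:06:15-11:55:17 asl snort[5522]: id="2101" severity="warn" sys="SecureNet" sub="ips" '
    'name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .tk dns query" '
    'group="241" srcip="10.0.0.5" dstip="192.203.230.10" proto="17" srcport="62147" dstport="53" '
    'sid="39867" class="Misc activity" priority="3" generator="1" msgid="0"'
)

# Constructed resolver query-log lines: <time> client <ip>#<port>: query: <name> IN <type>
DNS_QUERY_LOG = [
    "2017:06:15-11:55:16 client 192.168.1.22#49152: query: www.example.com IN A",
    "2017:06:15-11:55:17 client 192.168.1.57#51234: query: update.badhost.tk IN A",
    "2017:06:15-11:55:17 client 192.168.1.57#51235: query: cdn.badhost.tk IN A",
    "2017:06:15-11:55:19 client 192.168.1.90#53011: query: mail.example.org IN MX",
    # a 'tk' label that is not the TLD must not be counted
    "2017:06:15-11:55:20 client 192.168.1.22#49153: query: tk.example.com IN A",
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')
QUERY_RE = re.compile(r"^(\S+) client (\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (\S+) IN (\S+)")


def parse_utm_ips(line: str) -> Dict[str, str]:
    """Split a UTM IPS syslog line into its key="value" fields plus the leading timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def is_dns_tld_drop(fields: Dict[str, str], tld: str = ".tk") -> bool:
    """True when the alert is a dropped UDP/53 packet whose Snort reason names the TLD."""
    return (
        fields.get("sub") == "ips"
        and fields.get("action") == "drop"
        and fields.get("proto") == "17"
        and fields.get("dstport") == "53"
        and tld.lower() in fields.get("reason", "").lower()
    )


def in_tld(name: str, tld: str) -> bool:
    """True when the queried name ends in the TLD; a trailing dot is tolerated."""
    return name.rstrip(".").lower().endswith(tld.lower())


def clients_querying_tld(log_lines: List[str], tld: str = ".tk") -> Dict[str, List[str]]:
    """Map each client IP that asked the resolver for a name in the TLD to the names it asked for."""
    hits: Dict[str, List[str]] = {}
    for line in log_lines:
        m = QUERY_RE.match(line)
        if not m:
            continue  # skip lines that are not query records
        _, client, name, _ = m.groups()
        if in_tld(name, tld):
            hits.setdefault(client, []).append(name)
    return hits


def triage(ips_line: str, dns_log: List[str], tld: str = ".tk") -> Optional[Dict[str, object]]:
    """Combine the IPS alert with the resolver log.

    Returns the resolver that sent the dropped query (the alert's srcip), the
    upstream it asked (dstip), the Snort sid, and the internal clients behind it;
    None when the alert is not a dropped DNS query for the TLD.
    """
    fields = parse_utm_ips(ips_line)
    if not is_dns_tld_drop(fields, tld):
        return None
    return {
        "resolver": fields["srcip"],
        "upstream": fields["dstip"],
        "sid": fields["sid"],
        "clients": clients_querying_tld(dns_log, tld),
    }


if __name__ == "__main__":
    result = triage(IPS_ALERT, DNS_QUERY_LOG)
    print(result)
```

The point of the correlation is the one Bob makes: the IPS only sees the resolver's outbound query, so `srcip` names the LDAP/DNS server, and the client that needs a closer look is found in the resolver's own query log, not in the UTM alert.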