topic Re: IPS Detection in Network Security

IPS Detection

keithcclark71 — Tue, 22 Jun 2021 17:48:15 GMT

I configured my IPS policy by filtering by maleware and selecting "Drop and Block" for all snort rules. I have this event coming up (See atttached) matching one of the rules. Its the internal DNS server it seems being flagged as the attacker and event suggests maleware on it. I have researched all over on this , ran maleware scans, AV is on the server and have come up empty. The research I did suggest this server is part of a botnet but I cant find anything wrong with it and the snort definition states no known false positives. Any ideas here on how I can go about seeing if this is legit or not or where I can find doc on how to remediate?

Re: IPS Detection

Sheraz.Salim — Wed, 23 Jun 2021 07:23:55 GMT

there are few think you can do.

1. you can go to the intrusion policy snort rule and either you can disable this rule your snort id 1:57756 (https://attack.mitre.org/techniques/T1568/001/)

https://snort.org/rule_docs/1-57756 or you can Generate the event but not droping the packet.

Re: IPS Detection

Marvin Rhoads — Wed, 23 Jun 2021 08:21:31 GMT

Have you defined your $HOME_NET and @$EXTERNAL_NET variables correctly (Variable set under objects)? The rule seems to indicate it should only flag hosts it believe are external.

Re: IPS Detection

keithcclark71 — Wed, 23 Jun 2021 12:49:30 GMT

I did define the variables as shown in the attached(EXTERNAL defined as exclusion of HOME-NE)

I am stumped and would hate to just turn off the rule if there actually is a legit threat here. I also have another snort rule as shown populating intrusion logs as well.