cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

621
Views
0
Helpful
1
Replies
Highlighted
Participant

Cisco Firepower - BLACKLIST DNS reverse lookup

Hi,

I have a Cisco Firepower module installed in my Cisco 5585 firewall.  I have started getting these messages over the last week but dont know where they originate from

Subject: **Auto Generated Email** -- [1:31600:1] "BLACKLIST DNS reverse lookup response for known malware domain spheral.ru - Win.Trojan.Glupteba" [Impact: Vulnerable]

 

[1:31600:1] "BLACKLIST DNS reverse lookup response for known malware domain spheral.ru - Win.Trojan.Glupteba" [Impact: Vulnerable] From "firepowerw.MYNETWORK.net" at Wed Aug 16 14:32:13 2017 UTC [Classification: A Network Trojan was Detected] [Priority: 1] {udp} 1.2.3.4:53 (united kingdom)->192.1.2.3:21941 (unknown)

This is a dns address external to my network from my internet provider - 1.2.3.4:53 

This is on my dmz - 192.1.2.3:21941 (unknown) - its an ISA server 

any ideas where to start

thanks, Kevin

1 REPLY 1
Highlighted

I have same problem.
someone inside your network query your dns for this domain.
your dns do not know about this domain and queries outside dns.
Firepower catch dns query from your dns server to outside dns servers.
So i think you should enable logging on your dns server and search there who from your internal network make this query.
Content for Community-Ad