Firesight classifying .pw DNS requests as trojan detected

evan.chadwick1
Level 1

Anyone have some experience with IPS ID 28039, which flags any DNS request to domains ending in .pw as a trojan detected?

A Google search will tell you about the .pw domain.

I'm thinking to threshold it, so if, say, 5 requests within a minute are made to a .pw then I want to know about it.

Thoughts?
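The per-source threshold described in the post above (alert only when 5 .pw lookups from one host land within a minute), written up as an added example; this is not code from the thread or from Cisco, and the log format and sample lines are constructed.

```python
"""Added example: rate-based thresholding of Snort SID 1:28039
('INDICATOR-COMPROMISE Suspicious .pw DNS Query'), so a single .pw
lookup is not alerted on but 5 from one source within 60 s are.

The equivalent Snort 2 rule-level event filter would be:
  event_filter gen_id 1, sig_id 28039, type threshold, track by_src, count 5, seconds 60
"""
from collections import defaultdict, deque

THRESHOLD = 5   # .pw queries from one source before alerting
WINDOW = 60     # sliding window in seconds

# Constructed sample DNS query log, one record per line: "epoch_seconds src_ip qname"
SAMPLE_LOG = """\
1000 10.0.0.5 www.wc.pw
1010 10.0.0.5 cdn.example.com
1020 10.0.0.7 a1.example.pw
1025 10.0.0.7 a2.example.pw
1030 10.0.0.7 a3.example.pw
1035 10.0.0.7 a4.example.pw
1040 10.0.0.7 a5.example.pw
1100 10.0.0.5 img.wc.pw
"""


def is_pw_query(qname):
    """True only when the TLD is .pw ('pwned.example.com' does not count)."""
    return qname.rstrip(".").lower().rsplit(".", 1)[-1] == "pw"


def threshold_pw_queries(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return [(timestamp, src_ip), ...] for each point the threshold is crossed.

    Mirrors 'type threshold, track by_src': events are counted per source,
    old events fall out of the window, and the count resets after an alert.
    """
    windows = defaultdict(deque)
    alerts = []
    for line in log_text.splitlines():
        ts, src, qname = line.split()
        ts = int(ts)
        if not is_pw_query(qname):
            continue
        recent = windows[src]
        recent.append(ts)
        while recent and ts - recent[0] >= window:   # expire events outside the window
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((ts, src))
            recent.clear()                             # reset, as Snort's threshold does
    return alerts
```

On the sample log only 10.0.0.7 trips the threshold; 10.0.0.5's two wc.pw lookups are 100 seconds apart and never accumulate.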

Pujita Patni
Cisco Employee

Hi Evan,

Any .pw DNS query triggers the 'INDICATOR-COMPROMISE Suspicious .pw DNS Query' rule.

That's SID 1:28039.

You can disable the Rule in your Intrusion Policy if you want.

Thanks,

Pujita

That's kind of helpful, but if I know about thresholds I know about disabling too.

I'm hoping to kick off a discussion about how best to fine-tune without disabling a lot. Perhaps some experience from the real world. I.e., balanced security and TeamViewer is pretty aggressive, and if you use TeamViewer in your organisation you need to consider tweaking.

I also don't want to be responsible for disabling Cisco defaults for more than I have to.

I am using balanced security with connectivity. I think Cisco have it wrong to classify what I believe are websites directing a user's browser to look up a URL that contains a .pw domain as a network trojan.

Jetsy Mathew
Cisco Employee

Hello Evan,

We need to check the pcap to know if it's a false alert or not.

Based on that we can perform the fine tuning without disabling the rule.

I have dealt with a similar case. This type of event only specifies that a suspicious DNS request was sent from the x.x.x.x address to the y.y.y.y address. The suspicious DNS request could be an indicator of compromise of the x.x.x.x system, since .pw is a known suspicious/malicious TLD.

Either provide the pcap or you need to open a TAC request to confirm if it's a false positive or not.

Rate if this post helps you.

Regards

Jetsy

@Jetsy Mathew wrote:

Hello Evan,

We need to check the pcap to know if it's a false alert or not.

Based on that we can perform the fine tuning without disabling the rule.

I have dealt with a similar case. This type of event only specifies that a suspicious DNS request was sent from the x.x.x.x address to the y.y.y.y address. The suspicious DNS request could be an indicator of compromise of the x.x.x.x system, since .pw is a known suspicious/malicious TLD.

Either provide the pcap or you need to open a TAC request to confirm if it's a false positive or not.

Rate if this post helps you.

Regards

Jetsy

This post is old but I hope someone will be able to reply. I am in the same situation. I got the pcap file. I am wondering if someone can take a look at the capture.

evan.chadwick1
Level 1

A real-world example of how Cisco Firepower seems to contradict itself. I'm using balanced security with email alerting for vulnerable and potentially vulnerable.

When browsing www.wc.pw:

A network trojan alert is emailed, triggering a potentially vulnerable alert.

The domain is wc.pw (a wrestling site).

BrightCloud classifies it as 'society' with a reputation level of 80 and low risk.

Firepower displays the site as 'business relevance' Very High.

Hello Evan,

Do you think BrightCloud classifies it wrongly?

If so, you can request re-categorization at the following URL. They will consider your request and re-categorize it to a proper one.

https://brightcloud.com/tools/url-ip-lookup.php

Regards

Jetsy 