02-10-2020 09:02 PM
Dear all. I have configured IPS on Firepower and I get such a message very often:
[1:28190:4] "INDICATOR-COMPROMISE Suspicious .cc dns query" [Impact: Potentially Vulnerable] From "FIrewall" at Mon Feb 10 13:11:51 2020 UTC [Classification: A Network Trojan was Detected] [Priority: 1] {udp} x.x.x.x:65153 (unknown)->y.y.y.y:53 (unknown)
Could anyone tell me what kind of error it is? Do you think it is malicious or a false positive? How can I know the exact reason why the message appeared?
02-10-2020 10:21 PM - edited 02-10-2020 10:23 PM
Hi,
Priority 1 means something requires your immediate attention. It seems this is for a DNS query sent by x.x.x.x (which seems to be your internal IP, please confirm) to external IP y.y.y.y.
Is y.y.y.y a public IP address? You can investigate this public IP further at https://www.virustotal.com/gui/home/url or Cisco Umbrella if you have it.
02-10-2020 11:28 PM
Hello Muhammed,
You are right. x.x.x.x is my internal IP. y.y.y.y is my internal DNS IP. I get tons of notifications. I configured IPS as detection in case some legitimate web sites would be blocked. I get notifications with Priority 1 and Priority 3.
So what is your recommendation for what I should do next? When I looked at the packet (downloaded from the firewall) using Wireshark, I observed that the DNS query is for, for example, rcmjs.um.rambler.ru. There are also DNS queries for .cc domains.
02-11-2020 12:47 AM
I would recommend checking the host profile of your IP x.x.x.x and seeing any vulnerability reported for this host in your FMC.
Further, review the other websites/domains in VirusTotal or Umbrella (if you have it). I checked in these two and found the domain and website look clean and less risky. Find the attached snapshot.
I would suggest keeping your IPS in monitoring mode for some time, and enabling discovery if not enabled yet so IPS can create host profiles and may list vulnerabilities. Before turning IPS on, fine-tune the policy and fix this false positive.
02-11-2020 01:10 AM
When you say enable discovery, do you mean Network Discovery? If so, I have already enabled it. So I looked at the x.x.x.x vulnerable host profile but only saw Windows vulnerabilities, approximately 300. Did I check the correct path?
02-11-2020 03:11 AM
Yes, you are right about the host profile and network discovery.
It seems a false positive to me with the information you shared. However, monitoring this host for some more days will be better.
02-11-2020 03:20 AM
I configured IPS as balanced and security, so I decided to activate more rules manually such as INDICATOR-COMPROMISE Suspicious and set them to Generate Event for now. Now the question is, do you recommend changing the manually added rules from Generate Event to Drop?
Furthermore, this does not happen on a single host; these events come from several hosts. So how can I find the root cause of this issue? I really appreciate your help. Thanks.
02-11-2020 04:15 AM
Difficult call. If you see the domain, it looks clean as per Cisco intelligence, but connections from multiple hosts to the same destination make it suspicious.
Since it is an impact 1 event, I would say block it and start investigating it. Maybe visit those hosts' PCs and try to identify whether they are using some application which is making a backend connection to the mentioned domain.
02-11-2020 05:12 AM
Actually, the hosts do not try to resolve DNS for a single destination; several hosts want to connect to different destinations. I listed them below, all taken from Wireshark. The interesting part is that psychologies.ru is a legitimate web site that one of our users visits. If I block this IPS rule, this web site will also be blocked, right?
tripmydream.cc
rcmjs.um.rambler.ru
pl.skwstat.ru
zbsng.plenkatv.ru
a.lmcdn.ru
banner.hpmdnetwork.ru
clcktm.ru
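A triage script for the situation in this post, added here as an example and not part of the thread: it parses notification lines in the format quoted at the top of the thread, groups the query names read from the capture by registered domain and source host, and separates a known business domain (the exception the poster asks about) from the pattern discussed above, the same domain queried from several internal hosts. The alert lines, the 10.0.0.x addresses and the allowlist in the sample are constructed.

```python
import re
from collections import defaultdict

# Field layout of the FMC e-mail notification quoted at the top of the thread.
ALERT_RE = re.compile(
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "(?P<msg>[^"]+)".*?'
    r'\[Priority: (?P<priority>\d+)\] \{(?P<proto>\w+)\} '
    r'(?P<src>[\d.]+):(?P<sport>\d+) \(\S+\)->(?P<dst>[\d.]+):(?P<dport>\d+)'
)

def parse_alert(line):
    """Return the alert fields as a dict (numeric fields as int), or None for non-alert lines."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()}

def registered_domain(qname):
    """Collapse a query name to its last two labels: rcmjs.um.rambler.ru -> rambler.ru."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def triage(alerts, allowlist):
    """alerts: list of (alert_line, query_name_from_pcap); returns per-domain hosts and a status."""
    by_domain = defaultdict(lambda: {"hosts": set(), "sid": None})
    for line, qname in alerts:
        alert = parse_alert(line)
        if alert is None:
            continue  # skip mail headers or other non-alert lines
        entry = by_domain[registered_domain(qname)]
        entry["hosts"].add(alert["src"])
        entry["sid"] = alert["sid"]
    report = {}
    for domain, entry in by_domain.items():
        if domain in allowlist:
            status = "allowlisted"  # known business site: candidate for a rule exception
        else:  # same domain from several internal hosts is the pattern the thread flags
            status = "multi-host" if len(entry["hosts"]) > 1 else "single-host"
        report[domain] = {"hosts": sorted(entry["hosts"]), "sid": entry["sid"], "status": status}
    return report

def sample_alert(src, dst="10.0.0.5"):
    """Constructed notification in the thread's format; addresses are placeholders."""
    return (f'[1:28190:4] "INDICATOR-COMPROMISE Suspicious .cc dns query" [Impact: Potentially '
            f'Vulnerable] From "FIrewall" at Mon Feb 10 13:11:51 2020 UTC [Classification: A Network '
            f'Trojan was Detected] [Priority: 1] {{udp}} {src}:65153 (unknown)->{dst}:53 (unknown)')

# Constructed sample: alert lines paired with the query names read from the packet capture.
SAMPLE = [(sample_alert("10.0.0.11"), "tripmydream.cc"), (sample_alert("10.0.0.12"), "tripmydream.cc"),
          (sample_alert("10.0.0.11"), "rcmjs.um.rambler.ru"), (sample_alert("10.0.0.13"), "www.psychologies.ru")]
ALLOWLIST = {"psychologies.ru"}  # business-justified site named in the thread
```

Feeding the real notification mails and the query names from the Wireshark export into `triage()` gives a per-domain view that shows which hosts to look at first and which domains only need an exception rather than a block.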
02-11-2020 06:07 PM
Yes, actually the DNS query will most likely be blocked and the website will not open if you enable this rule with Drop and Generate Event.
The DNS server is behind the firewall or maybe outside the organization, right? If yes, then with the drop rule, the website will be blocked.
02-11-2020 09:17 PM
Thank you Muhammed. Let me write once more that the DNS server is internal. The requests go to the internal DNS server.
1. Suppose I set those IPS rules to Drop and a user complained that she wants to visit the pysicologies.ru web site but is unable to. How can I except only the pysicologies.ru web site so it is not blocked?
2. Right now we get lots of email notifications about these IPS rules. If I set the IPS rules to Drop, I will also get email notifications, right? And this is frustrating )
02-12-2020 12:26 AM
Hi,
I tried to open these websites but never got any suspicious DNS C2 warning. I would suggest not blocking it, as it can block DNS resolution for these websites when your DNS server sends the query externally for resolution.
You will also get notifications even if you make it drop. I would suggest keeping this for notification only for now and adding a policy to drop malicious websites.
This signature is supposed to trigger for DNS queries to suspicious command and control websites, but the web sites look legitimate even in Cisco intelligence, so I am not really sure why this event is getting generated in the first place.
02-12-2020 01:42 AM
I opened a case regarding this issue. I will ask whether I must turn off these rules or not. I have configured Security Intelligence for bad DNS requests but I don't understand why we need to check bad DNS requests with IPS. Anyway, I will ask all questions to the Cisco Support team. Thank you so much Muhammed.
02-12-2020 02:16 AM
That's great. Also, it will be helpful for everyone if you post the response from TAC here.
02-17-2020 02:19 AM
Hello,
I opened a TAC case regarding this issue, and they told me that if I get lots of intrusion events, at first I must be sure whether it is a false positive or not. If it is a false positive, I can turn off the single IPS rule which causes lots of notifications.