cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

672
Views
10
Helpful
14
Replies
Highlighted
Participant

INDICATOR-COMPROMISE Suspicious .cc dns query

 

Dear all. I have configured IPS on firepower and I get such a message very often

[1:28190:4] "INDICATOR-COMPROMISE Suspicious .cc dns query" [Impact: Potentially Vulnerable] From "FIrewall" at Mon Feb 10 13:11:51 2020 UTC [Classification: A Network Trojan was Detected] [Priority: 1] {udp} x.x.x.x:65153 (unknown)->y.y.y.y:53 (unknown)

could anyone tell me what kind of error it is? do you think it is malicious or false positive? how can I know exact reason why message be appeared?

14 REPLIES 14
Highlighted

Re: INDICATOR-COMPROMISE Suspicious .cc dns query

Hi,

 

Priority 1 means some thing required your immediate attention. It seems this is for DNS query send by x.x.x.x ( which seems to be your Internal IP, Please confirm ) to external IP y.y.y.y

 

y.y.y.y is public IP Address ? you can investigate further this Public IP at https://www.virustotal.com/gui/home/url or Cisco Umbrella if you have. 

 

Highlighted
Participant

Re: INDICATOR-COMPROMISE Suspicious .cc dns query

Hello Muhammed

you are right. x.x.x.x is my internal ip. y.y.y.y is my internal dns ip. Tons of notification I get. I configured ips as detection in case some legitimate web sites would be blocked. I get notification wit Priority 1 and Priority 3

so what is your recommendation what I should do next? when I looked at packet (downloaded from firewall) using wireshark observed that dns query is for (for example rcmjs.um.rambler.ru). there are also dns query for .cc domains

Highlighted

Re: INDICATOR-COMPROMISE Suspicious .cc dns query

I would recomend to check the host profile of your IP x.x.x.x and see any vulnerability reported for this host in your FMC.

 

Further review the other websites/domain on  in virus total or Umbrella ( if u have ). I checked in these two and found the domain and website looks clean and less risky. Find attached snapshot.

 

I would suggest to keep your IPS in monitoring mode for some time, and enable the discovery if not enabled yet so IPS can create host profiles and may list vulnerabilities. Before turning IPS on, fine tune the policy and fix this false positive.

 

 

Highlighted
Participant

Re: INDICATOR-COMPROMISE Suspicious .cc dns query

When you say enable discovery you mean Network Discovery? if so I have already enabled it. so I looked at x.x.x.x vulnerable host profile but only saw windows vulnerabilities approximately (vulnerability 300). did I check correct path?

Highlighted

Re: INDICATOR-COMPROMISE Suspicious .cc dns query

Yes you are right about host profile and network discovery.

 

It seems false positive to me with the information you shared.  However, monitoring this host for some more days will be better.

Highlighted
Participant

Re: INDICATOR-COMPROMISE Suspicious .cc dns query

I configured IPS as balanced and security. so I decided to activate more rules manually such as IINDICATOR-COMPROMISE Suspicious and made them as Generate Event for now. NOw the question is that do you recommend to change the manually added rules from Generate Event to Drop?

Furthermore this is not happen in single host, this events comes from several hosts. so how can I find the root cause of this issue? I really appreciate your help.thanks

Highlighted

Re: INDICATOR-COMPROMISE Suspicious .cc dns query

Difficult call, if you see the domain, it looks clean as per Cisco intelligence but connection from multiple hosts to same destination make it suspicious.

 

Since it is impact 1 event, i would say block it and start investigating it. Maybe visit those hosts Pcs and try to identify whether they are using some application which is making backend connection to the mentioned domain. 

Highlighted
Participant

Re: INDICATOR-COMPROMISE Suspicious .cc dns query

Actually hosts not  try resolve dns for single destination. several hosts want to connect to different destination. I listed them below. all taken from wireshark. The interesting part is that psychologies.ru is legitimate web sites that one of our user visits. if I block this IPS rule this web site will also be blocked right?

 

tripmydream.cc

rcmjs.um.rambler.ru

www.psychologies.ru

pl.skwstat.ru

zbsng.plenkatv.ru

a.lmcdn.ru

banner.hpmdnetwork.ru

www.nsktv.ru

clcktm.ru

Highlighted

Re: INDICATOR-COMPROMISE Suspicious .cc dns query

Yes, actually DNS query will block most liekly and website will not open if you enable this rule with Drop and generate event.

 

The DNS server is behind the Firewall or maybe outside organization right ? if yes then with drop rule, the website will be blocked.

Highlighted
Participant

Re: INDICATOR-COMPROMISE Suspicious .cc dns query

Thank you Muhammed. let me write once more that DNS server is internal. the requests go to internal dns server.

1.Suppose I checked that IPS rules as Drop and user complained that she wants to visit pysicologies.ru web site but she is unable. How can I except only pysicologies.ru web site not to be blocked.?

2. Right now we get lots of email notification about these IPS rules. if I make IPS rules as drop I will also get email notification right? and this is frustrating )

Highlighted

Re: INDICATOR-COMPROMISE Suspicious .cc dns query

Hi,

 

I tried to open these websites but never get any suspicous DNS c2 warning. I would suggest to not block it as it can block DNS resolution for these websites when you DNS server sends query externally for the resolution.

 

you will get notification also even if you make it drop. I would suggest keep this for notification only for now and ad dpolicy to drop malicous website. 

 

This signature suppose to trigger for dns query to suspicous Command and control websites but web sites look legtimate even in cisco intelligence so not really sure why this even is getting generated at first place

 

 

Highlighted
Participant

Re: INDICATOR-COMPROMISE Suspicious .cc dns query

I opend case regarding this issue. I will ask whether I must turn off these rules or not. I have configured Security intelligence for bad dns request but I don't understand why do we need to check bad dns request with IPS. anyway I will ask all questions to Cisco SUpport team. thank you so much Muhammed.

Highlighted

Re: INDICATOR-COMPROMISE Suspicious .cc dns query

That's great, also itnwill be helpful for every one if you put the response from TAC on it.

Highlighted
Participant

Re: INDICATOR-COMPROMISE Suspicious .cc dns query

Hello

I opened TAC regarding this issue. and they said me if I get lots of intrusion event at first I must to be sure whether it is false positive or not. if it is false positive I can turn single ips rule off which cause lots of notification