INDICATOR-COMPROMISE Suspicious .cc dns query

ccna_security
Level 3

Dear all, I have configured IPS on Firepower and I get this message very often:

[1:28190:4] "INDICATOR-COMPROMISE Suspicious .cc dns query" [Impact: Potentially Vulnerable] From "FIrewall" at Mon Feb 10 13:11:51 2020 UTC [Classification: A Network Trojan was Detected] [Priority: 1] {udp} x.x.x.x:65153 (unknown)->y.y.y.y:53 (unknown)

Could anyone tell me what kind of error it is? Do you think it is malicious or a false positive? How can I know the exact reason why this message appeared?
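Added here as a worked example (it is not part of the post and not a Cisco tool): the alert line above is a fixed single-line format, so it can be parsed into fields and the events counted per signature and per source host, which is the first thing to know before deciding whether a noisy rule is a false positive. The regex assumes the field order shown in the post holds for every exported event; the first sample line is the one from the post, the other three are constructed with RFC 5737 addresses so that more than one source host appears.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# One-line alert format as shown in the post; the field order is taken from
# that sample line and is assumed to hold for every event exported this way.
ALERT_RE = re.compile(
    r'^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "(?P<msg>[^"]+)" '
    r'\[Impact: (?P<impact>[^\]]+)\] From "(?P<sensor>[^"]+)" at (?P<ts>.+?) '
    r'\[Classification: (?P<classification>[^\]]+)\] '
    r'\[Priority: (?P<priority>\d+)\] \{(?P<proto>\w+)\} '
    r'(?P<src>\S+?):(?P<sport>\d+) \([^)]*\)->(?P<dst>\S+?):(?P<dport>\d+) \([^)]*\)$'
)

# First line is the one from the post; the other three are constructed with
# RFC 5737 documentation addresses to show a second and third source host.
SAMPLE_ALERTS = [
    '[1:28190:4] "INDICATOR-COMPROMISE Suspicious .cc dns query" [Impact: Potentially Vulnerable] '
    'From "FIrewall" at Mon Feb 10 13:11:51 2020 UTC [Classification: A Network Trojan was Detected] '
    '[Priority: 1] {udp} x.x.x.x:65153 (unknown)->y.y.y.y:53 (unknown)',
    '[1:28190:4] "INDICATOR-COMPROMISE Suspicious .cc dns query" [Impact: Potentially Vulnerable] '
    'From "FIrewall" at Mon Feb 10 13:12:05 2020 UTC [Classification: A Network Trojan was Detected] '
    '[Priority: 1] {udp} 192.0.2.10:51000 (unknown)->192.0.2.53:53 (unknown)',
    '[1:28190:4] "INDICATOR-COMPROMISE Suspicious .cc dns query" [Impact: Potentially Vulnerable] '
    'From "FIrewall" at Mon Feb 10 13:12:40 2020 UTC [Classification: A Network Trojan was Detected] '
    '[Priority: 1] {udp} 192.0.2.11:52222 (unknown)->192.0.2.53:53 (unknown)',
    '[1:28190:4] "INDICATOR-COMPROMISE Suspicious .cc dns query" [Impact: Potentially Vulnerable] '
    'From "FIrewall" at Mon Feb 10 13:15:02 2020 UTC [Classification: A Network Trojan was Detected] '
    '[Priority: 1] {udp} 192.0.2.10:51001 (unknown)->192.0.2.53:53 (unknown)',
]


def parse_alert(line):
    """Split one alert line into typed fields; raises ValueError on a line it does not recognise."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        raise ValueError("unrecognised alert line: %r" % line)
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        fields[key] = int(fields[key])
    ts = fields["ts"]
    if ts.endswith(" UTC"):
        ts = ts[:-4]
    fields["ts"] = datetime.strptime(ts, "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return fields


def summarise(lines):
    """Count hits per (sid, source host) and collect the set of source hosts per sid."""
    alerts = [parse_alert(line) for line in lines if line.strip()]
    per_sid_src = Counter((a["sid"], a["src"]) for a in alerts)
    hosts_per_sid = defaultdict(set)
    for a in alerts:
        hosts_per_sid[a["sid"]].add(a["src"])
    return per_sid_src, dict(hosts_per_sid)


def widespread_sids(hosts_per_sid, min_hosts=2):
    """Signatures firing from at least min_hosts distinct sources: worth a look before tuning them away."""
    return sorted(sid for sid, hosts in hosts_per_sid.items() if len(hosts) >= min_hosts)


if __name__ == "__main__":
    per_sid_src, hosts_per_sid = summarise(SAMPLE_ALERTS)
    for (sid, src), n in sorted(per_sid_src.items()):
        print("sid %d from %-12s %d hit(s)" % (sid, src, n))
    print("sids seen from 2+ hosts:", widespread_sids(hosts_per_sid))
```

Run it against a file of exported alerts (one per line) instead of SAMPLE_ALERTS; a signature that fires from many hosts against the same internal DNS server, as in this thread, is more likely a broad rule than a single infected machine, and the per-host counts show which machines to look at first.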

14 Replies

Muhammad Awais Khan
Cisco Employee

Hi,

Priority 1 means something requires your immediate attention. It seems this is for a DNS query sent by x.x.x.x (which seems to be your internal IP, please confirm) to the external IP y.y.y.y.

Is y.y.y.y a public IP address? You can investigate this public IP further at https://www.virustotal.com/gui/home/url or Cisco Umbrella if you have it.

 

Hello Muhammad

You are right. x.x.x.x is my internal IP. y.y.y.y is my internal DNS IP. I get tons of notifications. I configured the IPS as detection in case some legitimate websites would be blocked. I get notifications with Priority 1 and Priority 3.

So what is your recommendation for what I should do next? When I looked at the packet (downloaded from the firewall) using Wireshark, I observed that the DNS query is for, for example, rcmjs.um.rambler.ru. There are also DNS queries for .cc domains.

I would recommend checking the host profile of your IP x.x.x.x and seeing whether any vulnerability is reported for this host in your FMC.

Further, review the other websites/domains in VirusTotal or Umbrella (if you have it). I checked in these two and found the domain and website look clean and less risky. Find the attached snapshot.

I would suggest keeping your IPS in monitoring mode for some time, and enabling discovery if it is not enabled yet so the IPS can create host profiles and may list vulnerabilities. Before turning the IPS on, fine-tune the policy and fix this false positive.

 

 

When you say enable discovery, do you mean Network Discovery? If so, I have already enabled it. So I looked at the x.x.x.x vulnerable host profile but only saw Windows vulnerabilities (approximately 300 vulnerabilities). Did I check the correct path?

Yes, you are right about the host profile and network discovery.

It seems a false positive to me with the information you shared. However, monitoring this host for some more days will be better.

I configured the IPS as balanced and security. So I decided to activate more rules manually, such as INDICATOR-COMPROMISE Suspicious, and made them Generate Event for now. Now the question is: do you recommend changing the manually added rules from Generate Event to Drop?

Furthermore, this does not happen on a single host; these events come from several hosts. So how can I find the root cause of this issue? I really appreciate your help. Thanks.

Difficult call. If you see the domain, it looks clean as per Cisco intelligence, but connections from multiple hosts to the same destination make it suspicious.

Since it is an Impact 1 event, I would say block it and start investigating it. Maybe visit those hosts' PCs and try to identify whether they are using some application which is making a backend connection to the mentioned domain.

Actually, the hosts do not try to resolve DNS for a single destination. Several hosts want to connect to different destinations. I listed them below, all taken from Wireshark. The interesting part is that psychologies.ru is a legitimate website that one of our users visits. If I block this IPS rule, this website will also be blocked, right?

 

tripmydream.cc
rcmjs.um.rambler.ru
www.psychologies.ru
pl.skwstat.ru
zbsng.plenkatv.ru
a.lmcdn.ru
banner.hpmdnetwork.ru
www.nsktv.ru
clcktm.ru
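Added here as a worked example (not part of the post, and not Cisco's rule content): given the names listed above, the script below sorts out which queries the rule would match, assuming from its message that signature 1:28190 keys on the .cc top-level domain of the queried name, which names would not match it (so their events need another explanation), and which registered domains are resolved by more than one host, the pattern flagged as suspicious earlier in the thread. The post does not say which host sent which query, so the source hosts are constructed RFC 5737 addresses.

```python
from collections import defaultdict

# Names from the post's Wireshark list. The post does not say which host queried
# which name, so the source hosts here are constructed (RFC 5737 addresses).
SAMPLE_QUERIES = [
    ("192.0.2.10", "tripmydream.cc"),
    ("192.0.2.10", "rcmjs.um.rambler.ru"),
    ("192.0.2.11", "www.psychologies.ru"),
    ("192.0.2.11", "pl.skwstat.ru"),
    ("192.0.2.11", "zbsng.plenkatv.ru"),
    ("192.0.2.12", "a.lmcdn.ru"),
    ("192.0.2.12", "banner.hpmdnetwork.ru"),
    ("192.0.2.12", "www.nsktv.ru"),
    ("192.0.2.10", "clcktm.ru"),
    ("192.0.2.12", "rcmjs.um.rambler.ru"),
]


def labels(qname):
    """DNS labels of a query name, lower-cased and without a trailing dot."""
    return qname.rstrip(".").lower().split(".")


def matches_cc_rule(qname):
    """Assumption: the signature keys on the .cc top-level domain of the queried name, as its message suggests."""
    return labels(qname)[-1] == "cc"


def registered_domain(qname):
    """Last two labels; fine for .ru and .cc, too coarse for registries with second-level suffixes such as co.uk."""
    return ".".join(labels(qname)[-2:])


def triage(queries):
    """Split queries into those the .cc rule would match and those it would not, and find domains resolved by several hosts."""
    cc_hits, other = [], []
    hosts_by_domain = defaultdict(set)
    for host, qname in queries:
        (cc_hits if matches_cc_rule(qname) else other).append((host, qname))
        hosts_by_domain[registered_domain(qname)].add(host)
    multi_host = sorted(d for d, hosts in hosts_by_domain.items() if len(hosts) >= 2)
    return {"cc_hits": cc_hits, "other": other, "multi_host_domains": multi_host}


if __name__ == "__main__":
    result = triage(SAMPLE_QUERIES)
    print("would match the .cc rule:", result["cc_hits"])
    print("would not match:", sorted({q for _, q in result["other"]}))
    print("domains seen from 2+ hosts:", result["multi_host_domains"])
```

Feed it the query names and source addresses from the downloaded packet captures; if most of the flagged names do not end in .cc, the events for them are coming from something other than this one signature and should be checked against the other rules in the policy before any rule is switched to Drop.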

Yes, actually the DNS query will most likely be blocked and the website will not open if you enable this rule with Drop and Generate Event.

Is the DNS server behind the firewall, or maybe outside the organization? If yes, then with the drop rule the website will be blocked.

Thank you Muhammad. Let me write once more that the DNS server is internal. The requests go to the internal DNS server.

1. Suppose I set that IPS rule to Drop and a user complained that she wants to visit the psychologies.ru website but she is unable. How can I exempt only the psychologies.ru website from being blocked?

2. Right now we get lots of email notifications about these IPS rules. If I set the IPS rules to Drop, I will also get email notifications, right? And this is frustrating )

Hi,

I tried to open these websites but never got any suspicious DNS C2 warning. I would suggest not blocking it, as it can block DNS resolution for these websites when your DNS server sends the query externally for resolution.

You will also get notifications even if you make it Drop. I would suggest keeping this for notification only for now and adding a policy to drop malicious websites.

This signature is supposed to trigger for DNS queries to suspicious command and control websites, but the websites look legitimate even in Cisco intelligence, so I am not really sure why this event is getting generated in the first place.

 

 

I opened a case regarding this issue. I will ask whether I must turn off these rules or not. I have configured Security Intelligence for bad DNS requests, but I don't understand why we need to check bad DNS requests with the IPS. Anyway, I will ask all questions to the Cisco Support team. Thank you so much Muhammad.

That's great. Also, it will be helpful for everyone if you post the response from TAC here.

Hello

I opened a TAC case regarding this issue, and they told me that if I get lots of intrusion events, at first I must be sure whether it is a false positive or not. If it is a false positive, I can turn off the single IPS rule which causes lots of notifications.
