IPS Detection

keithcclark71
Level 3

I configured my IPS policy by filtering by malware and selecting "Drop and Block" for all Snort rules. I have this event coming up (see attached) matching one of the rules. It's the internal DNS server, it seems, being flagged as the attacker, and the event suggests malware on it. I have researched all over on this, ran malware scans, AV is on the server, and have come up empty. The research I did suggests this server is part of a botnet, but I can't find anything wrong with it, and the Snort definition states no known false positives. Any ideas here on how I can go about seeing if this is legit or not, or where I can find documentation on how to remediate?

3 Replies

There are a few things you can do.

1. You can go to the intrusion policy Snort rule and either disable this rule, your Snort ID 1:57756 (https://attack.mitre.org/techniques/T1568/001/, https://snort.org/rule_docs/1-57756), or generate the event but not drop the packet.

Please do not forget to rate.

Marvin Rhoads
Hall of Fame

Have you defined your $HOME_NET and $EXTERNAL_NET variables correctly (variable set under Objects)? The rule seems to indicate it should only flag hosts it believes are external.
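To make the variable check above concrete, here is an added example (not code from the thread or from Cisco/Snort) that evaluates the address fields of a Snort rule header against $HOME_NET and $EXTERNAL_NET, with $EXTERNAL_NET defined as everything outside $HOME_NET. The ranges, host addresses and the rule header are constructed stand-ins, not the text of SID 1:57756; the point is that an internal host whose subnet is missing from $HOME_NET is treated as external and will match a rule written against $EXTERNAL_NET.

```python
import ipaddress

# Constructed values for this example (not from the thread): two RFC 1918
# ranges declared as $HOME_NET, and an internal DNS server whose subnet
# was left out of that declaration.
HOME_NET = ["10.0.0.0/16", "192.168.1.0/24"]
DNS_SERVER = "172.16.0.10"
CLIENT = "10.0.5.20"

def classify(ip, home_net):
    """Return 'HOME_NET' or 'EXTERNAL_NET' for one address, with
    $EXTERNAL_NET defined as everything not in $HOME_NET."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(n) for n in home_net):
        return "HOME_NET"
    return "EXTERNAL_NET"

def var_matches(var, ip, home_net):
    """Match one header address field: 'any', '$HOME_NET',
    '$EXTERNAL_NET', or a '!'-negated variable."""
    if var == "any":
        return True
    negate = var.startswith("!")
    name = var.lstrip("!$")
    hit = classify(ip, home_net) == name
    return not hit if negate else hit

def rule_header_matches(header, src_ip, dst_ip, home_net):
    """Evaluate the address part of a unidirectional Snort rule header
    ('action proto SRC SPORT -> DST DPORT') against a flow. Ports are
    ignored; the header passed in is a constructed stand-in."""
    _action, _proto, src, _sport, direction, dst, _dport = header.split()[:7]
    if direction != "->":
        raise ValueError("only unidirectional '->' headers are handled")
    return (var_matches(src, src_ip, home_net)
            and var_matches(dst, dst_ip, home_net))

def check_variables():
    """Shows why a host missing from $HOME_NET gets flagged as external:
    the same flow matches before the subnet is added and not after."""
    header = "alert udp $EXTERNAL_NET any -> $HOME_NET 53"  # constructed
    before = rule_header_matches(header, DNS_SERVER, CLIENT, HOME_NET)
    fixed = HOME_NET + ["172.16.0.0/24"]
    after = rule_header_matches(header, DNS_SERVER, CLIENT, fixed)
    return before, after

if __name__ == "__main__":
    print(check_variables())  # (True, False)
```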

I did define the variables as shown in the attached ($EXTERNAL_NET defined as the exclusion of $HOME_NET).

I am stumped and would hate to just turn off the rule if there actually is a legit threat here. I also have another Snort rule, as shown, populating the intrusion logs as well.
