IPS Detection

keithcclark71 · ‎06-22-2021

I configured my IPS policy by filtering by maleware and selecting "Drop and Block" for all snort rules. I have this event coming up (See atttached) matching one of the rules. Its the internal DNS server it seems being flagged as the attacker and event suggests maleware on it. I have researched all over on this , ran maleware scans, AV is on the server and have come up empty. The research I did suggest this server is part of a botnet but I cant find anything wrong with it and the snort definition states no known false positives. Any ideas here on how I can go about seeing if this is legit or not or where I can find doc on how to remediate?

Sheraz.Salim · ‎06-23-2021

there are few think you can do.

1. you can go to the intrusion policy snort rule and either you can disable this rule your snort id 1:57756 (https://attack.mitre.org/techniques/T1568/001/)

https://snort.org/rule_docs/1-57756 or you can Generate the event but not droping the packet.

please do not forget to rate.

Marvin Rhoads · ‎06-23-2021

Have you defined your $HOME_NET and @$EXTERNAL_NET variables correctly (Variable set under objects)? The rule seems to indicate it should only flag hosts it believe are external.

keithcclark71 · ‎06-23-2021

I did define the variables as shown in the attached(EXTERNAL defined as exclusion of HOME-NE)

I am stumped and would hate to just turn off the rule if there actually is a legit threat here. I also have another snort rule as shown populating intrusion logs as well.