cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1433
Views
10
Helpful
3
Replies

IPS/IDS - Firepower ( Intrusions Events )

JRDIAZ758
Beginner
Beginner

we are seeing a lot of the messages below when looking at the reports, Does anyone know what they mean? do we need to take any action

 

Cleared DELETED BLACKLIST DNS request for known malware domain  

 

image.png

 

3 Replies 3

Greg Smalley
Beginner
Beginner

You may have a compromised host as it appears a computer on your network is making requests to known Malware domains.  First you need to find out which hosts are making these requests.  Analysis->Intrusion Events should show you the events in question. (Be aware that it may show your local DNS server making the request on behalf of a host and not the original client who is compromised that made the request.)  After locating which IPs are compromised you should wipe those PCs/Servers or at the very least clean with AV (though the later may leave undetectable software installed.)

but is the FP at least blocking the traffic? log is not very clear

Look for the "Inline Result" column.  A dark down arrow will show if it dropped the traffic.  A light down arrow will show if it would have dropped the traffic if "drop when inline" was enabled on your Intrusion policy.  You can highlight your mouse over the arrow to read what it did.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: