08-17-2018 07:15 AM - edited 03-12-2019 06:53 AM
We are seeing a lot of the messages below when looking at the reports. Does anyone know what they mean? Do we need to take any action?
Cleared DELETED BLACKLIST DNS request for known malware domain
08-23-2018 07:51 AM
You may have a compromised host, as it appears a computer on your network is making requests to known malware domains. First you need to find out which hosts are making these requests. Analysis->Intrusion Events should show you the events in question. (Be aware that it may show your local DNS server making the request on behalf of a host, and not the original client that made the request and is compromised.) After locating which IPs are compromised, you should wipe those PCs/servers or at the very least clean them with AV (though the latter may leave undetectable software installed).
08-23-2018 07:55 AM
But is the FP at least blocking the traffic? The log is not very clear.
08-23-2018 08:17 AM
Look for the "Inline Result" column. A dark down arrow will show if it dropped the traffic. A light down arrow will show if it would have dropped the traffic if "drop when inline" was enabled on your Intrusion policy. You can hover your mouse over the arrow to read what it did.
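The two replies above describe the triage a defender does by hand: work out which internal host actually triggered the alert when the event's source is the local DNS server, and check whether each alert was really dropped or only "would have" been dropped. The following added example (not code from the thread or from Cisco) automates both steps offline against constructed sample data. It assumes an intrusion-event export in CSV form with the columns shown, a BIND-style query log from the internal recursive resolver, and plain-text labels for the inline result; the IPs, domain names and timestamps are all made up for the example.

```python
"""Attribute resolver-sourced DNS-blacklist alerts to the real client,
and summarise which alerts were actually dropped.

All data below is constructed for this example; column names and
inline-result labels are assumptions, not a real product export format.
"""
import csv
import io
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed intrusion-event export: time, source, destination, rule message,
# inline result. The first two alerts are sourced from the resolver 10.0.0.53.
EVENTS_CSV = """time,src_ip,dst_ip,message,inline_result
2018-08-17 07:10:02,10.0.0.53,198.51.100.10,BLACKLIST DNS request for known malware domain,Dropped
2018-08-17 07:10:40,10.0.0.53,198.51.100.10,BLACKLIST DNS request for known malware domain,Would have dropped
2018-08-17 07:12:15,10.0.1.77,198.51.100.10,BLACKLIST DNS request for known malware domain,Dropped
"""

# Constructed BIND-style query log from the internal recursive resolver.
RESOLVER_LOG = """17-Aug-2018 07:10:01.870 client 10.0.1.25#51234: query: bad.example IN A
17-Aug-2018 07:10:01.990 client 10.0.1.40#40001: query: www.example.com IN A
17-Aug-2018 07:10:39.700 client 10.0.1.25#51240: query: bad.example IN A
17-Aug-2018 07:11:30.100 client 10.0.1.40#40002: query: www.example.com IN A
"""

RESOLVER_IPS = {"10.0.0.53"}  # assumed: the internal DNS server(s) on your network

QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+)"
)


def parse_events(text):
    """Read the intrusion-event CSV into dicts with a parsed timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "time": datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S"),
            "src_ip": row["src_ip"],
            "inline_result": row["inline_result"],
        })
    return rows


def parse_resolver_log(text):
    """Return (timestamp, client_ip, qname) for each resolver query line."""
    queries = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
            queries.append((ts, m["client"], m["qname"]))
    return queries


def suspect_hosts(events, queries, resolver_ips, window_seconds=2, flagged_domains=None):
    """Count, per internal host, how many alerts it plausibly caused.

    An alert sourced from an end host is attributed to that host directly.
    An alert sourced from a resolver is attributed to every client that asked
    the resolver something in the window just *before* the alert, because the
    resolver's upstream lookup (what the IPS saw) follows the client's query.
    If the flagged domain is known (e.g. from the event's packet data), pass it
    in flagged_domains to keep only clients that queried that name.
    """
    window = timedelta(seconds=window_seconds)
    hits = Counter()
    for ev in events:
        if ev["src_ip"] not in resolver_ips:
            hits[ev["src_ip"]] += 1
            continue
        for ts, client, qname in queries:
            if flagged_domains is not None and qname not in flagged_domains:
                continue
            if ev["time"] - window <= ts <= ev["time"]:
                hits[client] += 1
    return hits


def inline_summary(events):
    """Split alerts into actually dropped vs. 'would have dropped'
    (rule is set to drop, but the policy is not dropping when inline)."""
    counts = Counter(ev["inline_result"] for ev in events)
    return {"dropped": counts["Dropped"],
            "would_have_dropped": counts["Would have dropped"]}


if __name__ == "__main__":
    events = parse_events(EVENTS_CSV)
    queries = parse_resolver_log(RESOLVER_LOG)
    print(inline_summary(events))
    for host, n in suspect_hosts(events, queries, RESOLVER_IPS).most_common():
        print(f"{host}: implicated in {n} alert(s)")
```

Time-window correlation only yields candidates, so rank by how many alert windows a client appears in and narrow further with the queried name once you have it from the event's packet data; a host that keeps showing up across windows (10.0.1.25 here) is the one to pull for investigation. Any alert still tagged "would have dropped" means the traffic went through and the intrusion policy needs "drop when inline" enabled before the rule actually protects anything.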