Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1162
Views
10
Helpful
3
Replies

IPS/IDS - Firepower ( Intrusions Events )

JRDIAZ758
Beginner
Beginner

‎08-17-2018 07:15 AM - edited ‎03-12-2019 06:53 AM

we are seeing a lot of the messages below when looking at the reports, Does anyone know what they mean? do we need to take any action

 

Cleared DELETED BLACKLIST DNS request for known malware domain  

 

image.png

 

Labels:
Preview file
82 KB
0 Helpful
3 Replies 3

Greg Smalley
Beginner
Beginner

‎08-23-2018 07:51 AM

You may have a compromised host as it appears a computer on your network is making requests to known Malware domains.  First you need to find out which hosts are making these requests.  Analysis->Intrusion Events should show you the events in question. (Be aware that it may show your local DNS server making the request on behalf of a host and not the original client who is compromised that made the request.)  After locating which IPs are compromised you should wipe those PCs/Servers or at the very least clean with AV (though the later may leave undetectable software installed.)