Netgate Discussion Forum
    ET POLICY External IP Domain lookup

    IDS/IPS
    5 Posts 3 Posters 4.2k Views
    • cybersec_s

      ET POLICY External IP Lookup Domain (myip.opendns.com in DNS lookup). I use OpenDNS for name resolution on a lab PC. Is this a false positive? If so, I would like to unblock the IP address.

      • NogBadTheBad @cybersec_s

        @cybersec_s Find the rule and disable it:

        Screenshot 2023-01-26 at 20.34.12.png

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        • bmeeks @cybersec_s

          @cybersec_s said in ET POLICY External IP Domain lookup:

          ET POLICY External IP Lookup Domain (myip.opendns.com in DNS lookup). I use OpenDNS for name resolution on a lab PC. Is this a false positive? If so, I would like to unblock the IP address.

          You are the IDS/IPS security admin, so it's up to you to make the call on false positive or not. But just for your general info, the ET POLICY and ET INFO rule categories should generally never be used for blocking in a home network - especially the ET INFO category. By the very nature of the name (INFO), those rules are designed to make the admin aware of certain traffic types in the network, but not to judge such traffic as necessarily bad or malicious.

          The ET POLICY category is designed more for large corporate customers who have particular web utilization policies they wish to enforce. For example, let's say I am a Fortune 500 corporation and a Microsoft Windows shop. I may have some critical internal applications - perhaps even custom in-house developed ones. I might not want my company users automatically downloading and installing updates from Windows Update. I might prefer a process where the company maintains its own WSUS environment where Microsoft updates are posted and then local clients update only from there. That way the updates can be tested and vetted against critical company software apps before widespread deployment. In such a scenario, I would want the ET POLICY rules to alert me (or perhaps block the attempt) when a company machine attempted to download updates directly from Microsoft. But in a typical home or Small Office environment, I want my clients to pull updates from Microsoft, so many of the rules in ET POLICY would generate needless alerts or nuisance blocks.

          Of course the ET POLICY category can contain "bad" or NSFW detection rules as well. I may want to use some of those. That's why you always tune the enabled rules, even within a given Category, for the specific network threats you want to protect against. "Tuning" means the admin selectively enabling or disabling particular rule signatures (SIDs) depending on the threat the rule is designed to detect and the vulnerabilities present in the local network. IDS/IPS administration is hard work 🙂, and requires almost daily interaction and maintenance by the administrator.
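          As an added example (not code from this thread or from the pfSense IDS/IPS packages), here is the per-SID tuning step bmeeks describes combined with the disable-versus-suppress choice raised above, in Python: it parses constructed Suricata/Snort fast.log alert lines, groups them by SID and source host, and drafts threshold.conf suppress entries scoped to the lab PC, so ET POLICY/ET INFO alerts from that one host go quiet while the same SIDs still fire for every other host. The SIDs, addresses and rule messages in the sample log are placeholders, not real ET signatures.

```python
"""Triage IDS alerts by ET category and draft per-host suppressions (added example)."""
import re
from collections import Counter

# Suricata/Snort fast.log layout:
# ts [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src:port -> dst:port
FASTLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Categories that inform rather than judge: suppression candidates, not blocking material.
INFO_CATEGORIES = ("ET POLICY", "ET INFO")

# Constructed sample log; SIDs 1000001-1000003 and the hosts are placeholders, not real ET SIDs.
SAMPLE_LOG = """\
01/26/2023-20:34:12.101010  [**] [1:1000001:2] ET POLICY External IP Lookup Domain (myip.opendns.com in DNS lookup) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.0.2.25:51234 -> 208.67.222.222:53
01/26/2023-20:35:02.202020  [**] [1:1000001:2] ET POLICY External IP Lookup Domain (myip.opendns.com in DNS lookup) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.0.2.25:51240 -> 208.67.222.222:53
01/26/2023-20:36:40.303030  [**] [1:1000002:1] ET INFO Constructed Informational Signature [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.25:51250 -> 208.67.222.222:53
01/26/2023-20:37:15.404040  [**] [1:1000003:5] ET MALWARE Constructed Beacon Signature [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.77:49222 -> 203.0.113.9:443
"""


def parse_fastlog(text):
    """Return one dict per alert line that matches the fast.log layout."""
    return [m.groupdict() for m in map(FASTLOG_RE.match, text.splitlines()) if m]


def category(msg):
    """'ET POLICY External IP ...' -> 'ET POLICY' (first two words of the rule message)."""
    return " ".join(msg.split()[:2])


def suppress_candidates(alerts, known_hosts):
    """Draft threshold.conf lines that silence ET POLICY/ET INFO SIDs only for known
    hosts (track by_src), so the rule keeps firing for everything else on the network.
    Alerts in other categories are never suppressed here; they need a human decision."""
    seen = Counter((a["gid"], a["sid"], a["src"], category(a["msg"])) for a in alerts)
    return [
        f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}"
        for (gid, sid, src, cat), _ in sorted(seen.items())
        if cat in INFO_CATEGORIES and src in known_hosts
    ]


if __name__ == "__main__":
    for line in suppress_candidates(parse_fastlog(SAMPLE_LOG), {"192.0.2.25"}):
        print(line)
```

          The ET MALWARE line in the sample is deliberately left out of the draft even though it comes from the network, since only the informational categories are treated as suppression candidates.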

          • cybersec_s @bmeeks

            @bmeeks Thanks for the explanation. I found it very useful and I'm sure anyone reading this will also. Your use case, I feel, was spot on. Thank you.

            • cybersec_s @NogBadTheBad

              @nogbadthebad Thank you. I believed this was an alert I could disable or suppress but didn't want to do it until I knew more about the alert. Thank you. My Google searches did not result in good explanations.
