Is Snort warning of an exploit on our network?
MilesDeep last edited by
From time to time Snort will not allow any external DNS to be used from our Internet network. Internet browsing is shutdown. Can I assume that Snort is finding a legitimate threat? I see some chatter on NTOP that indicates communication with unknown servers via snmp. Can someone assist with some thoughts on what may be happening here? I'd appreciate it. The blocked hosts log table is below. Any insight is greatly appreciated.
IP Alert Description
220.127.116.11 INDICATOR-COMPROMISE Suspicious .pw dns query
ET POLICY DNS Query for .su TLD (Soviet Union) Often Malware Related -
18.104.22.168 INDICATOR-COMPRIMISE Suspicious .pw dns query -
fsansfil last edited by
The alerts are just DNS queries for .pw and .su domains. Often related to torrents webpages, like piratebay.su. You also need to make sure your dns servers, specially 22.214.171.124 is in your HOME_NET of your Snort interface, otherwise if you chose block offenders and select "both" in the which IP to block, your DNS server will get block with those alerts, therefore not allowing any external DNS…. Check if your DNS servers are in the blocked tab of your snort interface.
As for the SNMP, make sure your firewall is configure with some permission to access this service, only allowing your specific IP.