04-04-2013 11:59 PM
Hi
Since I upgraded to 5.0.3 from 4.1.10 I started getting such entry in Treat log:
Suspicious DNS Query (Backdoor.rshot:app.pou.me) 4009473 spyware medium drop-all-packets 74
Suspicious DNS Query (Downloader.fik:encyklopedia.eduteka.pl) 4008620 spyware medium drop-all-packets 31
Suspicious DNS Query (generic:stor1173.uploaded.net) 4014899 spyware medium drop-all-packets 26
Bot: Torpig Phone Home DNS request 12657 spyware medium drop-all-packets 276
Suspicious DNS Query (generic:www.tns-counter.ru) 4000032 spyware medium drop-all-packets 40
It's pointing to my two DNS servers for my local networks. I'm almost sure that this isnt a problem with this servers because last week was Eastern Christmas and during this time I never got such traffic. When my users back to work its started again.
Some of user's computers are in the same Zone as this two DNS servers. How in this case catch sources of this traffic?
For other network I will enable strict Tread profile on allow DNS traffic rules, I hope that this will give me information about real sources of this dns requests.
With regards
Slawek
10-24-2014 08:36 AM
Hi,
Please find the below document for the same.
DNS Sinkhole Process with Internal DNS Server
Regards,
Sarath
01-06-2015 04:08 PM
I have configured DNS sinkole, but it does not sinkhole these DNS requests (torpig):
Bot: Torpig Phone Home DNS request
12657
I believe sinkhole threat IDs can be between 4000000 and 4999999 on paloalto.
I don't know why torpig is not included.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
