Question about Alerts from IDS/IPS [Closed]

Started by pankaj, September 11, 2021, 07:25:02 PM

September 11, 2021, 07:25:02 PM Last Edit: September 11, 2021, 07:47:45 PM by pankaj
Hi,

I am running a dedicated VLAN for guest wifi and have just turned on IPS with all ET Pro rules enabled. In the alerts I see the following log:

2021-09-11T09:49:59.485364-0700 2014939 allowed 192.168.4.17 44574 192.168.4.1 53 ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR

So it seems like there is a client machine with IP 192.168.4.17 making a DNS query, but in the DHCP leases I do not see any entry for the IP address 192.168.4.17. Interestingly, I am able to ping 192.168.4.17 from the console of the OPNSense shell.

I am just trying to make sense of this log and any pointers will be helpful.

Thanks.

I did an nmap scan with verbosity and it turns out it was my own laptop, which I had assigned a static IP for testing a few weeks back!
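A small triage helper, added here as an example (it is not code from the thread or from OPNsense), that parses an alert line in the format quoted above and checks the source address against a DHCP lease table; an address with no lease is exactly the situation in the post (a statically configured host). The lease table, hostnames and the second sample line are constructed values.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the alert line quoted in the post, plus one
# hypothetical line from a host that does hold a DHCP lease.
ALERT_LINE = ("2021-09-11T09:49:59.485364-0700 2014939 allowed 192.168.4.17 44574 "
              "192.168.4.1 53 ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR")
LEASED_LINE = ("2021-09-11T09:50:03.000000-0700 2014939 allowed 192.168.4.10 50123 "
               "192.168.4.1 53 ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR")

# Constructed DHCP lease table (ip -> hostname); hypothetical values.
DHCP_LEASES = {"192.168.4.10": "guest-phone-1", "192.168.4.11": "guest-tablet"}

# Layout of the alert line: timestamp, rule SID, action, src, sport, dst, dport, message.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<sid>\d+)\s+(?P<action>allowed|blocked)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<sport>\d+)\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dport>\d+)\s+(?P<msg>.+)$")

@dataclass
class Alert:
    ts: str
    sid: int
    action: str
    src: str
    sport: int
    dst: str
    dport: int
    msg: str

def parse_alert(line: str) -> Alert:
    """Split one alert line into its fields; reject lines that do not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    return Alert(m["ts"], int(m["sid"]), m["action"], m["src"], int(m["sport"]),
                 m["dst"], int(m["dport"]), m["msg"])

def attribute_source(alert: Alert, leases: dict) -> str:
    """Hostname from the lease table, or a marker that the source has no lease
    (static assignment, stale lease or an address that needs an ARP/nmap check)."""
    return leases.get(alert.src, "NO-LEASE")

def unattributed_sources(lines, leases: dict) -> list:
    """Source IPs that raised an alert but have no DHCP lease, deduplicated in order."""
    seen, out = set(), []
    for line in lines:
        a = parse_alert(line)
        if attribute_source(a, leases) == "NO-LEASE" and a.src not in seen:
            seen.add(a.src)
            out.append(a.src)
    return out
```

Pointing the script at the exported alert log and the current lease list gives the short list of addresses that still need manual attribution, which in the thread turned out to be a single static host.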