It is just that the McAfee IPS appears to be infected to the other IPS, because it sends a query with an infected domain (according to black lists).
I wanted to take advantage of this to learn the DNS resolution mechanism. Does the IPS make its own queries by internal resolution? (Or does it resend queries from internal communications?)
I'm sorry...? Are you saying that your Personal (Site) Rating is considered 'Unsafe'? Or are you saying that you have an infection that needs removing?
The IPS is "guilty" of the infection for sending a query (DNS) with a domain matching a black list.
The question is... does the IPS do any internal resolution? Example: (create an ACL or rule which needs a resolution).
Nope, the DNS is internal; for this reason the matches may come from the IPS or from the host. That is the question... who can create the query (or whether sometimes the IPS itself can create a query that the other IPS catches).
host --------> dns | ---------------> IPS(mcafee) ------------IPS(catch signature) ----> | DNS external
query (evil.com is bad guy) |
(evil.com) -------| |--------------
jcrespo, with all this talk about ISP and domain resolution, I think this properly belongs in the Business section.
The thread has been moved from Malware Discussion to Business --> Network Security --> Network Security Platform (NSP, NIPS, NAC, NTBA) for attention.
To Business Moderators: please move again if necessary to the correct Business sub-section.
The IPS sensor will only do reputation lookups to the sites listed on this article: McAfee KnowledgeBase - Ports and traffic destinations used by Network Security Platform
However, looking at your diagram, you are referring to the monitored traffic. The sensor lookup would be via the sensor's management port, which would not be inline with your other IPS, based on your drawing. Also, the McAfee IPS sensor is completely transparent on the network, so the DNS lookup from the internal source would go through it to your other IPS, which should alert on a malicious DNS lookup with the source IP of your internal host.
Hope this helps... If this doesn't, then please provide more details, i.e. IP addresses of your hosts, alerts, the DNS domain that triggered the alert, etc.
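Following the answer above, a practitioner triaging such an alert would want to separate the sensor's own reputation lookups (sourced from its management address) from host traffic that merely passed through the transparent sensor. This is an added example, not code from the thread or from McAfee: it parses constructed query records, checks each domain and its parent domains against a blacklist, and attributes hits by source address; the sensor management IP, client subnet and log format are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed topology for this example (constructed, not from the thread):
SENSOR_MGMT_IP = ipaddress.ip_address("10.0.0.5")   # sensor management port
INTERNAL_NET = ipaddress.ip_network("10.0.1.0/24")  # monitored client subnet
BLOCKLIST = {"evil.com"}                            # domains on the black list

# Constructed query records "src_ip domain", as the outer IPS might log them.
SAMPLE_LOG = """\
10.0.1.23 evil.com
10.0.0.5 reputation.example.invalid
10.0.1.40 www.example.com
10.0.1.23 mail.evil.com
192.0.2.9 evil.com
"""

def is_blocklisted(domain):
    """True if the domain or any parent domain is on the black list."""
    labels = domain.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))

def classify_origin(src_ip):
    """Name the device class that sent the query, based on its source address."""
    ip = ipaddress.ip_address(src_ip)
    if ip == SENSOR_MGMT_IP:
        return "sensor-management"   # the sensor's own lookups
    if ip in INTERNAL_NET:
        return "internal-host"       # traffic passed through the transparent sensor
    return "other"

def triage(log_text):
    """Group black-listed queries by the class of device that originated them."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src_ip, domain = line.split()
        if is_blocklisted(domain):
            hits[classify_origin(src_ip)].append((src_ip, domain))
    return dict(hits)

if __name__ == "__main__":
    for origin, queries in triage(SAMPLE_LOG).items():
        print(origin, queries)
```

With the sample data, every black-listed query is attributed to the internal host (or an address outside both ranges), and nothing is attributed to the sensor's management port.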