One day FirePOWER IPS alerts went quiet for some time, and I became concerned that the IPS engine or my reporting tool was malfunctioning. I started looking online for a quick way to check it but, surprisingly, did not find anything useful. I needed something simple and quick. I did not want to enable or modify any production rules just for that. An inbound trigger seemed problematic because services are not always open in a specific direction, so I thought an outbound check would be easier to accomplish.
Going through my history of triggered alerts, I found this one: INDICATOR-COMPROMISE Suspicious .pw dns query – Rule 1:28039:6. This rule was triggered when a suspicious domain query was sent from the internal DNS server to an external one and traversed the FirePOWER module.
In the IPS Events history I found a query for a suspicious domain (jamloop.zrbcn.pw), and all I needed to do was run nslookup on it from an internal machine.
>nslookup
Do not forget to change the DNS server to a public one:
> server 8.8.8.8
Default Server: google-public-dns-a.google.com
Address: 8.8.8.8
> jamloop.zrbcn.pw
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Non-authoritative answer:
Name: jamloop.zrbcn.pw
Addresses: 198.211.110.157
138.197.37.225
And now on FMC under Analysis > Intrusions > Events you should see a new event pop up, indicating all is well with the IPS engine.
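The same check as a script that can be scheduled from an internal machine. This is an added example, not part of the original post: it builds the DNS query by hand and sends it straight to the public resolver, so the internal DNS server is bypassed just as with the "server 8.8.8.8" step. The function names and the transaction ID are assumptions chosen for illustration.

```python
import socket
import struct

TEST_NAME = "jamloop.zrbcn.pw"   # domain taken from the post's IPS event history
RESOLVER = "8.8.8.8"             # public resolver, as in the nslookup session
TXID = 0x1234                    # arbitrary transaction ID (assumption)

def build_query(name, txid=TXID):
    """Return a wire-format DNS query: type A, class IN, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("invalid DNS label: %r" % label)
        qname += bytes([len(label)]) + label.encode("ascii")
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_reply(reply, txid=TXID):
    """Return (rcode, answer_count); raise if the reply is not ours."""
    if len(reply) < 12:
        raise ValueError("short DNS reply")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    return flags & 0x000F, ancount

def send_canary(name=TEST_NAME, resolver=RESOLVER, timeout=3.0):
    """Send the query through the sensor; None means no reply arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        try:
            return parse_reply(s.recv(512))
        except socket.timeout:
            return None

if __name__ == "__main__":
    result = send_canary()
    if result is None:
        print("no reply received; check FMC events anyway")
    else:
        print("rcode=%d answers=%d; now look for rule 1:28039 in FMC" % result)
```

The script only generates the traffic; the FMC event list is still where you confirm that the sensor saw it.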

