
Sophos UTM ATP

Hello,

I have received the following ATP Message:

op:              1
Source IP:       192.168.xx.xx
Destination IP:  budgetsexamples.com
Threat:          C2/Generic-A
Origin:          DNS
First seen:      2018-04-10 11:29:50
Src. Hosts:      1
%:               50.00
Events:
%:

This message was triggered by opening the homepage. No virus has been found by the antivirus. DNS is the firewall, and it points to the OpenDNS IPs.

Do I have a risk? Should I check something else? Thank you for your help.

Best regards



This thread was automatically locked due to age.
  • Hello,

    Do you see anything in the ATP or Intrusion Prevention log?  What is the target IP of the DNS request?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Thank you for the reply.

    ATP Log:
    2018:04:10-11:29:50 home named[4563]: rpz: client 192.168.xxx.17#63785 (budgetsexamples.com): view default: rpz QNAME NXDOMAIN rewrite budgetsexamples.com via budgetsexamples.com.rpz

    Intrusion Prevention:
    No Log

    Do you see a security issue or is it a false positive? Thank you for the help.

    Best regards

  • What does the DNS log say was the IP of the name server requested?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Here the Log from the DNS:

    2018:04:10-11:02:02 homesite named[4563]: lame server resolving '55.20.46.121.in-addr.arpa' (in '20.46.121.in-addr.arpa'?): 125.94.214.36#53
    2018:04:10-11:17:02 homesite named[4563]: lame server resolving '55.20.46.121.in-addr.arpa' (in '20.46.121.in-addr.arpa'?): 125.94.214.36#53
    2018:04:10-11:29:50 homesite named[4563]: rpz: client 192.168.xx.xx#63785 (budgetsexamples.com): view default: rpz QNAME NXDOMAIN rewrite budgetsexamples.com via budgetsexamples.com.rpz
    2018:04:10-11:30:00 homesite named[4563]: rpz: client 192.168.xx.xx#55587 (budgetsexamples.com): view default: rpz QNAME NXDOMAIN rewrite budgetsexamples.com via budgetsexamples.com.rpz
    2018:04:10-11:32:03 homesite named[4563]: lame server resolving '55.20.46.121.in-addr.arpa' (in '20.46.121.in-addr.arpa'?): 125.94.214.36#53

    But at the moment I don't see the IP of the name server requested at the same time the ATP was alerting. How can I see the IP of the name server requested? In the DNS I have configured the OpenDNS server, not the relay from the ISP. Thank you for your help.

    Best regards

  • Hi Bob,

    Do you need more information? Do you see a security issue or is it a false positive? Thank you for the help.

    Best regards
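The DNS log posted above mixes two kinds of named messages: "lame server" noise from reverse lookups, and "rpz: ... QNAME NXDOMAIN rewrite" lines, which are the resolver's own response-policy zone rewriting the answer to NXDOMAIN (so the lookup was answered locally, not forwarded upstream). The following is an added example, not part of the thread or of Sophos UTM, showing how a defender can pull the RPZ hits out of such a log, count them per client and domain, and measure the spacing between repeated hits from one host, which is the first thing to look at when deciding whether a single C2/Generic-A alert is a one-off page load or something that keeps calling home. The sample log text, the hostname "homesite", the client addresses and the second domain "cdn.example.net" are constructed for the example; the line layout follows the format posted above.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the same layout as the UTM DNS log posted in the
# thread (hostname, client addresses and the second domain are made up).
SAMPLE_LOG = """\
2018:04:10-11:02:02 homesite named[4563]: lame server resolving '55.20.46.121.in-addr.arpa' (in '20.46.121.in-addr.arpa'?): 125.94.214.36#53
2018:04:10-11:29:50 homesite named[4563]: rpz: client 192.168.1.17#63785 (budgetsexamples.com): view default: rpz QNAME NXDOMAIN rewrite budgetsexamples.com via budgetsexamples.com.rpz
2018:04:10-11:30:00 homesite named[4563]: rpz: client 192.168.1.17#55587 (budgetsexamples.com): view default: rpz QNAME NXDOMAIN rewrite budgetsexamples.com via budgetsexamples.com.rpz
2018:04:10-11:31:12 homesite named[4563]: rpz: client 192.168.1.23#50012 (cdn.example.net): view default: rpz QNAME NXDOMAIN rewrite cdn.example.net via cdn.example.net.rpz
2018:04:10-11:32:03 homesite named[4563]: lame server resolving '55.20.46.121.in-addr.arpa' (in '20.46.121.in-addr.arpa'?): 125.94.214.36#53
"""

# One regex for the BIND RPZ rewrite line as it appears in the UTM log
# (timestamp is the UTM's "YYYY:MM:DD-HH:MM:SS" form, not syslog's).
RPZ_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: rpz: "
    r"client (?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+) \((?P<qname>[^)]+)\): "
    r"view (?P<view>\S+): rpz (?P<trigger>\S+) (?P<action>\S+) "
    r"rewrite (?P<name>\S+) via (?P<zone>\S+)$"
)


def parse_rpz_events(log_text):
    """Return a list of dicts, one per RPZ rewrite; other named lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = RPZ_RE.match(line.strip())
        if not m:
            continue  # "lame server" and similar resolver chatter is not a policy hit
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y:%m:%d-%H:%M:%S")
        d["port"] = int(d["port"])
        events.append(d)
    return events


def summarize_by_client(events):
    """Count rewrites per (client, queried name) so repeat offenders stand out."""
    return Counter((e["client"], e["qname"]) for e in events)


def repeat_intervals(events):
    """Seconds between consecutive hits for the same (client, qname).

    Regular intervals with no user activity suggest an automated caller;
    a burst of two or three hits while a page loads is the usual browser pattern."""
    by_key = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_key.setdefault((e["client"], e["qname"]), []).append(e["ts"])
    return {
        k: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
        for k, ts in by_key.items()
        if len(ts) > 1
    }


def triage(events, threshold=2):
    """Return (client, qname) pairs whose rewrite count meets the threshold."""
    counts = summarize_by_client(events)
    return sorted(k for k, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_rpz_events(SAMPLE_LOG)
    for e in evs:
        print(e["ts"], e["client"], e["qname"], e["action"], "via", e["zone"])
    print("repeat hits:", triage(evs))
    print("intervals  :", repeat_intervals(evs))
```

Run against the real UTM DNS log (export it from the log viewer) rather than the constructed sample to get the per-host picture; a host that keeps tripping the same RPZ entry after the browser is closed is the case worth isolating and scanning, whereas a pair of hits a few seconds apart during a page load matches a blocked tracker or ad domain.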
