Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 6 subscribers
  • Views 6223 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

C2\Generic A DNS traffic false positive ?

Guy Robertson

Hi folks, I have turned on the advanced threat protection on my UTM9, having done so I am now getting alot of alerts regading C2\Generic A traffic from my primary and seconday domain controllers, as normal these units are also our internal DNS hosts.

I have run the Sophos virus removal tool against both servers and they have come up clean, I have also tried to add the external DNS servers as exceptions and still getting alerts constantly (The DNS hosts are Google and telstra, our ISP and largest Telco in Australia) 

As you can see plenty of traffic is fine, however some is getting flagged

Thanks

Guy



This thread was automatically locked due to age.
  • 0

    Hi Guy,

    as i understand your setup some clients query your domain controllers and the domaincontroller will querry the external DNS.

     

    UTM has a DNS 'Proxy': explicite via 'network-services > DNS' and implicit/Inline via ATP/IPS

    UTM Checks every DNS Query routet through the utm for 'known as Malicious Hostnames' (eg. Command & Controll Servers, Malware Distribution Points) and for DNS Based Tunneling techniques.

     

    In your Setup the UTM only sees the Querys coming from the Domain Controllers (maybe their own querys maybe querys on behalf of some clients) if you see only a few of this drops keep calm maybe there was a banner advertise which wanted to load content from a bad server.

    If your log is spammed with this, you should first configure your Domaincontroller's DNS-Server to use UTM as DNS Forwarder (for more visibility in UTM Logs since the ATP log doesn't give insight in DNS Querys) then enable DNS Logging on your Domaincontroller's DNS-Server.

     

    Then you can search the UTM Logs for the blocked DNS Query and search the Domaincontroller DNS Log for the blocked Hostname to find the client who issued the query originaly.

     

    Yours Lukas

    lna@cema

    SCA (utm+xg), SCSE, SCT

    Sophos Platinum Partner

  • 0 in reply to lna

    Thanks Lucas, that sounds like some good advice. 

    I will configure the DNS proxy\forwarder and let you know how it goes. 

     

    Guy 

  • 0 in reply to Guy Robertson

    Hi Guy and welcome to the UTM Community!

    Lukas always gives great answers.  For a little background, you might want to read through DNS best practice.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML