Is it possible to look inside of the ATP pattern definitions Sophos UTM 9 uses? Are they similar to something you would use in Snort? Starting last night we began to see tons of ATP notifications that appear to be DNS-blocking related:
2020:04:07-11:02:16 xxxx named[4420]: SERVFAIL unexpected RCODE resolving 'xxx.197.153.185.in-addr.arpa/PTR/IN': 194.85.61.76#53
2020:04:07-11:02:17 xxxx named[4420]: SERVFAIL unexpected RCODE resolving 'xxx.197.153.185.in-addr.arpa/PTR/IN': 109.70.26.37#53
2020:04:07-11:17:16 xxxx named[4420]: SERVFAIL unexpected RCODE resolving 'xxx.197.153.185.in-addr.arpa/PTR/IN': 194.85.61.76#53
2020:04:07-11:17:16 xxxx named[4420]: SERVFAIL unexpected RCODE resolving 'xxx.197.153.185.in-addr.arpa/PTR/IN': 109.70.26.37#53
2020:04:07-11:17:26 xxxx named[4420]: SERVFAIL unexpected RCODE resolving 'xxx.199.153.185.in-addr.arpa/PTR/IN': 194.85.61.76#53
2020:04:07-11:17:26 xxxx named[4420]: SERVFAIL unexpected RCODE resolving 'xxx.199.153.185.in-addr.arpa/PTR/IN': 109.70.26.37#53
DNS logs show:
Apr 7, 2020 @ 09:47:09.482 xxx 4/7/2020 9:47:09 AM 19E8 PACKET 00000264ACBF1D40 UDP Snd 8.8.8.8 8269 Q [0001 D NOERROR] A (3)ns3(13)rm-injinering(2)ru(0)
Apr 7, 2020 @ 09:47:09.482 xxx 4/7/2020 9:47:09 AM 0EC4 PACKET 00000264AF1FA4E0 UDP Snd 1.1.1.1 9d3d Q [0001 D NOERROR] A (3)ns2(7)expired(3)r01(2)ru(0)
Still working on narrowing it down, but I'd like to be able to see if this was just recently added, say in the last 24 hours, to the Sophos pattern definitions.
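As an added triage helper that is not part of the original post: the two log formats quoted above can be parsed to decode the Windows DNS debug-log label notation (e.g. `(3)ns3(13)rm-injinering(2)ru(0)`) into a plain hostname and to count named's SERVFAILs per upstream resolver, which shows whether one forwarder or all of them are failing for the blocked PTR names. The sample lines are constructed from the formats in the post, with its `xxx` placeholders kept.

```python
import re
from collections import Counter

# Constructed sample lines in the two formats quoted in the post (the
# "xxx" octets and hostnames are placeholders, as in the post itself).
NAMED_LOG = """\
2020:04:07-11:02:16 xxxx named[4420]: SERVFAIL unexpected RCODE resolving 'xxx.197.153.185.in-addr.arpa/PTR/IN': 194.85.61.76#53
2020:04:07-11:02:17 xxxx named[4420]: SERVFAIL unexpected RCODE resolving 'xxx.197.153.185.in-addr.arpa/PTR/IN': 109.70.26.37#53
2020:04:07-11:17:26 xxxx named[4420]: SERVFAIL unexpected RCODE resolving 'xxx.199.153.185.in-addr.arpa/PTR/IN': 194.85.61.76#53
"""
WINDNS_LOG = """\
4/7/2020 9:47:09 AM 19E8 PACKET 00000264ACBF1D40 UDP Snd 8.8.8.8 8269 Q [0001 D NOERROR] A (3)ns3(13)rm-injinering(2)ru(0)
4/7/2020 9:47:09 AM 0EC4 PACKET 00000264AF1FA4E0 UDP Snd 1.1.1.1 9d3d Q [0001 D NOERROR] A (3)ns2(7)expired(3)r01(2)ru(0)
"""

NAMED_RE = re.compile(
    r"named\[\d+\]: SERVFAIL unexpected RCODE resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/(?P<rclass>[A-Z]+)': "
    r"(?P<server>[0-9a-fA-F.:]+)#(?P<port>\d+)")

WINDNS_RE = re.compile(
    r"PACKET \S+ (?P<proto>UDP|TCP) (?P<dir>Snd|Rcv) (?P<peer>\S+) \S+ "
    r"(?P<qr>Q|R) \[(?P<flags>[^\]]*)\] (?P<rtype>\S+) (?P<labels>\S+)$")

def decode_labels(labels: str) -> str:
    """Turn Windows DNS debug-log label notation such as
    '(3)ns3(13)rm-injinering(2)ru(0)' into 'ns3.rm-injinering.ru'."""
    names = []
    for length, text in re.findall(r"\((\d+)\)([^()]*)", labels):
        if int(length) != len(text):  # the length prefix must match the label
            raise ValueError(f"label length mismatch in {labels!r}")
        if text:  # the trailing (0) is the root label
            names.append(text)
    return ".".join(names)

def parse_named(log: str):
    """Return (name, rtype, server) for each SERVFAIL line logged by named."""
    return [(m["name"], m["rtype"], m["server"])
            for m in map(NAMED_RE.search, log.splitlines()) if m]

def parse_windns(log: str):
    """Return (direction, peer, rtype, hostname) for Windows DNS debug lines."""
    return [(m["dir"], m["peer"], m["rtype"], decode_labels(m["labels"]))
            for m in map(WINDNS_RE.search, log.splitlines()) if m]

def servfail_by_server(log: str) -> Counter:
    """Count SERVFAILs per upstream resolver: a single failing forwarder looks
    very different from every forwarder refusing the same PTR names."""
    return Counter(server for _, _, server in parse_named(log))
```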