
UTM9 ATP - Comprehension problem: named, afcd

Hello everyone,

Unfortunately I am having trouble understanding the following entries in our ATP log:

2022:07:05-00:29:04 vpn-1 named[6243]: rpz: client @0xba730d8 10.0.5.2#56756 (mail.cba.pl): view default: rpz IP NXDOMAIN rewrite mail.cba.pl via 32.65.144.211.95.rpz-ip.rpz
2022:07:05-00:29:04 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" url="-" action="drop"
2022:07:05-00:29:07 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" url="-" action="drop"
2022:07:05-00:29:10 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" url="-" action="drop"
2022:07:05-00:29:13 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" url="-" action="drop"
2022:07:05-00:29:15 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" url="-" action="drop"
2022:07:05-00:29:18 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" url="-" action="drop"
2022:07:05-00:29:21 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" url="-" action="drop"
2022:07:05-00:29:24 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" url="-" action="drop"

For context:
10.0.5.2 = internal DNS server
10.0.5.19 = internal DNS server
10.0.7.40 = internal application server

What exactly is happening here?

I interpret the afcd entries as follows:

The internal server srcip="10.0.7.40" queries the internal DNS server dstip="10.0.5.19" to resolve the external IP host="95.211.144.65".

Is that correct so far?

But what exactly is happening in the first line: named[6243]: rpz: client @0xba730d8
I can't make anything of it at all.

I hope someone can nudge me in the right direction here.
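As an added example (not part of the original post or of any Sophos tooling), the script below parses the two log formats quoted above and ties them together. BIND encodes an rpz-ip trigger owner name as `<prefix length>.<address octets in reverse order>.rpz-ip.<zone>`, so `32.65.144.211.95.rpz-ip.rpz` decodes to the single address 95.211.144.65/32; the script decodes that name and then lists every `Packet dropped (ATP)` entry whose `host` falls inside the decoded network within a time window around the rewrite. The sample input reuses the rpz line and three afcd lines from the post, plus one constructed afcd line with a documentation address (203.0.113.9) that must not correlate. The time window and the output field names are my own choices.

```python
import re
import ipaddress
from datetime import datetime, timedelta

# Sample input: the named rpz line and three afcd lines from the post, plus one
# CONSTRUCTED afcd line (host 203.0.113.9) that should not match the rewrite.
SAMPLE_LOG = """\
2022:07:05-00:29:04 vpn-1 named[6243]: rpz: client @0xba730d8 10.0.5.2#56756 (mail.cba.pl): view default: rpz IP NXDOMAIN rewrite mail.cba.pl via 32.65.144.211.95.rpz-ip.rpz
2022:07:05-00:29:04 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" url="-" action="drop"
2022:07:05-00:29:07 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" url="-" action="drop"
2022:07:05-00:29:10 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" url="-" action="drop"
2022:07:05-00:29:12 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.41" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="203.0.113.9" url="-" action="drop"
"""

# "<timestamp> <host> <program>[<pid>]: <message>"
HEADER_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$')
# afcd messages are key="value" pairs
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# BIND rpz log message: client, queried name, view, trigger type, policy, rewritten name, trigger owner name
RPZ_RE = re.compile(
    r'rpz: client @\S+ (?P<client>[^#\s]+)#\d+ \((?P<qname>[^)]+)\): '
    r'view (?P<view>[^:]+): rpz (?P<trigger>\w+) (?P<policy>\S+) rewrite '
    r'(?P<name>\S+) via (?P<via>\S+)')


def parse_ts(ts):
    return datetime.strptime(ts, "%Y:%m:%d-%H:%M:%S")


def decode_rpz_ip(owner):
    """Decode a BIND rpz-ip trigger owner name, e.g. 32.65.144.211.95.rpz-ip.rpz.
    Layout: <prefixlen>.<octets in reverse order>.rpz-ip.<zone>.  IPv4 only here;
    IPv6 triggers use the same idea with 'zz' standing for '::'."""
    head = owner.split('.rpz-ip.')[0]
    prefix, *octets = head.split('.')
    return '.'.join(reversed(octets)), int(prefix)


def parse_log(text):
    """Turn each recognised line into a dict with a parsed timestamp and program name."""
    events = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        ev = {'ts': parse_ts(m['ts']), 'program': m['prog']}
        if m['prog'] == 'afcd':
            ev.update(dict(KV_RE.findall(m['msg'])))
        elif m['prog'] == 'named':
            r = RPZ_RE.match(m['msg'])
            if not r:
                continue
            ev.update(r.groupdict())
            if r['trigger'] == 'IP':
                ev['rewritten_ip'], ev['prefix'] = decode_rpz_ip(r['via'])
        events.append(ev)
    return events


def correlate(text, window_seconds=60):
    """For every rpz IP rewrite, collect the ATP drops whose host lies in the
    rewritten network and whose timestamp is within window_seconds of the rewrite."""
    events = parse_log(text)
    drops = [e for e in events
             if e['program'] == 'afcd' and e.get('name') == 'Packet dropped (ATP)']
    window = timedelta(seconds=window_seconds)
    out = []
    for rz in (e for e in events if e['program'] == 'named' and 'rewritten_ip' in e):
        net = ipaddress.ip_network(f"{rz['rewritten_ip']}/{rz['prefix']}", strict=False)
        matched = [d for d in drops
                   if ipaddress.ip_address(d['host']) in net
                   and abs(d['ts'] - rz['ts']) <= window]
        out.append({'qname': rz['qname'], 'resolver': rz['client'],
                    'rewritten_ip': rz['rewritten_ip'], 'policy': rz['policy'],
                    'drops': matched})
    return out


if __name__ == '__main__':
    for hit in correlate(SAMPLE_LOG):
        print(f"{hit['qname']} -> {hit['rewritten_ip']} ({hit['policy']}), "
              f"resolver {hit['resolver']}, {len(hit['drops'])} ATP drop(s) from "
              f"{sorted({d['srcip'] for d in hit['drops']})}")
```

Run against a longer export of the same two logs, the output gives, per blocked name, which resolver performed the lookup and which internal source addresses were subsequently dropped for traffic to the address that the RPZ rewrite returned, which is the pivot a defender needs to go from an afcd drop back to the client that asked for the name.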
