UTM9 ATP - Verständnisproblem: named, afcd

Question

Hallo zusammen, 
 leider habe ich ein Verst&auml;ndnisproblem bei folgenden Eintr&auml;gen in unserem ATP Log: 
 2022:07:05-00:29:04 vpn-1 named[6243]: rpz: client @0xba730d8 10.0.5.2#56756 (mail.cba.pl): view default: rpz IP NXDOMAIN rewrite mail.cba.pl via 32.65.144.211.95.rpz-ip.rpz 2022:07:05-00:29:04 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" url="-" action="drop" 2022:07:05-00:29:07 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" url="-" action="drop" 2022:07:05-00:29:10 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" url="-" action="drop" 2022:07:05-00:29:13 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" url="-" action="drop" 2022:07:05-00:29:15 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" url="-" action="drop" 2022:07:05-00:29:18 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" url="-" action="drop" 2022:07:05-00:29:21 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" url="-" action="drop" 2022:07:05-00:29:24 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" url="-" action="drop" 
 Zum Verst&auml;ndnis: 10.0.5.2 = Interner DNS Server 10.0.5.19 = Interner DNS Server 10.0.7.40 = Interner Application Server 
 Was genau passiert hier? 
 Die afcd Eintr&auml;ge interpretiere ich wie folgt: 
 Der interne Server srcip="10.0.7.40" fragt internen DNS Server dstip="10.0.5.19" zur Aufl&ouml;sung von Externer IP host="95.211.144.65" an. 
 Ist das soweit korrekt? 
 Aber was genau passiert in der ersten Zeile: named[6243]: rpz: client @0xba730d8 Damit kann ich &uuml;berhaupt nichts anfangen. 
 Ich hoffe jemand kann mich hier in die richtige Richtung schubsen.

Vivek Jagad · Accepted Answer

Halo Marc , Vielen Dank, dass Sie sich an die Community gewandt haben. Bitte lesen Sie den Knowledge Base-Artikel zu Informationen zu C2/Generic-Erkennungen - https://support.sophos.com/support/s/article/KB-000038395?language=en_US

UTM9 ATP - Verständnisproblem: named, afcd

Top Replies