Hi everyone,
unfortunately I have trouble understanding the following entries in our ATP log:
2022:07:05-00:29:04 vpn-1 named[6243]: rpz: client @0xba730d8 10.0.5.2#56756 (mail.cba.pl): view default: rpz IP NXDOMAIN rewrite mail.cba.pl via 32.65.144.211.95.rpz-ip.rpz
2022:07:05-00:29:04 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" url="-" action="drop"
2022:07:05-00:29:07 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" url="-" action="drop"
2022:07:05-00:29:10 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" url="-" action="drop"
2022:07:05-00:29:13 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" url="-" action="drop"
2022:07:05-00:29:15 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" url="-" action="drop"
2022:07:05-00:29:18 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" url="-" action="drop"
2022:07:05-00:29:21 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" url="-" action="drop"
2022:07:05-00:29:24 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" url="-" action="drop"
For context:
10.0.5.2 = internal DNS server
10.0.5.19 = internal DNS server
10.0.7.40 = internal application server
What exactly is happening here?
I read the afcd entries as follows:
The internal server srcip="10.0.7.40" queries the internal DNS server dstip="10.0.5.19" to resolve the external IP host="95.211.144.65".
Is that correct so far?
But what exactly is happening in the first line: named[6243]: rpz: client @0xba730d8
I can't make anything of it at all.
I hope someone can nudge me in the right direction.
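As an added example (not code from the post or from the firewall vendor), the following script parses the two line formats shown above, decodes the BIND rpz-ip trigger name back into the address it matched, and lists the afcd drops whose host field refers to that same address. The sample lines are copied from the excerpt above; the field names used in the afcd body are assumed to be flat key="value" pairs as displayed.

```python
import re
from typing import Optional

# Sample input constructed from the log excerpt in the post (not a live capture).
RPZ_LINE = ('2022:07:05-00:29:04 vpn-1 named[6243]: rpz: client @0xba730d8 10.0.5.2#56756 '
            '(mail.cba.pl): view default: rpz IP NXDOMAIN rewrite mail.cba.pl via 32.65.144.211.95.rpz-ip.rpz')
AFCD_LINE = ('2022:07:05-00:29:04 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" '
             'sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" '
             'fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" '
             'url="-" action="drop"')

KV_RE = re.compile(r'(\w+)="([^"]*)"')
RPZ_RE = re.compile(r'rpz: client @\S+ (?P<client>[\d.]+)#(?P<port>\d+) \((?P<qname>[^)]+)\): '
                    r'view (?P<view>\S+): rpz (?P<trigger>\w+) (?P<policy>\S+) '
                    r'rewrite (?P<name>\S+) via (?P<rule>\S+)')


def parse_afcd(line: str) -> dict:
    """Turn the key="value" body of an afcd entry into a dict."""
    return dict(KV_RE.findall(line))


def decode_rpz_ip(rule: str) -> Optional[str]:
    """Decode a BIND rpz-ip trigger such as 32.65.144.211.95.rpz-ip.rpz into CIDR form.
    BIND encodes the prefix length first, followed by the address octets in reverse order."""
    labels = rule.split('.')
    if 'rpz-ip' not in labels:
        return None
    idx = labels.index('rpz-ip')
    prefix, octets = labels[0], labels[1:idx]
    if len(octets) != 4:
        return None  # only IPv4 triggers are handled here
    return '.'.join(reversed(octets)) + '/' + prefix


def parse_rpz(line: str) -> Optional[dict]:
    """Extract client, queried name, policy action and the decoded trigger IP from a named rpz line."""
    m = RPZ_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['ip'] = decode_rpz_ip(entry['rule'])
    return entry


def correlate(rpz_line: str, afcd_lines: list) -> list:
    """Return the afcd drop entries whose host matches the address the RPZ rule rewrote."""
    rpz = parse_rpz(rpz_line)
    if not rpz or not rpz['ip']:
        return []
    ip = rpz['ip'].split('/')[0]
    return [e for e in map(parse_afcd, afcd_lines)
            if e.get('host') == ip and e.get('action') == 'drop']
```

Running correlate() over a day's worth of both log types shows which DNS answers the resolver rewrote and which internal hosts subsequently had traffic to that address dropped, which is the question the post is asking.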