Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 3 replies
  • Subscribers 4 subscribers
  • Views 1386 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM9 ATP - Verständnisproblem: named, afcd

Marc

Hallo zusammen,

leider habe ich ein Verständnisproblem bei folgenden Einträgen in unserem ATP Log:

2022:07:05-00:29:04 vpn-1 named[6243]: rpz: client @0xba730d8 10.0.5.2#56756 (mail.cba.pl): view default: rpz IP NXDOMAIN rewrite mail.cba.pl via 32.65.144.211.95.rpz-ip.rpz
2022:07:05-00:29:04 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" url="-" action="drop"
2022:07:05-00:29:07 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" url="-" action="drop"
2022:07:05-00:29:10 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" url="-" action="drop"
2022:07:05-00:29:13 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" url="-" action="drop"
2022:07:05-00:29:15 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" url="-" action="drop"
2022:07:05-00:29:18 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" url="-" action="drop"
2022:07:05-00:29:21 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" url="-" action="drop"
2022:07:05-00:29:24 vpn-1 afcd[6509]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="10.0.7.40" dstip="10.0.5.19" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="95.211.144.65" url="-" action="drop"

Zum Verständnis:
10.0.5.2 = Interner DNS Server
10.0.5.19 = Interner DNS Server
10.0.7.40 = Interner Application Server

Was genau passiert hier?

Die afcd Einträge interpretiere ich wie folgt:

Der interne Server srcip="10.0.7.40" fragt internen DNS Server dstip="10.0.5.19" zur Auflösung von Externer IP host="95.211.144.65"  an.

Ist das soweit korrekt?

Aber was genau passiert in der ersten Zeile: named[6243]: rpz: client @0xba730d8
Damit kann ich überhaupt nichts anfangen.

Ich hoffe jemand kann mich hier in die richtige Richtung schubsen.



This thread was automatically locked due to age.
Parents Reply Children
No Data
Unfiltered HTML