tcpdump auf Sophos UMT - Linux Shell, How can I find a communication to IP 107.6.74.76. Are there other methods?

tcpdump

Hi Oliver,

the information in the ATP are sometimes misleading. First check the ATP Log (from the webadmin log sections or /var/log/aptp.log).

I guess your events are from a DNS reverse lookup for the IP 107.6.74.76 to your configured Google-DNS (8.8.8.8). In this case your tcpdump filter will not catch future attempts.

I have the same issue since days, and the log is not showing any valid information:

2023:07:01-17:07:54 firewall afcd[7105]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="8.8.8.8" dstip="Firewall External IP Address" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="107.6.74.76" url="-" action="drop"

Hello Mr. Oliver.
Did you find something or you thing is a false alarm?
I have the exact same alarm.  

Thank you in advance
Petrit

Your Firewall has dropped an answer from the Google DNS 8.8.8.8 which resolves a DNS-query to the IP 107.6.74.76 which is a known malware/attacking host.

You probably use the Firewall as recursive DNS resolver and have configured Google DNS 8.8.8.8 as DNS Forwarder (check Network Services->Global and Forwarders). So if one of your internal clients requests a DNS-name wich resolves to a bad IP the ATP in the Firewall gets that bad answer from the Forwarder and blocks it.

To find the client which originates this bad queries you can assign the Google DNS directly as DNS option in your DHCP server (depends on your setup, maybe only a good option for a guests-network).

Hello Josef
The problem is that I am trying to reproduce the same event by trying to attempt a domain that point to that bad IP address, and in any case I am able track the source IP. I can find the internal host from my DNS logs on my internal DNS server.
But when really happened I am not able to find the source.

I am trying everything since 2 months, but no result. 

Hi Petrit,

do I unterstand you right, you know the internal host with triggered the event, but you don't know which DNS-query or application on that host triggered it?

I would try to capture the traffic directly on that host with wireshark. In any case check that host with an offline malware tool.

No, I am not able to find the internal host.
Sophos Firewall is not showing the internall ip, just 8.8.8.8 that is trying to reply to the Firewall with the bad IP address (107.6.74.76)
I have collected all DNS logs from Domain Controller and there is no dns query that correspond that bad IP address.

2023:07:01-17:07:54 firewall afcd[7105]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="8.8.8.8" dstip="Firewall External IP Address" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="107.6.74.76" url="-" action="drop"

tcpdump is not showing anything when this event is triggered.

Does not need to be an internal host. If your firewall exposes services to the outside (say, SMTP Port 25) a reverse lookup is initiated on the firewall itself upon connection requests.

Hi Alan,
It is not SMTP, because when I am trying to reproduce SMTP is showing differently.