
Traffic from Up2Date Servers in Log?

Hello everybody,

Today I received the Daily Executive Report and found on the list of TOP10 Servers the following entry:

175.41.169.159 ec2-175-41-169-159.ap-southeast-1.compute.amazonaws.com 370 208 354.4 MB


I searched all the logs but couldn't find this domain name or ip address anywhere. I really don't know what the source of this traffic could be.

Is it possible that this traffic is generated by the ASG itself? Does this domain/IP refer to the Up2Date servers?

Yesterday there were 16 successful pattern updates. This means that one update is about 22 MB in size. Is this true?

Thanks,
Stephan


  • Somewhere I found the hint that Avira uses Amazon Web Services to host their anti-virus patterns.

    I bet you've discovered the answer.  I thought those patterns came to us via Astaro servers, but maybe that's just the ClamAV signatures.  Our Astaro gets about 10MB a day from ec2-75-101-226-191.compute-1.amazonaws.com.

    Then again, I'm seeing about 20MB/day of traffic outbound to Amazon IPs, so I wonder if that isn't the HTTP Proxy requesting classifications for URLs from TrustedSource, and the in-bound traffic above the responses.  I wonder if RWeiss isn't seeing outbound request traffic to TrustedSource.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • When I blocked this address I saw the following every 4 hours to the second (not 2 hours as I stated earlier) in my PF log.  This is not user generated traffic and up2date log looks normal during the day I had that address blocked.

    2010:07:12-10:36:02 astarohome ulogd[4396]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60019" outitf="eth1" srcmac="0:2:b3:28:1b:53" srcip="***.***.84.79" dstip="175.41.169.159" proto="17" length="40" tos="0x00" prec="0x00" ttl="15" srcport="52180" dstport="33435" 
    2010:07:12-10:36:02 astarohome ulogd[4396]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60019" outitf="eth1" srcmac="0:2:b3:28:1b:53" srcip="***.***.84.79" dstip="175.41.169.159" proto="17" length="40" tos="0x00" prec="0x00" ttl="8" srcport="52180" dstport="33437" 
    2010:07:12-10:36:02 astarohome ulogd[4396]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60019" outitf="eth1" srcmac="0:2:b3:28:1b:53" srcip="***.***.84.79" dstip="175.41.169.159" proto="17" length="40" tos="0x00" prec="0x00" ttl="4" srcport="52180" dstport="33438" 
    2010:07:12-10:36:02 astarohome ulogd[4396]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60019" outitf="eth1" srcmac="0:2:b3:28:1b:53" srcip="***.***.84.79" dstip="175.41.169.159" proto="17" length="40" tos="0x00" prec="0x00" ttl="2" srcport="52180" dstport="33439" 
    2010:07:12-10:36:02 astarohome ulogd[4396]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60019" outitf="eth1" srcmac="0:2:b3:28:1b:53" srcip="***.***.84.79" dstip="175.41.169.159" proto="17" length="40" tos="0x00" prec="0x00" ttl="1" srcport="52180" dstport="33440" 


    I would just like to be sure what this is.

    Rick
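Rick's dropped packets are UDP to consecutive destination ports 33435-33440 with varying TTLs, which is consistent with traceroute-style path probing rather than with a pattern download (an interpretation added here, not stated in the thread). As an added example that is not from the thread or from Astaro, the following Python snippet parses the ulogd key="value" format quoted above, aggregates drops per destination and protocol, and flags that probe pattern so it can be separated from the bulk download traffic under discussion; the sixth log line (a TCP drop to 192.0.2.10) is constructed to show an unflagged case.

```python
import re
from collections import defaultdict

# Sample input: the five ulogd lines quoted in the thread (source IP masked as posted)
# plus one constructed TCP drop, so the summary shows a destination that is NOT flagged.
SAMPLE_LOG = """\
2010:07:12-10:36:02 astarohome ulogd[4396]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60019" outitf="eth1" srcmac="0:2:b3:28:1b:53" srcip="***.***.84.79" dstip="175.41.169.159" proto="17" length="40" tos="0x00" prec="0x00" ttl="15" srcport="52180" dstport="33435"
2010:07:12-10:36:02 astarohome ulogd[4396]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60019" outitf="eth1" srcmac="0:2:b3:28:1b:53" srcip="***.***.84.79" dstip="175.41.169.159" proto="17" length="40" tos="0x00" prec="0x00" ttl="8" srcport="52180" dstport="33437"
2010:07:12-10:36:02 astarohome ulogd[4396]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60019" outitf="eth1" srcmac="0:2:b3:28:1b:53" srcip="***.***.84.79" dstip="175.41.169.159" proto="17" length="40" tos="0x00" prec="0x00" ttl="4" srcport="52180" dstport="33438"
2010:07:12-10:36:02 astarohome ulogd[4396]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60019" outitf="eth1" srcmac="0:2:b3:28:1b:53" srcip="***.***.84.79" dstip="175.41.169.159" proto="17" length="40" tos="0x00" prec="0x00" ttl="2" srcport="52180" dstport="33439"
2010:07:12-10:36:02 astarohome ulogd[4396]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60019" outitf="eth1" srcmac="0:2:b3:28:1b:53" srcip="***.***.84.79" dstip="175.41.169.159" proto="17" length="40" tos="0x00" prec="0x00" ttl="1" srcport="52180" dstport="33440"
2010:07:12-10:36:05 astarohome ulogd[4396]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60019" outitf="eth1" srcmac="0:2:b3:28:1b:53" srcip="***.***.84.79" dstip="192.0.2.10" proto="6" length="60" tos="0x00" prec="0x00" ttl="64" srcport="41000" dstport="443"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
TRACEROUTE_PORTS = range(33434, 33535)  # default UDP traceroute destination port range


def parse_ulogd_line(line):
    """Split one ulogd packetfilter line into its key="value" fields plus the timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def summarize_drops(log_text):
    """Group dropped packets by (dstip, proto); collect hit count, dst ports and TTLs."""
    summary = defaultdict(lambda: {"count": 0, "dstports": set(), "ttls": set()})
    for line in log_text.splitlines():
        f = parse_ulogd_line(line)
        if f.get("action") != "drop":
            continue
        entry = summary[(f["dstip"], f["proto"])]
        entry["count"] += 1
        entry["dstports"].add(int(f["dstport"]))
        entry["ttls"].add(int(f["ttl"]))
    return dict(summary)


def looks_like_traceroute(proto, entry):
    """Heuristic: UDP, every dst port in the traceroute range, and TTLs that vary (path probing)."""
    return (proto == "17"
            and all(p in TRACEROUTE_PORTS for p in entry["dstports"])
            and len(entry["ttls"]) > 1)


if __name__ == "__main__":
    for (dstip, proto), entry in summarize_drops(SAMPLE_LOG).items():
        tag = "traceroute-like" if looks_like_traceroute(proto, entry) else "other"
        print(f"{dstip} proto={proto} drops={entry['count']} "
              f"ports={sorted(entry['dstports'])} ttls={sorted(entry['ttls'])} -> {tag}")
```

Feed the script a real packetfilter log instead of SAMPLE_LOG to see whether the periodic drops to 175.41.169.159 are probe traffic (a handful of 40-byte UDP packets) or the multi-megabyte transfers the report attributes to that host.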
  • This is an Avira update IP that up2date uses, but there is an issue with it. I am working with tech on this; hope I find something out, as my traffic is more like 3.6 GB in one day.

    Russ
  • Please let us know if you get this resolved. I am seeing 4-5 GB of traffic to this URL every day.