Traffic from Up2Date Servers in Log?

Hello everybody,

Today I received the Daily Executive Report and found on the list of TOP10 Servers the following entry:

175.41.169.159 ec2-175-41-169-159.ap-southeast-1.compute.amazonaws.com 370 208 354.4 MB


I searched all the logs but couldn't find this domain name or ip address anywhere. I really don't know what the source of this traffic could be.

Is it possible that this traffic is generated by the ASG itself? Does this domain/IP refer to the Up2Date servers?

Yesterday there were 16 successful pattern updates. This means that one update is about 22 MB large. Is this true?

Thanks,
Stephan


  • Somewhere I found the hint that Avira uses Amazon Web Services to host their anti-virus patterns.

    I bet you've discovered the answer.  I thought those patterns came to us via Astaro servers, but maybe that's just the ClamAV signatures.  Our Astaro gets about 10MB a day from ec2-75-101-226-191.compute-1.amazonaws.com.

    Then again, I'm seeing about 20MB/day of traffic outbound to Amazon IPs, so I wonder if that isn't the HTTP Proxy requesting classifications for URLs from TrustedSource, and the in-bound traffic above the responses.  I wonder if RWeiss isn't seeing outbound request traffic to TrustedSource.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • When I blocked this address I saw the following every 4 hours to the second (not 2 hours as I stated earlier) in my PF log.  This is not user-generated traffic, and the up2date log looks normal during the day I had that address blocked.

    2010:07:12-10:36:02 astarohome ulogd[4396]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60019" outitf="eth1" srcmac="0:2:b3:28:1b:53" srcip="***.***.84.79" dstip="175.41.169.159" proto="17" length="40" tos="0x00" prec="0x00" ttl="15" srcport="52180" dstport="33435" 
    2010:07:12-10:36:02 astarohome ulogd[4396]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60019" outitf="eth1" srcmac="0:2:b3:28:1b:53" srcip="***.***.84.79" dstip="175.41.169.159" proto="17" length="40" tos="0x00" prec="0x00" ttl="8" srcport="52180" dstport="33437" 
    2010:07:12-10:36:02 astarohome ulogd[4396]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60019" outitf="eth1" srcmac="0:2:b3:28:1b:53" srcip="***.***.84.79" dstip="175.41.169.159" proto="17" length="40" tos="0x00" prec="0x00" ttl="4" srcport="52180" dstport="33438" 
    2010:07:12-10:36:02 astarohome ulogd[4396]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60019" outitf="eth1" srcmac="0:2:b3:28:1b:53" srcip="***.***.84.79" dstip="175.41.169.159" proto="17" length="40" tos="0x00" prec="0x00" ttl="2" srcport="52180" dstport="33439" 
    2010:07:12-10:36:02 astarohome ulogd[4396]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60019" outitf="eth1" srcmac="0:2:b3:28:1b:53" srcip="***.***.84.79" dstip="175.41.169.159" proto="17" length="40" tos="0x00" prec="0x00" ttl="1" srcport="52180" dstport="33440" 


    I would just like to be sure what this is.

    Rick
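As an added example (not code from the original thread or from Astaro/Sophos), the following Python parses the ulogd packet-filter format quoted above, groups dropped UDP packets into per-second bursts, and flags the shape Rick's five lines show: one source port, destination ports stepping through the 33434+ range that classic UDP traceroute uses, and a different TTL on each packet. It assumes only the log lines from the post; the masked source address is kept exactly as it appears there.

```python
import re
from collections import defaultdict

# The five ulogd lines from the post above (srcip masked as in the original).
SAMPLE_LOG = """\
2010:07:12-10:36:02 astarohome ulogd[4396]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60019" outitf="eth1" srcmac="0:2:b3:28:1b:53" srcip="***.***.84.79" dstip="175.41.169.159" proto="17" length="40" tos="0x00" prec="0x00" ttl="15" srcport="52180" dstport="33435"
2010:07:12-10:36:02 astarohome ulogd[4396]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60019" outitf="eth1" srcmac="0:2:b3:28:1b:53" srcip="***.***.84.79" dstip="175.41.169.159" proto="17" length="40" tos="0x00" prec="0x00" ttl="8" srcport="52180" dstport="33437"
2010:07:12-10:36:02 astarohome ulogd[4396]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60019" outitf="eth1" srcmac="0:2:b3:28:1b:53" srcip="***.***.84.79" dstip="175.41.169.159" proto="17" length="40" tos="0x00" prec="0x00" ttl="4" srcport="52180" dstport="33438"
2010:07:12-10:36:02 astarohome ulogd[4396]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60019" outitf="eth1" srcmac="0:2:b3:28:1b:53" srcip="***.***.84.79" dstip="175.41.169.159" proto="17" length="40" tos="0x00" prec="0x00" ttl="2" srcport="52180" dstport="33439"
2010:07:12-10:36:02 astarohome ulogd[4396]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60019" outitf="eth1" srcmac="0:2:b3:28:1b:53" srcip="***.***.84.79" dstip="175.41.169.159" proto="17" length="40" tos="0x00" prec="0x00" ttl="1" srcport="52180" dstport="33440"
"""

# Header: <timestamp> <host> <program>[<pid>]:  followed by key="value" pairs.
HEAD_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+?)\[(\d+)\]:\s*(.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_ulogd_line(line):
    """Return a dict of header fields plus all key="value" pairs, or None if malformed."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    ts, host, prog, pid, rest = m.groups()
    rec = {"timestamp": ts, "host": host, "program": prog, "pid": int(pid)}
    rec.update(dict(KV_RE.findall(rest)))
    return rec

def find_probe_bursts(lines, min_packets=3):
    """Group dropped UDP packets by (second, srcip, dstip, srcport) and describe each
    burst of at least min_packets, so a periodic machine-generated sweep stands out."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_ulogd_line(line)
        if rec is None or rec.get("action") != "drop" or rec.get("proto") != "17":
            continue  # skip malformed lines and anything that is not a dropped UDP packet
        groups[(rec["timestamp"], rec["srcip"], rec["dstip"], rec["srcport"])].append(rec)
    bursts = []
    for (ts, src, dst, sport), recs in groups.items():
        if len(recs) < min_packets:
            continue
        dports = sorted(int(r["dstport"]) for r in recs)
        ttls = sorted(int(r["ttl"]) for r in recs)
        bursts.append({
            "timestamp": ts, "srcip": src, "dstip": dst, "srcport": int(sport),
            "packets": len(recs), "dstports": dports, "ttls": ttls,
            # Classic UDP traceroute probes walk destination ports upward from 33434
            # with a distinct TTL per probe; that is the shape flagged here.
            "traceroute_like": dports[0] >= 33434 and len(set(ttls)) == len(ttls),
        })
    return bursts

if __name__ == "__main__":
    for b in find_probe_bursts(SAMPLE_LOG.splitlines()):
        print(b)
```

Run against a whole day of the packet filter log, the same grouping also shows the 4-hour spacing Rick describes, since each sweep collapses to one record per second.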