
ATP Alerts Tor Exit Nodes

Hi All,

I wonder if anyone can help me clarify the following. We started receiving standard ATP alerts over the past month, as per below. Usually I'm able to investigate these alerts, and they are either DNS recursive queries performed by our forwarders on spam domain emails received and rejected by the SMTP proxy, or web session hijack attempts trying to redirect traffic to malicious domains. But recently I've been baffled by a recurrent alert, as below, where I'm not able to make much sense of it. I parsed the logs for our SMTP proxy, which show traffic to a Tor node from what I can only assume are SMTP connections rejected by the UTM. Does anyone have any idea on this?

2021:10:27-12:50:55 srvutm-1 exim-in[8916]: 2021-10-27 12:50:55 SMTP connection from [185.220.100.254]:31034 (TCP/IP connection count = 4)
2021:10:27-12:50:57 srvutm-1 exim-in[23862]: 2021-10-27 12:50:57 TLS error on connection from tor-exit-3.zbau.f3netze.de [185.220.100.254]:31034 SSL_accept: TCP connection closed by peer
2021:10:27-12:50:57 srvutm-1 exim-in[8916]: 2021-10-27 12:50:57 SMTP connection from [185.220.100.254]:32560 (TCP/IP connection count = 4)
2021:10:27-12:51:01 srvutm-1 exim-in[23909]: 2021-10-27 12:51:01 TLS error on connection from tor-exit-3.zbau.f3netze.de [185.220.100.254]:32560 SSL_accept: TCP connection closed by peer
2021:10:27-17:12:32 srvutm-1 exim-in[8916]: 2021-10-27 17:12:32 SMTP connection from [185.220.100.254]:14154 (TCP/IP connection count = 2)
2021:10:27-17:12:33 srvutm-1 exim-in[5631]: 2021-10-27 17:12:33 TLS error on connection from tor-exit-3.zbau.f3netze.de [185.220.100.254]:14154 SSL_accept: TCP connection closed by peer
2021:10:29-03:34:26 srvutm-1 exim-in[6731]: 2021-10-29 03:34:26 SMTP connection from [185.220.100.254]:22392 (TCP/IP connection count = 1)
2021:10:29-03:34:28 srvutm-1 exim-in[18207]: 2021-10-29 03:34:28 TLS error on connection from tor-exit-3.zbau.f3netze.de [185.220.100.254]:22392 SSL_accept: TCP connection closed by peer

A threat has been detected in your network. The source IP/host listed below was found to communicate with a potentially malicious site outside your company.

Advanced Threat Protection Details
Total Events: 2

#   User/Host       Threat Name     Destination       Events   Origin
1   192.168.7.250   C2/Generic-A    185.220.100.254
2   192.168.7.250   C2/Generic-A    185.220.100.254



  • Hi Balfson

    The ATP reports the standard "a threat has been detected" message, as per below:

    A threat has been detected in your network
    The source IP/host listed below was found to communicate with a potentially malicious site outside your company.

    Details about the alert:

    Threat name....: C2/Generic-A
    Details........: www.sophos.com/.../C2~Generic-A.aspx
    Time...........: 2021-10-27 12:50
    Traffic blocked: yes

    #   Source          Destination       Threat          Origin   Time
    1   192.168.7.250   185.220.100.254   C2/Generic-A    AFCd     2021-10-27 12:50:49   1   7.14   1   7.14
    2   192.168.7.250   185.220.100.254   C2/Generic-A    AFCd     2021-10-27 12:50:49   1   7.14   1   7.14

    The traffic then points to our DNS forwarder (AFCd UDP C2/Generic-A 192.168.7.250 → 1.1.1.1). After parsing the logs from our internal DNS server I can see the requests from our UTM to the exit node going through our external DNS forwarders, but I have no idea what is causing the UTM to contact the node. My idea initially was based on a DNS query on a spam email received by the SMTP proxy, but I'm not entirely sure...


    07FC PACKET 000000B9471601E0 UDP Rcv 192.168.7.254 c213 Q [0001 D NOERROR] A (10)tor-exit-3(4)zbau(7)f3netze(2)de(0)
    07FC PACKET 000000B946134120 UDP Snd 1.1.1.1 0735 Q [0001 D NOERROR] A (10)tor-exit-3(4)zbau(7)f3netze(2)de(0)
    0678 PACKET 000000B946134120 UDP Snd 1.0.0.1 0735 Q [0001 D NOERROR] A (10)tor-exit-3(4)zbau(7)f3netze(2)de(0)

  • May we see the relevant log lines from the ATP log?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
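An added example, not code from this thread or from Sophos, of how a defender can read the Windows DNS Server debug-log packet lines quoted in the reply above: it expands the length-prefixed name notation (`(10)tor-exit-3(4)zbau(7)f3netze(2)de(0)`) back into a hostname and records, per name, which internal client asked the DNS server and which upstream forwarder the server sent the query on to. The sample lines are constructed from the ones in the post; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the DNS debug-log lines quoted in the thread.
# 192.168.7.254 is the client that queried the internal DNS server; 1.1.1.1 and
# 1.0.0.1 are the external forwarders the server passed the query on to.
DNS_DEBUG_LOG = """\
07FC PACKET 000000B9471601E0 UDP Rcv 192.168.7.254 c213 Q [0001 D NOERROR] A (10)tor-exit-3(4)zbau(7)f3netze(2)de(0)
07FC PACKET 000000B946134120 UDP Snd 1.1.1.1 0735 Q [0001 D NOERROR] A (10)tor-exit-3(4)zbau(7)f3netze(2)de(0)
0678 PACKET 000000B946134120 UDP Snd 1.0.0.1 0735 Q [0001 D NOERROR] A (10)tor-exit-3(4)zbau(7)f3netze(2)de(0)
"""

# One debug-log packet entry: thread id, packet id, protocol, direction, remote IP,
# transaction id, optional "R" for responses, query flags, query type, encoded name.
PACKET_RE = re.compile(
    r'^(?P<tid>[0-9A-Fa-f]+)\s+PACKET\s+(?P<pkt>[0-9A-Fa-f]+)\s+'
    r'(?P<proto>UDP|TCP)\s+(?P<dir>Rcv|Snd)\s+(?P<ip>[0-9A-Fa-f.:]+)\s+'
    r'(?P<xid>[0-9A-Fa-f]{4})\s+(?P<resp>R\s+)?Q\s+\[(?P<flags>[^\]]*)\]\s+'
    r'(?P<qtype>\S+)\s+(?P<name>\S+)'
)

# The debug log writes names as (length)label pairs, terminated by (0).
LABEL_RE = re.compile(r'\((\d+)\)([^(]*)')


def decode_name(encoded):
    """Turn '(10)tor-exit-3(4)zbau(7)f3netze(2)de(0)' into 'tor-exit-3.zbau.f3netze.de'."""
    labels = []
    for length, text in LABEL_RE.findall(encoded):
        n = int(length)
        if n == 0:          # root label ends the name
            break
        if len(text) != n:  # a mismatch means the line was truncated or mangled
            raise ValueError(f"label length {n} does not match {text!r}")
        labels.append(text)
    return ".".join(labels)


def parse_packets(text):
    """Yield one dict per well-formed packet line; unparseable lines are skipped."""
    for raw in text.splitlines():
        m = PACKET_RE.match(raw.strip())
        if m:
            rec = m.groupdict()
            rec["is_response"] = rec.pop("resp") is not None
            rec["name"] = decode_name(rec["name"])
            yield rec


def trace_queries(text):
    """Map each queried name to the clients that asked for it and the forwarders it went to."""
    trace = defaultdict(lambda: {"asked_by": set(), "forwarded_to": set()})
    for rec in parse_packets(text):
        if rec["is_response"]:
            continue  # only the outbound/inbound query legs matter for attribution
        if rec["dir"] == "Rcv":
            trace[rec["name"]]["asked_by"].add(rec["ip"])
        else:
            trace[rec["name"]]["forwarded_to"].add(rec["ip"])
    return {name: {k: sorted(v) for k, v in legs.items()} for name, legs in trace.items()}


if __name__ == "__main__":
    for name, legs in trace_queries(DNS_DEBUG_LOG).items():
        print(f"{name}: asked by {legs['asked_by']}, forwarded to {legs['forwarded_to']}")
```

Run against a full debug log, the "asked_by" list is what identifies the internal host that actually requested the Tor exit's hostname, which is the piece the ATP alert (showing only the forwarder as destination) does not tell you.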
  • Balfson,

    These are the most up-to-date logs of a fresh incident. As per the SMTP proxy, the UTM is rejecting a connection from a Tor node; I'm trying to decipher why the constant connection attempts, as we have no internal hosts using mail servers.

    SMTP PROXY
    2021:11:07-06:43:35 srvutm-1 exim-in[6731]: 2021-11-07 06:43:35 SMTP connection from [185.220.100.243]:4524 (TCP/IP connection count = 2)
    2021:11:07-06:43:50 srvutm-1 exim-in[4881]: 2021-11-07 06:43:50 SMTP connection from tor-exit-16.zbau.f3netze.de [185.220.100.243]:4524 lost D=14s


    ATP
    Source            Threat          Destination
    192.168.200.104   C2/Generic-A    185.220.100.243
    192.168.7.250     C2/Generic-A    185.220.100.243
    192.168.200.103   C2/Generic-A    185.220.100.243
    192.168.200.113   C2/Generic-A    185.220.100.243
    192.168.200.104   C2/Generic-A    185.220.100.243
    192.168.7.250     C2/Generic-A    185.220.100.243
    192.168.200.103   C2/Generic-A    185.220.100.243
    192.168.200.113   C2/Generic-A    185.220.100.243


    ATP LIVE LOG

    Time       Origin   Proto   Threat          Source            Destination   Action
    06:43:40   AFCd     UDP     C2/Generic-A    192.168.200.103   1.0.0.1       drop
    06:43:40   AFCd     UDP     C2/Generic-A    192.168.200.113   1.1.1.1       drop
    06:43:42   AFCd     UDP     C2/Generic-A    192.168.7.250     1.0.0.1       drop
    06:43:43   AFCd     UDP     C2/Generic-A    192.168.200.104   1.0.0.1       drop
    06:43:47   AFCd     UDP     C2/Generic-A    192.168.200.103   1.1.1.1       drop
    06:43:48   AFCd     UDP     C2/Generic-A    192.168.7.250     1.1.1.1       drop
    06:43:49   AFCd     UDP     C2/Generic-A    192.168.200.104   1.1.1.1       drop
    06:43:51   AFCd     UDP     C2/Generic-A    192.168.200.103   1.0.0.1       drop
    06:43:52   AFCd     UDP     C2/Generic-A    192.168.7.250     1.0.0.1       drop
    06:43:52   AFCd     UDP     C2/Generic-A    192.168.200.104   1.0.0.1       drop
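As an added example (my code, not the poster's or Sophos') of the triage step this thread is doing by hand: parse the exim-in proxy lines, check whether each ATP event's destination is one of the DNS forwarders named in the thread (1.1.1.1 / 1.0.0.1) rather than the Tor exit itself, and list the inbound SMTP peers the proxy saw within a few seconds of each event. The sample input is constructed from the lines above; the 203.0.113.9 peer and the final "direct" event are hypothetical additions so the non-matching case is exercised. The thread does not establish what triggers the lookups; the correlation only shows that they coincide with the inbound SMTP connection, which is the lead to follow in the DNS server log.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input modelled on the exim-in SMTP-proxy lines in the thread.
# The 203.0.113.9 line is a hypothetical unrelated connection.
SMTP_LOG = """\
2021:11:07-06:43:35 srvutm-1 exim-in[6731]: 2021-11-07 06:43:35 SMTP connection from [185.220.100.243]:4524 (TCP/IP connection count = 2)
2021:11:07-06:43:50 srvutm-1 exim-in[4881]: 2021-11-07 06:43:50 SMTP connection from tor-exit-16.zbau.f3netze.de [185.220.100.243]:4524 lost D=14s
2021:11:07-09:10:02 srvutm-1 exim-in[7001]: 2021-11-07 09:10:02 SMTP connection from [203.0.113.9]:51000 (TCP/IP connection count = 1)
"""

# Constructed ATP live-log events as (time, origin, proto, threat, source, destination, action).
# The last one is hypothetical: a TCP event straight to a flagged IP, not via a resolver.
ATP_EVENTS = [
    ("2021-11-07 06:43:40", "AFCd", "UDP", "C2/Generic-A", "192.168.200.103", "1.0.0.1", "drop"),
    ("2021-11-07 06:43:42", "AFCd", "UDP", "C2/Generic-A", "192.168.7.250", "1.0.0.1", "drop"),
    ("2021-11-07 06:43:49", "AFCd", "UDP", "C2/Generic-A", "192.168.200.104", "1.1.1.1", "drop"),
    ("2021-11-07 09:30:00", "AFCd", "TCP", "C2/Generic-A", "192.168.200.150", "203.0.113.9", "drop"),
]

# Upstream DNS forwarders named in the thread; an ATP hit whose destination is one of
# these is a blocked name lookup, not a connection to the flagged host itself.
RESOLVERS = {"1.1.1.1", "1.0.0.1"}

# Matches both "SMTP connection from ..." and "TLS error on connection from ..." lines,
# with the peer hostname present only when exim had already resolved it.
EXIM_RE = re.compile(
    r'^\S+ \S+ exim-in\[\d+\]: (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'(?:SMTP connection from|TLS error on connection from) '
    r'(?:(?P<host>\S+) )?\[(?P<ip>[^\]]+)\]:(?P<port>\d+)'
)
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_smtp_log(text):
    """Extract timestamp, peer IP, peer hostname (if logged) and port from exim-in lines."""
    conns = []
    for line in text.splitlines():
        m = EXIM_RE.match(line)
        if not m:
            continue
        conns.append({
            "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "ip": m.group("ip"),
            "host": m.group("host"),
            "port": int(m.group("port")),
        })
    return conns


def classify_atp(event):
    """'dns-query' when the blocked packet went to a resolver, otherwise 'direct'."""
    _, _, proto, _, _, dst, _ = event
    return "dns-query" if proto == "UDP" and dst in RESOLVERS else "direct"


def correlate(conns, events, window=timedelta(seconds=30)):
    """For each ATP event, collect SMTP peers seen within +/- window of its timestamp."""
    results = []
    for ev in events:
        ts = datetime.strptime(ev[0], TS_FMT)
        peers = {}
        for c in conns:
            if abs(c["ts"] - ts) <= window:
                hosts = peers.setdefault(c["ip"], set())
                if c["host"]:
                    hosts.add(c["host"])
        results.append({
            "time": ev[0], "source": ev[4], "destination": ev[5],
            "kind": classify_atp(ev),
            "smtp_peers": {ip: sorted(h) for ip, h in sorted(peers.items())},
        })
    return results


if __name__ == "__main__":
    for r in correlate(parse_smtp_log(SMTP_LOG), ATP_EVENTS):
        print(f"{r['time']} {r['source']} -> {r['destination']} [{r['kind']}] peers={r['smtp_peers']}")
```

The window is deliberately small: the live log above shows the resolver hits landing 5 to 17 seconds after the proxy accepted the Tor exit's connection, and widening it much further starts pairing unrelated events on a busy MX.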