I wonder if anyone can help me clarify the following, we start receiving standard ATP alerts for the past month as per bellow, usually im able to investigate this alerts and they either are DNS recursive queries performed by out forwarders on Spam domain emails received and rejected by the SMTP proxy, or Web sessions hijack attempts trying to redirect traffic to malicious domains, but recently i been baffled by a a recurrent alert as bellow where im not able to make much sense, i parsed the logs for our SMTP proxy that shows traffic to a Tor node from what i can only assume being SMTP connections rejected by the UTM does anyone have any idea on this ?
A threat has been detected in your network The source IP/host listed below was found to communicate with a potentially malicious site outside your company.
Advanced Threat ProtectionDetails Total Events: 2 User/Host Threat Name Destination Events Origin 1 192.168.7.250 C2/Generic-A 126.96.36.199 2 192.168.7.250 C2/Generic-A 188.8.131.52
just letting you know that we are currently facing the exact same issue,
We previously thought this may be caused by someone in our network using the Tor Browser to avoid our webfilter (=> because the destination IP is a Tor exit node), but we couldn't confirm this.
One thing to mention: From my understanding it is not the traffic itself that is getting detected as suspicious, but the destination IP itself is.
Even if we just ping that external IP, we receive an ATP alert from the UTMs.
Our UTMs only show our internal DNS servers as the cause, which doesn't help.
We have enabled DNS logging on our DNS servers, and usually when the UTM finds something suspicious, I can find the source IP in those DNS logs - but not this time.
I went through a lot of logfiles - could you please check your UTM's IPS logfiles? Ours shows "ICMP flood detected" action="ICMP flood" where the destination IP is our mailserver's WAN interface. - But I'm not sure if this is related.
Sorry I can't help you, but you are not alone with this problem.
Thanks for your input, i do believe that this are random probing and vuln scans being performed by hosts in the Tor subnet looking for potential ports or services exposed, this happens on a daily basis and most of Network admins are not aware as Firewalls or edge protection devices rebuke this probing attempts as we expect them to do, due to the ATP triggering an alert is what put us on alert mode but as long the UTM drops traffic , and all our external services or ports are not exposed i believe we are fine.
The only thing wrong here is that traffic originating from the Tor shouldn't be allowed to use public DNS resolvers or Tor Dns should be restricted to their own Dns subnet and not touch the open common Dns resolvers
It's confusing when you don't just copy the full log lines here.
Cheers - Bob
Balfson, i never had to dissect the ATP full log lines, so not to sure how to fetch. Does it requires SSH ? If so what are the inputs