ATP Alerts Tor Exit Nodes

Hi All,

I wonder if anyone can help me clarify the following. We started receiving standard ATP alerts over the past month, as per below. Usually I'm able to investigate these alerts, and they are either DNS recursive queries performed by our forwarders on spam-domain emails received and rejected by the SMTP proxy, or web-session hijack attempts trying to redirect traffic to malicious domains. Recently, though, I've been baffled by a recurrent alert, as below, where I'm not able to make much sense of it. I parsed the logs for our SMTP proxy, which show traffic to a Tor node from what I can only assume are SMTP connections rejected by the UTM. Does anyone have any idea on this?

2021:10:27-12:50:55 srvutm-1 exim-in[8916]: 2021-10-27 12:50:55 SMTP connection from [185.220.100.254]:31034 (TCP/IP connection count = 4)
2021:10:27-12:50:57 srvutm-1 exim-in[23862]: 2021-10-27 12:50:57 TLS error on connection from tor-exit-3.zbau.f3netze.de [185.220.100.254]:31034 SSL_accept: TCP connection closed by peer
2021:10:27-12:50:57 srvutm-1 exim-in[8916]: 2021-10-27 12:50:57 SMTP connection from [185.220.100.254]:32560 (TCP/IP connection count = 4)
2021:10:27-12:51:01 srvutm-1 exim-in[23909]: 2021-10-27 12:51:01 TLS error on connection from tor-exit-3.zbau.f3netze.de [185.220.100.254]:32560 SSL_accept: TCP connection closed by peer
2021:10:27-17:12:32 srvutm-1 exim-in[8916]: 2021-10-27 17:12:32 SMTP connection from [185.220.100.254]:14154 (TCP/IP connection count = 2)
2021:10:27-17:12:33 srvutm-1 exim-in[5631]: 2021-10-27 17:12:33 TLS error on connection from tor-exit-3.zbau.f3netze.de [185.220.100.254]:14154 SSL_accept: TCP connection closed by peer
2021:10:29-03:34:26 srvutm-1 exim-in[6731]: 2021-10-29 03:34:26 SMTP connection from [185.220.100.254]:22392 (TCP/IP connection count = 1)
2021:10:29-03:34:28 srvutm-1 exim-in[18207]: 2021-10-29 03:34:28 TLS error on connection from tor-exit-3.zbau.f3netze.de [185.220.100.254]:22392 SSL_accept: TCP connection closed by peer

A threat has been detected in your network The source IP/host listed below was found to communicate with a potentially malicious site outside your company.

Advanced Threat Protection Details
Total Events: 2
#  User/Host      Threat Name   Destination      Events  Origin
1  192.168.7.250  C2/Generic-A  185.220.100.254
2  192.168.7.250  C2/Generic-A  185.220.100.254



  • Not sure I "see" that, Marius.  Are your DNS servers in a DMZ and can they reach the outside world without the traffic passing through the UTM?  Also, confirm they don't have the UTM listed as one of their forwarders.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • No forwarders at all configured on the DNS servers, they are resolving using recursion and the root servers.

    The traffic is passing the UTM but not using it's internal resolver.

  • Have got the same "problem" for a while now. Exactly the same as described. Every now and then we get ATP messages heading to our DNS servers, showing DNS requests to tor-exit servers.

    Only thing I want to add: within the DNS server log there are a couple of "tor-exit" server entries, not only German ones.

  • This is very similar to the problem people have when the UTM asks an internal DNS server to resolve an external FQDN and the internal server sends the same request back through the UTM to an external name server - ATP is triggered.  Following DNS best practice might resolve this.

    Cheers - Bob

  • Hi again,

    has anyone here of the people who receive the ATP alerts found an actual way to get rid of these specific ATP alerts? We still receive the alerts multiple times per week, still from the same subnet. From my understanding there is exactly nothing to do against these DNS requests. We have put the subnet into a blackhole NAT as suggested by BAlfson. Still no change, and the alerts are getting quite annoying at this point. Like, someone from the subnet just has to ping us and we receive an alert. There has to be a solution for this. Or do you guys all just live with it at this point?

    regards

  • Still receiving these messages as well, but we didn't do anything so far. This week or next, we'll change the DNS settings, as the forwarders are pointing to internal DNS servers at the moment.
    We assume this will solve the problem.

    Seems like these messages are generated because an SMTP request is coming from Tor, the UTM checks it and forwards a DNS request to the internal DNS to verify. The DNS servers cannot verify it themselves, so they ask their forwarders (ISP DNS servers), and that's the point when the ATP message is raised.

    When the UTM's forwarders are the ISP's directly, this alert shouldn't be raised anymore.

    At least this is what we think/hope/believe, and our Sophos partner as well. Support is still not helpful.
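A small triage helper for the mechanism described in this post and in the original question: it reads the exim-in lines quoted in the thread, pairs each inbound SMTP connection with the reverse-DNS name the UTM resolved for it, and checks whether each ATP alert's flagged destination had just connected to the SMTP proxy. This is an added example, not Sophos UTM tooling; the ATP event timestamps and the third, unmatched destination are constructed sample data (the thread's alert carries no timestamps), and the five-minute correlation window is an assumption.

```python
"""Triage Sophos UTM ATP alerts against the SMTP proxy (exim-in) log.

Added example, not the UTM's own code. Hypothesis from the thread: an inbound
SMTP connection from a Tor exit node makes the UTM do a reverse-DNS lookup via
the internal DNS server, which forwards the query back out through the UTM, so
ATP reports the internal DNS server (192.168.7.250) "talking to" the Tor exit IP.
"""
import re
from datetime import datetime, timedelta

# Log lines copied from the thread's exim-in excerpt.
EXIM_LOG = """\
2021:10:27-12:50:55 srvutm-1 exim-in[8916]: 2021-10-27 12:50:55 SMTP connection from [185.220.100.254]:31034 (TCP/IP connection count = 4)
2021:10:27-12:50:57 srvutm-1 exim-in[23862]: 2021-10-27 12:50:57 TLS error on connection from tor-exit-3.zbau.f3netze.de [185.220.100.254]:31034 SSL_accept: TCP connection closed by peer
2021:10:29-03:34:26 srvutm-1 exim-in[6731]: 2021-10-29 03:34:26 SMTP connection from [185.220.100.254]:22392 (TCP/IP connection count = 1)
2021:10:29-03:34:28 srvutm-1 exim-in[18207]: 2021-10-29 03:34:28 TLS error on connection from tor-exit-3.zbau.f3netze.de [185.220.100.254]:22392 SSL_accept: TCP connection closed by peer
"""

# Constructed ATP events: timestamps are assumed (the thread's alert has none),
# and the third row uses a documentation-range IP with no matching SMTP client.
ATP_EVENTS = [
    {"time": "2021-10-27 12:50:56", "host": "192.168.7.250", "threat": "C2/Generic-A", "dest": "185.220.100.254"},
    {"time": "2021-10-29 03:34:27", "host": "192.168.7.250", "threat": "C2/Generic-A", "dest": "185.220.100.254"},
    {"time": "2021-10-29 09:00:00", "host": "192.168.7.250", "threat": "C2/Generic-A", "dest": "203.0.113.9"},
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) \S+ exim-in\[\d+\]: \S+ \S+ (?P<msg>.*)$"
)
CONN_RE = re.compile(r"SMTP connection from \[(?P<ip>[^\]]+)\]:(?P<port>\d+)")
TLS_RE = re.compile(r"TLS error on connection from (?P<rdns>\S+) \[(?P<ip>[^\]]+)\]:(?P<port>\d+)")


def parse_exim(text):
    """Return one record per inbound SMTP client, keyed by (ip, port).

    The later 'TLS error' line carries the reverse-DNS name the UTM resolved,
    so it is attached to the matching 'SMTP connection from' record.
    """
    conns = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y:%m:%d-%H:%M:%S")
        msg = m.group("msg")
        c = CONN_RE.search(msg)
        if c:
            conns[(c["ip"], c["port"])] = {"time": ts, "ip": c["ip"], "rdns": None}
            continue
        t = TLS_RE.search(msg)
        if t:
            rec = conns.setdefault((t["ip"], t["port"]), {"time": ts, "ip": t["ip"], "rdns": None})
            rec["rdns"] = t["rdns"]
    return list(conns.values())


def triage(atp_events, smtp_conns, window=timedelta(minutes=5)):
    """Label each ATP alert.

    'inbound-smtp-rdns': the flagged destination connected to the SMTP proxy
    within `window` of the alert, the pattern the thread attributes to the
    UTM's reverse-DNS lookup being forwarded through the internal DNS server.
    'investigate': no such connection, so the alert deserves a real look.
    """
    results = []
    for ev in atp_events:
        at = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        match = next(
            (c for c in smtp_conns if c["ip"] == ev["dest"] and abs(at - c["time"]) <= window),
            None,
        )
        results.append({
            "time": ev["time"],
            "host": ev["host"],
            "dest": ev["dest"],
            "label": "inbound-smtp-rdns" if match else "investigate",
            "rdns": match["rdns"] if match else None,
        })
    return results


if __name__ == "__main__":
    for r in triage(ATP_EVENTS, parse_exim(EXIM_LOG)):
        print(f'{r["time"]}  {r["host"]} -> {r["dest"]:16}  {r["label"]:18}  {r["rdns"] or "-"}')
```

The label only tells you that the alert lines up with an inbound SMTP client; it does not remove the underlying cause, which the later posts address by pointing the UTM's forwarders at the WAN instead of at the internal DNS servers.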

  • Hey,

    my way to work around it was to treat these as false positives and put this handful of hosts onto the threat exception list:

    Advanced Threat Protection > Threat Exceptions:
    185.220.100.254
    185.220.100.243
    185.220.100.244
    185.220.101.35

    I can live with that, especially because I fear that, after a while, I won't look at the alerts anymore, discarding them as "again only a DNS Tor issue".

    Cheers,
        Marius
  • Hi all,

    Got the same problem. Sophos was pointing to the internal DNS. Then I changed everything to best practice. Internal DNS --> Sophos --> WAN.

    Still finding the connection in the SMTP proxy log, but no ATP is raised:

    2022:01:23-06:08:00 utm-2 exim-in[18957]: 2022-01-23 06:08:00 TLS error on connection from tor-exit-1.zbau.f3netze.de [185.220.100.252]:10578 SSL_accept: TCP connection closed by peer

  • We finally did the same last week; since then no ATP messages have been raised anymore. Even though the SMTP log still shows requests, these kinds of entries are normal anyway...

    For me, this problem is solved

  • I did this change two days ago too. I'll wait for two to three more weeks to be sure, but from my understanding removing the internal DNS from the Sophos should indeed get rid of those ATP alerts.

    Thanks everyone!