
ACK PSH

Hi guys,

For the past 2 days we have seen lots of connection drops where the source is our Sophos WAN IP and the source port is 80, going to an IP in China.

In the WAF logs I can see that the same Chinese IP is harvesting images from one of our websites that is hosted behind the Sophos.

The logs show this:

2019:05:28-00:42:17 securitysrv1-2 ulogd[10734]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="00:1a:8c:f0:0f:a1" srcip="62.XX.XX.184" dstip="42.203.129.232" proto="6" length="1480" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="16832" tcpflags="ACK PSH"

 

2019:05:28-00:17:01 securitysrv1-2 ulogd[10734]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="00:1a:8c:f0:0f:a1" srcip="62.XX.XX.184" dstip="42.203.129.232" proto="6" length="2944" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="14126" tcpflags="ACK"

 

Can I assume that we see this because our IP tries to acknowledge the sync on the same port that the website accepts connections from, and the destination is dropping these requests?

 

Thanks



  • It looks like the connection tracker has decided that this connection is no longer active.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
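
An added example, not part of the thread's posts: a small parser for the `key="value"` packetfilter lines quoted in the question that counts dropped TCP segments carrying ACK (no SYN or RST) from a web service port, the pattern the reply above attributes to the connection tracker. The `service_ports` default and the third sample line (a dropped SYN from a documentation address) are assumptions constructed for contrast.

```python
import re
from collections import Counter

# Lines 1-2 are copied from the post; line 3 is constructed for contrast.
SAMPLE = '''\
2019:05:28-00:42:17 securitysrv1-2 ulogd[10734]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="00:1a:8c:f0:0f:a1" srcip="62.XX.XX.184" dstip="42.203.129.232" proto="6" length="1480" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="16832" tcpflags="ACK PSH"
2019:05:28-00:17:01 securitysrv1-2 ulogd[10734]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="00:1a:8c:f0:0f:a1" srcip="62.XX.XX.184" dstip="42.203.129.232" proto="6" length="2944" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="14126" tcpflags="ACK"
2019:05:28-00:50:00 securitysrv1-2 ulogd[10734]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.0.2.10" dstip="62.XX.XX.184" proto="6" length="60" tos="0x00" prec="0x00" ttl="52" srcport="40000" dstport="23" tcpflags="SYN"
'''

FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse(line):
    """Return the key="value" fields of one packetfilter line as a dict."""
    return dict(FIELD.findall(line))


def is_stale_reply(ev, service_ports=(80, 443)):
    """True for a dropped TCP segment with ACK set, no SYN/RST, sent from a
    service port: server-side data for a flow the firewall no longer tracks.
    service_ports is an assumption; adjust it to the published services."""
    flags = set(ev.get("tcpflags", "").split())
    return (ev.get("action") == "drop" and ev.get("proto") == "6"
            and "ACK" in flags and not flags & {"SYN", "RST"}
            and int(ev.get("srcport", 0)) in service_ports)


def summarize(text):
    """Count stale-reply drops per (srcip, srcport, dstip)."""
    counts = Counter()
    for line in text.splitlines():
        ev = parse(line)
        if ev and is_stale_reply(ev):
            counts[(ev["srcip"], ev["srcport"], ev["dstip"])] += 1
    return counts


if __name__ == "__main__":
    for flow, n in summarize(SAMPLE).most_common():
        print(n, "stale-reply drops:", flow)
```

A high count for one destination alongside matching WAF entries for the same client points at long or abandoned downloads rather than new outbound connections from the firewall.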