
Detecting and blocking crypto mining related traffic

Is there an effective way to detect and/or block crypto mining related traffic going in/out through a UTM gateway?

We are already using some Application Control rules for some project networks to block file transfer related traffic.

There is no obvious Category or Application entry related to crypto mining traffic, so I wonder if these lists (categories/applications) can be extended with some custom entries, or if there would be another way to check whether an endpoint is potentially mining.

According to an article:

https://www.cloudsavvyit.com/15087/how-to-detect-and-defeat-cryptominers-in-your-network

filtering requests to:

  • *xmr.*
  • *pool.com
  • *pool.org
  • pool.*

should reveal the majority of connections related to cryptominers.

What would be the most efficient setup to log such requests and block them later in a second step?



  • Hallo Chris,

    The only place domains are visible in UTM logs is in the Web Filtering logs.  For example, here's what I would do at the command line to look for *.xmr.* and *pool.com in 2021:

       zgrep -E '\.xmr\.|pool\.com' /var/log/http/2021/*/*|more

    You will also want to be sure you haven't excepted internal devices from IPS scanning.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
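As an added example (not from the thread, and not Sophos code), here is a portable shell script that applies the four hostname patterns quoted in the question to constructed web-filter log lines and prints the internal client and host for each match. The key="value" layout and the srcip/url field names are an assumed approximation of the UTM http log, not verified against a real file, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: match the question's patterns (*xmr.*, *pool.com, *pool.org, pool.*)
# against Sophos-UTM-style web filter log lines. Log layout is an assumed approximation.

# Constructed sample log lines (not real traffic); one deliberately benign-looking
# host (carpool.org) shows why the broad *pool.org pattern needs review before blocking.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2021:03:01-10:00:01 utm httpproxy[4242]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" srcip="192.168.10.21" url="http://www.example.com/index.html"
2021:03:01-10:00:07 utm httpproxy[4242]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" srcip="192.168.10.33" url="http://eu.xmr.example.net:3333/"
2021:03:01-10:01:12 utm httpproxy[4242]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" srcip="192.168.10.33" url="https://examplepool.com/"
2021:03:01-10:02:45 utm httpproxy[4242]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" srcip="192.168.10.40" url="http://carpool.org/rides"
2021:03:01-10:03:00 utm httpproxy[4242]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" srcip="192.168.10.40" url="http://pool.example.org/api"
EOF

# Extract "srcip host" from each line (host = url="scheme://host[:port]/..."),
# then keep hosts matching the four wildcard patterns translated to regexes:
#   *xmr.*  -> xmr\. anywhere      *pool.com -> pool\.com$
#   *pool.org -> pool\.org$        pool.*    -> ^pool\.
find_pool_hits() {
    sed -n 's/.*srcip="\([^"]*\)".*url="[a-z]*:\/\/\([^/:"]*\).*/\1 \2/p' "$1" |
    awk '$2 ~ /xmr\./ || $2 ~ /pool\.com$/ || $2 ~ /pool\.org$/ || $2 ~ /^pool\./'
}

# Number of matching log lines, as a plain integer.
count_pool_hits() {
    find_pool_hits "$1" | wc -l | tr -d ' '
}

# Stand-alone run: list candidate clients and hosts for review before any block rule.
find_pool_hits "$SAMPLE_LOG"
```

On a real gateway the same function can be fed `zcat`/`zgrep` output from the dated /var/log/http directories; the carpool.org hit illustrates why the poster's plan to log first and block in a second step is sound.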