Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 2 replies
  • Subscribers 3 subscribers
  • Views 3978 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Need help with proxy logs to determine source of connection attempt

AndrewGunnesch

2 days ago the http.log file on my UTM started getting filled with millions of entries like these, causing my disk to fill and using up the connection sockets:

2017:03:03-12:54:50 portal httpproxy[9026]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="172.16.0.4" dstip="10.169.32.224" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaDataVlan2 (SCVC Corporate Web Filter)" filteraction="REF_HttCffWebFilteActio (Web Filter Action - Unrestricted)" size="159" request="0xe1fcaa00" url="https://10.169.32.224/" referer="" error="" authtime="1" dnstime="1" cattime="171" avscantime="0" fullreqtime="948" device="3" auth="2" ua="" exceptions="" category="9998" reputation="unverified" categoryname="Uncategorized"
2017:03:03-12:54:50 portal httpproxy[9026]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="172.16.0.4" dstip="10.66.211.13" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaDataVlan2 (SCVC Corporate Web Filter)" filteraction="REF_HttCffWebFilteActio (Web Filter Action - Unrestricted)" size="57" request="0xe17ba400" url="https://10.66.211.13/" referer="" error="" authtime="1" dnstime="1" cattime="180" avscantime="0" fullreqtime="1122" device="3" auth="2" ua="" exceptions="" category="9998" reputation="unverified" categoryname="Uncategorized"
2017:03:03-12:54:50 portal httpproxy[9026]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="172.16.0.4" dstip="10.66.211.13" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaDataVlan2 (SCVC Corporate Web Filter)" filteraction="REF_HttCffWebFilteActio (Web Filter Action - Unrestricted)" size="57" request="0xe1fc9200" url="https://10.66.211.13/" referer="" error="" authtime="1" dnstime="1" cattime="183" avscantime="0" fullreqtime="966" device="3" auth="2" ua="" exceptions="" category="9998" reputation="unverified" categoryname="Uncategorized"
2017:03:03-12:54:50 portal httpproxy[9026]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="172.16.0.4" dstip="10.169.32.224" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaDataVlan2 (SCVC Corporate Web Filter)" filteraction="REF_HttCffWebFilteActio (Web Filter Action - Unrestricted)" size="159" request="0xddc69e00" url="https://10.169.32.224/" referer="" error="" authtime="1" dnstime="1" cattime="142" avscantime="0" fullreqtime="981" device="3" auth="2" ua="" exceptions="" category="9998" reputation="unverified" categoryname="Uncategorized"

172.16.0.4 is my UTM IP.  The 2 IPs attempting to be accessed are not active on my network and we don't have routes to them, either.  I'm at a loss trying to determine what host is using the proxy to try and hit these 2 hosts continuously.

 

Any suggestions on how to find the source of a proxy connection would be greatly appreciated!



This thread was automatically locked due to age.
Parents
  • 0

    Hi, Andrew, and welcome to the UTM Community!

    It appears that you have the Proxy in Transparent mode.  If so, put a Network definition for 10.0.0.0/8 into the Destination Skiplist on the 'Misc' tab in 'Filtering Options'.  Because of #2 in Rulz, you will want to deselect 'Allow HTTP/S traffic for listed hosts/nets' and make an explicit rule for HTTP/S traffic you want to allow.

    Still, there should be no traffic initiated by a UTM Internal interface.  Please insert a screencap of the Proxy Profile ProContaDataVlan2.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0

    Hi, Andrew, and welcome to the UTM Community!

    It appears that you have the Proxy in Transparent mode.  If so, put a Network definition for 10.0.0.0/8 into the Destination Skiplist on the 'Misc' tab in 'Filtering Options'.  Because of #2 in Rulz, you will want to deselect 'Allow HTTP/S traffic for listed hosts/nets' and make an explicit rule for HTTP/S traffic you want to allow.

    Still, there should be no traffic initiated by a UTM Internal interface.  Please insert a screencap of the Proxy Profile ProContaDataVlan2.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
  • +2 in reply to BAlfson

    Thanks for the response; we opened a ticket with Sophos support and were informed that there was a known error in the UTM 9.410 code that we were running, and advised an upgrade to 9.411 should resolve the issue, which appears to have done.  Very strange issue...

     

    Thanks for the welcome!

     

    --andrew

Unfiltered HTML