
ATP Alert mail without log - is logged in IPS instead

In the last 2 days we received several ATP Mail alerts from the UTM.

The hostname / IP shown in the mail is not listed in the ATP log, but I can see the IP of the host on the ATP Dashboard (Advanced Protection Statistics) in webadmin.

There is no exception for that host.

How is this possible?

Advanced Threat Protection

A threat has been detected in your network. The source IP/host listed below was found to communicate with a potentially malicious site outside your company.

 Details about the alert:

Threat name....: C2/Torpig-A (SID: 16693)

Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Torpig-A.aspx

Time...........: 2021-03-02 15:01:46

Traffic blocked: yes

 Source IP address or host: internal.fqdn.name

       --

HA Status          : HA MASTER (node id: 2)

System Uptime      : 52 days 4 hours 15 minutes

System Load        : 0.71

System Version     : Sophos UTM 9.705-3



  • OK, I found a related IPS log line, but why not in the ATP log?

    2021:03:02-15:01:46 fw-320-2 snort[19034]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-CNC Torpig bot sinkhole server DNS lookup" group="241" srcip="internal-IP-of-host" dstip="8.8.8.8" proto="17" srcport="63891" dstport="53" sid="16693" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"

    Btw.: those events are expected. We have no crap in our network.
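To check that the alert mail and the IPS log line above describe the same event, here is a small correlation script. It is an added example written for this thread, not code from Sophos or from any poster; the sample mail body and log line are the ones quoted in the thread (with the poster's placeholders for the host and IP), while the function names, the key="value" parsing approach and the 60-second matching window are my own assumptions.

```python
"""Correlate a Sophos UTM ATP alert mail with the matching IPS (snort) log line.

Added example, not code from Sophos or from the thread. The join key is the
SID plus the timestamp, because the mail names the source by FQDN while the
IPS line carries the IP address, so the source fields cannot be compared.
"""
import re
from datetime import datetime

# Constructed sample: the ATP alert mail body as quoted in the thread.
ALERT_MAIL = """\
Threat name....: C2/Torpig-A (SID: 16693)
Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Torpig-A.aspx
Time...........: 2021-03-02 15:01:46
Traffic blocked: yes
 Source IP address or host: internal.fqdn.name
"""

# Constructed sample: the IPS log line as quoted in the thread.
IPS_LOG = ('2021:03:02-15:01:46 fw-320-2 snort[19034]: id="2101" severity="warn" '
           'sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" '
           'reason="MALWARE-CNC Torpig bot sinkhole server DNS lookup" group="241" '
           'srcip="internal-IP-of-host" dstip="8.8.8.8" proto="17" srcport="63891" '
           'dstport="53" sid="16693" class="A Network Trojan was Detected" '
           'priority="1" generator="1" msgid="0"')

# UTM log lines: "<ts> <host> <proc>[<pid>]: " followed by key="value" pairs.
HEADER_RE = re.compile(r'^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (\S+) (\w+)\[(\d+)\]: ')
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_ips_line(line):
    """Return the header fields plus all key="value" pairs of one IPS log line."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a UTM log line: %r" % line[:40])
    fields = dict(KV_RE.findall(line[m.end():]))
    fields.update(
        timestamp=datetime.strptime(m.group(1), "%Y:%m:%d-%H:%M:%S"),
        hostname=m.group(2),
        process=m.group(3),
        pid=int(m.group(4)),
    )
    return fields


def parse_alert_mail(body):
    """Pull SID, time, source host and blocked flag out of the ATP alert mail."""
    sid = re.search(r'\(SID: (\d+)\)', body)
    when = re.search(r'^Time\.+: (\S+ \S+)$', body, re.M)
    src = re.search(r'Source IP address or host: (\S+)', body)
    blocked = re.search(r'^Traffic blocked: (\w+)$', body, re.M)
    if not (sid and when and src and blocked):
        raise ValueError("alert mail is missing SID, Time, Source or blocked line")
    return {
        "sid": sid.group(1),
        "timestamp": datetime.strptime(when.group(1), "%Y-%m-%d %H:%M:%S"),
        "source": src.group(1),
        "blocked": blocked.group(1).lower() == "yes",
    }


def match_alert_to_ips(alert, ips_lines, window_seconds=60):
    """Return IPS events with the alert's SID logged within window_seconds of it.

    Lines that are not UTM log lines are skipped rather than aborting the scan.
    """
    hits = []
    for line in ips_lines:
        try:
            ev = parse_ips_line(line)
        except ValueError:
            continue
        if ev.get("sub") != "ips" or ev.get("sid") != alert["sid"]:
            continue
        delta = abs((ev["timestamp"] - alert["timestamp"]).total_seconds())
        if delta <= window_seconds:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    alert = parse_alert_mail(ALERT_MAIL)
    for ev in match_alert_to_ips(alert, IPS_LOG.splitlines()):
        print("%s sid=%s action=%s srcip=%s dstip=%s reason=%s" % (
            ev["timestamp"], ev["sid"], ev["action"], ev["srcip"], ev["dstip"], ev["reason"]))
```

Run against the real ips.log with `match_alert_to_ips(alert, open("ips.log"))` (path assumed). A hit with `action="drop"` and the same SID within the window confirms the mail refers to the IPS drop, which is the observation made in this thread; the script does not tell you why the event is absent from the ATP log.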

  • Not sure what your question is...

    If these alerts just started, I would run a malware scan on that internal host just to be sure.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Q: ATP Alert Mail: Log in IPS log but why not in ATP log?

    No malware check needed. Btw.: those events are expected. We have no crap in our network.