
Advanced Threat Protection

Hello,

In the last couple of days I started receiving emails from my Sophos UTM (Firmware version 9.350-12):

A threat has been detected in your network The source IP/host listed below was found to communicate with a potentially malicious site outside your company.

Details about the alert:

Threat name....: C2/Generic-A

Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx

Time...........: 2016-03-20 06:41:17

Traffic blocked: yes

Source IP address or host: 218.60.112.225

Every email includes a different IP address, but it is not in my LAN network. How can I find the problematic machine (IP) on my local network?



  • Part of it is the configuration of your DNS. In order for ATP to work correctly you need to have all DNS requests go to the firewall FIRST. If you are not using the firewall for DHCP, then set the primary DNS in DHCP as the firewall.

    If you are using AD then you also need to set up DNS request routing under DNS in the WebAdmin so the firewall will route internal DNS requests to your AD server(s). Then you will get proper alerts for internal machines...:)

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow
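A small triage helper for the question and the DNS advice above, written as an added example (not Sophos code and not from any poster): it parses the dotted "Key....: value" lines of an ATP alert email and checks whether the reported source IP falls inside your LAN ranges. An external source usually means the UTM could not attribute the DNS request to a client (requests not routed through the firewall first), so the hint points at DNS configuration. The sample alert bodies and the RFC 1918 LAN ranges are constructed assumptions; replace the ranges with your own.

```python
import ipaddress
import re

# Constructed sample alert bodies in the format quoted in the thread (not real alerts).
SAMPLE_ALERTS = [
    "Threat name....: C2/Generic-A\n"
    "Time...........: 2016-03-20 06:41:17\n"
    "Traffic blocked: yes\n"
    "Source IP address or host: 218.60.112.225",
    "Threat name....: C2/Generic-A\n"
    "Time...........: 2016-03-20 07:02:45\n"
    "Traffic blocked: yes\n"
    "Source IP address or host: 192.168.1.57",
]

# Assumed LAN ranges (RFC 1918 defaults); adjust to the networks behind your UTM.
LAN_NETWORKS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches 'Key....: value' where the key is padded with dots up to the colon.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z /]+?)\.*:\s*(?P<value>.+)$", re.MULTILINE)


def parse_alert(body):
    """Turn the alert's dotted key/value lines into a dict."""
    return {m.group("key").strip(): m.group("value").strip()
            for m in FIELD_RE.finditer(body)}


def classify_source(ip_text, lan_networks=LAN_NETWORKS):
    """'internal' if the IP is in a LAN range, 'external' otherwise, 'not-an-ip' for hostnames."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "not-an-ip"
    return "internal" if any(ip in net for net in lan_networks) else "external"


def triage(body, lan_networks=LAN_NETWORKS):
    """Parse one alert and attach a verdict plus a next-step hint for the admin."""
    fields = parse_alert(body)
    verdict = classify_source(fields.get("Source IP address or host", ""), lan_networks)
    hints = {
        "internal": "Investigate this host; the UTM attributed the request to a LAN client.",
        "external": "Source is outside the LAN: verify clients send DNS to the UTM first "
                    "and that DNS request routing to AD is configured.",
        "not-an-ip": "Resolve the hostname against the UTM's DNS before classifying.",
    }
    return {"threat": fields.get("Threat name"), "source": fields.get("Source IP address or host"),
            "verdict": verdict, "hint": hints[verdict]}
```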

  • Sadly this wasn't an internal issue, this was a potential attack (unconfirmed if DNS reflect or otherwise) that seemed to come from China.

    This happened regardless whether it was the primary DNS or otherwise in investigations with others and customers.

    You aren't wrong however, best practice is to have DNS requests hit the UTM first and perform request routing :)

    Emile

  • I have never seen ATP alert externally unless there was a misconfiguration...interesting. IPS is usually the one to alert to an external threat..:)

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • ATP actually works both ways but it primarily only operates on In -> Out and generally IPS only works on Out -> In but this is one of the rare occasions where ATP picked up a malicious DNS request on externally blocked packets. It was a very odd thing to have happened!

    It is very weird!

    Emile

  • ATP was designed to scan only outbound traffic, as it was officially documented:
    "New in UTM version 9.2 Sophos has introduced Advanced Threat Protection (ATP) which monitors traffic leaving your network to detect compromised computers"

    FYI, this incident was reported as a BUG in the answer from Sophos support.

  • Aha, didn't see that, thanks for the information!

    A bug would make sense, different people say different things and I guess I heard wrong regarding ATP :)

    Cheers,

    Emile

  • In one of the previous posts I mentioned that I remember that question being included in my Sophos UTM Engineer online exam. They insisted on knowing that fact, so this incident was a complete surprise for all of us (and also for them, I guess...;).