
Advanced Threat Protection

Hello,

In the last couple of days I have started receiving emails from my Sophos UTM (firmware version 9.350-12):

A threat has been detected in your network. The source IP/host listed below was found to communicate with a potentially malicious site outside your company.

Details about the alert:

Threat name....: C2/Generic-A

Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx

Time...........: 2016-03-20 06:41:17

Traffic blocked: yes

Source IP address or host: 218.60.112.225

Every email includes a different IP address, but it is not in my LAN network. How can I find the problematic machine (IP) on my local network?
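The notification format quoted above is regular enough to triage in bulk. The following is an added example, not code from the original post or from Sophos: it parses the field lines of several ATP notification bodies, sorts each "Source IP address or host" into LAN IP, external IP, or an already-resolved hostname, and counts hits per source and threat name. The LAN ranges and the sample notification bodies are constructed for the example; only the first alert's values come from the post.

```python
"""Triage Sophos UTM ATP notification e-mails: which alerts actually name a LAN host?"""
import ipaddress
import re
from collections import Counter

# Assumption for this example: the site's LAN ranges (not stated in the post).
LOCAL_NETWORKS = [
    ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")
]

# Field lines look like "Threat name....: C2/Generic-A" (dot padding before the colon)
# or "Traffic blocked: yes" (no padding); the regex accepts both.
FIELD_RE = re.compile(
    r"^(Threat name|Time|Traffic blocked|Source IP address or host)\.*:\s*(.+?)\s*$",
    re.MULTILINE,
)

# Constructed sample notification bodies. The first mirrors the alert quoted in the post;
# the others are invented to show the LAN-IP and resolved-hostname cases.
SAMPLE_MAILS = [
    """A threat has been detected in your network.
Threat name....: C2/Generic-A
Time...........: 2016-03-20 06:41:17
Traffic blocked: yes
Source IP address or host: 218.60.112.225
""",
    """A threat has been detected in your network.
Threat name....: C2/Generic-A
Time...........: 2016-03-20 07:02:44
Traffic blocked: yes
Source IP address or host: 192.168.1.57
""",
    """A threat has been detected in your network.
Threat name....: C2/Generic-A
Time...........: 2016-03-20 07:15:09
Traffic blocked: yes
Source IP address or host: 192.168.1.57
""",
    """A threat has been detected in your network.
Threat name....: C2/Generic-A
Time...........: 2016-03-20 08:40:31
Traffic blocked: yes
Source IP address or host: pc-finance.corp.example
""",
]


def parse_alerts(mail_bodies):
    """Return one dict of fields per notification body; bodies without a source line are skipped."""
    alerts = []
    for body in mail_bodies:
        fields = {m.group(1): m.group(2) for m in FIELD_RE.finditer(body)}
        if "Source IP address or host" in fields:
            alerts.append(fields)
    return alerts


def classify_source(source):
    """'lan' for an IP inside LOCAL_NETWORKS, 'external' for any other IP,
    'hostname' when the UTM already resolved the source to a name."""
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        return "hostname"
    return "lan" if any(ip in net for net in LOCAL_NETWORKS) else "external"


def triage(mail_bodies):
    """Group alerts by source class and count hits per (source, threat name) pair."""
    summary = {"lan": Counter(), "external": Counter(), "hostname": Counter()}
    for alert in parse_alerts(mail_bodies):
        src = alert["Source IP address or host"]
        summary[classify_source(src)][(src, alert["Threat name"])] += 1
    return summary


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_MAILS).items():
        for (src, threat), n in hits.most_common():
            print(f"{kind:9} {src:28} {threat:14} x{n}")
```

The "lan" and "hostname" buckets are the ones worth chasing on the client; a source that lands in "external" is a non-LAN address and does not identify a workstation by itself, so it is the bucket to re-examine once you know where your clients actually send their DNS queries.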



  • Hi

    Starting today I have been getting exactly the same warnings. The source IP shown is also outside of my local network.

  • Part of it is the configuration of your DNS. In order for ATP to work correctly you need to have all DNS requests go to the firewall FIRST. If you are not using the firewall for DHCP, then set the primary DNS in DHCP to the firewall.

    If you are using AD then you also need to set up DNS request routing under DNS in WebAdmin so the firewall will route internal DNS requests to your AD server(s). Then you will get proper alerts for internal machines... :)

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG (Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • Sadly this wasn't an internal issue; this was a potential attack (unconfirmed whether DNS reflection or otherwise) that seemed to come from China.

    This happened regardless of whether it was the primary DNS or otherwise, in investigations with others and customers.

    You aren't wrong, however; best practice is to have DNS requests hit the UTM first and perform request routing :)

    Emile
