This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM9 Detect intrusion

Good morning
I have the following problem my two public IPs go to XBL(Spamhaus) blacklist, the error is as follows:

Technical details of the detection
This was detected by a tcp connection from "my public ip" on port 3795 going to IP address "target ip" (the "sinkhole") on port 80.

In my UTM Firewall how do I see the ip in the network making the request? What log should I check?

I tried checking the packet filter file but can't find a solution.
Thank you


This thread was automatically locked due to age.
  • Ciao Giovanni - Hi John - and welcome to the UTM Community!

    In 'Logging and Reporting >> Network Usage' on the 'Bandwidth Usage' tab, you can make selections to see which machine accessed the "target ip."

    any luck with that?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you
    I was able to see by adding in Attack Patterns the option "Add Extra warinings" and in the Intrusion Prevention System log I found the computer running the malware. Now I can't lock the ip with a firewall rule, Surfing Web service, destination Any , Action --> Reject.

    Thank you