
UTM9 Detect intrusion

Good morning
I have the following problem: my two public IPs have ended up on the XBL (Spamhaus) blacklist. The error is as follows:

Technical details of the detection
This was detected by a tcp connection from "my public ip" on port 3795 going to IP address "target ip" (the "sinkhole") on port 80.

In my UTM firewall, how do I see the IP on the network that is making the request? Which log should I check?

I tried checking the packet filter file but couldn't find a solution.
Thank you

John



This thread was automatically locked due to age.
  • Ciao Giovanni - Hi John - and welcome to the UTM Community!

    In 'Logging and Reporting >> Network Usage' on the 'Bandwidth Usage' tab, you can make selections to see which machine accessed the "target ip."

    Any luck with that?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
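The sinkhole report gives four facts to pivot on: the destination IP, destination port 80, the source port (3795) and the time. The UTM packet filter log records outbound connections with the pre-NAT internal source address, so those facts are enough to pick out the infected host, provided the outbound rule is logging. The script below is an added example, not code from this thread or from Sophos: it correlates a sinkhole report against log lines written in the key="value" style the UTM packetfilter.log uses. The sample lines, the hosts, the times and the rule IDs are constructed for the example. Masquerading normally preserves the original source port, so an exact match on srcport is attempted first; if the NAT rewrote the port, the script falls back to every internal host that hit the sinkhole address and port inside a time window around the report.

```python
"""Correlate a Spamhaus XBL/CBL sinkhole report with Sophos UTM packet filter log lines.

Added example, not from the forum thread or from Sophos. The log lines below are constructed
in the key="value" style of the UTM packetfilter.log (fields such as srcip, dstip, srcport,
dstport, proto, action); no line was taken from a real log and every address is a documentation
address.
"""
import re
from datetime import datetime, timedelta

# Constructed sample lines (hypothetical internal hosts, times and rule IDs).
SAMPLE_LOG = """\
2019:03:21-10:14:58 utm ulogd[2417]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" initf="eth0" outitf="eth1" srcip="192.168.10.23" dstip="203.0.113.9" proto="6" length="60" ttl="63" srcport="49712" dstport="443" tcpflags="SYN"
2019:03:21-10:15:01 utm ulogd[2417]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" initf="eth0" outitf="eth1" srcip="192.168.10.57" dstip="198.51.100.44" proto="6" length="60" ttl="63" srcport="3795" dstport="80" tcpflags="SYN"
2019:03:21-10:15:03 utm ulogd[2417]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" initf="eth0" outitf="eth1" srcip="192.168.10.88" dstip="198.51.100.44" proto="6" length="60" ttl="63" srcport="51230" dstport="80" tcpflags="SYN"
2019:03:21-10:40:19 utm ulogd[2417]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" initf="eth0" outitf="eth1" srcip="192.168.10.57" dstip="198.51.100.44" proto="6" length="60" ttl="63" srcport="3812" dstport="80" tcpflags="SYN"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
# UTM log lines start with a YYYY:MM:DD-HH:MM:SS timestamp.
TS_RE = re.compile(r'^(\d{4}):(\d{2}):(\d{2})-(\d{2}):(\d{2}):(\d{2})')


def parse_line(line):
    """Return the key="value" fields of one log line plus a parsed timestamp, or None."""
    m = TS_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line))
    fields["ts"] = datetime(*map(int, m.groups()))
    return fields


def find_internal_hosts(log_text, sinkhole_ip, sinkhole_port, src_port=None,
                        when=None, window=timedelta(minutes=30)):
    """Return the set of internal (pre-NAT) source IPs that opened TCP connections to
    sinkhole_ip:sinkhole_port.

    If src_port is given and a line matches it exactly, only those hosts are returned
    (the masquerade usually keeps the original source port). Otherwise every host that
    reached the sinkhole address and port is returned, restricted to 'window' around
    'when' if a report time is supplied, since the NAT may have rewritten the port.
    """
    exact, loose = set(), set()
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f.get("proto") != "6" or f.get("action") != "accept":
            continue
        if f.get("dstip") != sinkhole_ip or f.get("dstport") != str(sinkhole_port):
            continue
        if when is not None and abs(f["ts"] - when) > window:
            continue
        if src_port is not None and f.get("srcport") == str(src_port):
            exact.add(f["srcip"])
        loose.add(f["srcip"])
    return exact if exact else loose


if __name__ == "__main__":
    # Values from a sinkhole report would go here; these are the constructed ones.
    hosts = find_internal_hosts(SAMPLE_LOG, "198.51.100.44", 80, src_port=3795,
                                when=datetime(2019, 3, 21, 10, 15), window=timedelta(minutes=5))
    print("candidate infected host(s):", ", ".join(sorted(hosts)))
```

Two caveats for real use. The packet filter only records what the matching rule is set to log, so if the outbound "Web Surfing" rule has logging off there will be nothing to find, which is where the Network Usage report above comes in. And if HTTP is being proxied by the UTM web filter in transparent mode, the connection to the sinkhole is opened by the UTM itself and the client shows up in the web filter (http) log rather than in the packet filter log.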
  • Thank you
    I was able to see it by enabling the "Add extra warnings" option under Attack Patterns, and in the Intrusion Prevention System log I found the computer running the malware. Now I can't block the IP with a firewall rule: service Web Surfing, destination Any, action Reject.

    Thank you

    Giovanni