InvalidUrl - how to interpret report?

Hello,

In Sophos XG reports, there is a Web Category named "InvalidUrl" which cannot be used in web filtering policy. There's a big number of requests and bytes transferred.

One of the "URLs" is highlighted, it's just a very long string, the second one looks very similar. Port 17472 may be related to Tanium software, and by capturing packets I know there's indeed a communication to this port to my employer's IP. But this "URL" is a mystery, packet capture of DNS didn't catch it so far.

What has actually happened? How to interpret it?



  • FormerMember

    Hi,

    Thank you for reaching out to Sophos Community.

    Websites which don't have a valid URL format will be categorised as Invalid URL.

    Could you please try to do DNS lookup manually to one of these URLs? Export this report in csv to get the correct domain.

    Do you see any log event in awarrenhttp_access.log with this URL?

    It would be great if you can share csv here as well.

  • There isn't any additional information in the CSV export. The "domain" is exactly like on the screenshot, and of course is invalid. Nothing related to this "domain" string was found in awarrenhttp_access.log (proxy is not enabled, by the way) or in the firewall log files.

    As I mentioned, all logged traffic with destination port 17472 TCP is towards my employer's public IP, sometimes an intranet IP as well (unreachable, caught probably right after disconnecting VPN). The reverse lookup of IP suggests it's Tanium software.


    "1.dbfd129333e2c012ee0aed2d4a44e6cab85baada9c9ed72c29f347517783d7622b154d852bb7f9b111bedf72a95d4ecc8e86e424fa17703fc5181d7a998d1.78416c3cea3378c730f53d3d1ef0082500b11bb060b640b3ba8694844b86f023405a5df96f2c83ea3dd461f25674b0c9257a92c77c3df84b4ac19243554c8"
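
As an added illustration (not code from the thread or from Sophos), the check below applies the RFC 1035/1123 hostname rules (labels of 1 to 63 octets, letters, digits and hyphens only, no leading or trailing hyphen, 253 octets overall) to the string quoted above. Both long labels exceed the 63-octet limit, which no DNS query can encode, so the string could never have appeared in a DNS capture and is exactly the kind of value a category such as InvalidUrl collects; the `classify` label is this example's own, not the firewall's logic.

```python
import re
from typing import List

# One hostname label: 1-63 octets of letters, digits and hyphens,
# not starting or ending with a hyphen (RFC 1035 as relaxed by RFC 1123).
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_hostname(name: str) -> List[str]:
    """Return every rule the name breaks; an empty list means it is a valid hostname."""
    problems: List[str] = []
    if name.endswith("."):          # a trailing dot marks an absolute name and is allowed
        name = name[:-1]
    if not name:
        return ["empty name"]
    if len(name) > 253:
        problems.append(f"total length {len(name)} exceeds 253 octets")
    for i, label in enumerate(name.split(".")):
        if not label:
            problems.append(f"label {i} is empty")
        elif len(label) > 63:
            # The DNS wire format stores the label length in 6 bits, so
            # anything longer cannot even be placed in a query.
            problems.append(f"label {i} is {len(label)} octets (max 63)")
        elif not _LABEL_RE.match(label):
            problems.append(f"label {i} has characters not allowed in a hostname: {label!r}")
    return problems


def classify(name: str) -> str:
    """Hypothetical category label mirroring the report: 'ok' or 'InvalidUrl'."""
    return "ok" if not check_hostname(name) else "InvalidUrl"


# The "domain" string quoted in the post above, split only for line length.
REPORTED = (
    "1."
    "dbfd129333e2c012ee0aed2d4a44e6cab85baada9c9ed72c29f347517783d7622b154d852bb7f9b111bedf72a95d4ecc8e86e424fa17703fc5181d7a998d1."
    "78416c3cea3378c730f53d3d1ef0082500b11bb060b640b3ba8694844b86f023405a5df96f2c83ea3dd461f25674b0c9257a92c77c3df84b4ac19243554c8"
)

if __name__ == "__main__":
    for candidate in (REPORTED, "www.sophos.com", "-bad.example"):
        print(classify(candidate), candidate[:40], check_hostname(candidate))
```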
