
application filter events

Hey,

since we installed Sophos XG we are getting loads of app filter events regarding the GaduGadu Messenger application. What is strange is that this traffic is coming from almost all users, and it's like 100-1000 events per few minutes. Of course nobody is actually using such an application.

Has anyone come across this? Is it just a false positive alarm or should we investigate further? Thanks

anonymized event:

  • messageid="17051"
  • log_type="Content Filtering"
  • log_component="Application"
  • log_subtype="Denied"
  • fw_rule_id="40"
  • fw_rule_name="LAN to WAN"
  • fw_rule_section="Local rule"
  • user="xxxxxx@xxx.xx"
  • user_group="Open Group"
  • appfilter_policy_id="8"
  • category="Instant Messenger"
  • app_name="GaduGadu Messenger"
  • app_risk="4"
  • app_technology="Client Server"
  • app_category="Instant Messenger"
  • src_ip="xxx.xxx.xxx.xxx"
  • src_country="R1"
  • dst_ip="141.95.47.55"
  • dst_country="FRA"
  • protocol="TCP"
  • src_port="49598"
  • dst_port="443"
  • bytes_sent="0"
  • bytes_received="0"
  • status=""
  • message=""
  • appresolvedby="Signature"


  • Hello,

    Thank you for reaching out to the community. GaduGadu is an instant messenger application which falls under the Instant Messenger category, and its risk level is 4:
    KBA - Sophos Firewall: How to prioritize the traffic via SD-WAN for the applications

    So, under rule no. 40, if you have applied the following application filter:

    And you have the logged firewall rule option ticked and, under System services > Log settings > Content filtering, the Application filter options enabled:

    then you'll see the events generated under the log viewer and the action is denied. So this is genuine and fine if you want the application to be blocked in your organization!

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 
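
One way to triage a burst like the one in the question is to group the denied Application events by application and destination, then count distinct users and zero-byte flows per group. This is an added example, not part of the original thread or Sophos code; it assumes the log is exported as one event per line in the `key="value"` form shown in the question, and every sample line except the field names and the destination `141.95.47.55` is constructed.

```python
import re
from collections import defaultdict

# Matches key="value" pairs in the form shown in the anonymized event.
PAIR = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line):
    """Turn one exported log line into a dict of its key="value" fields."""
    return dict(PAIR.findall(line))

def summarize_denied(lines):
    """Group denied Application events by (app_name, dst_ip, dst_port).

    Returns rows of (key, event_count, distinct_users, zero_byte_events),
    sorted with the busiest group first.
    """
    groups = defaultdict(lambda: {"events": 0, "users": set(), "zero": 0})
    for line in lines:
        ev = parse_event(line)
        if ev.get("log_component") != "Application":
            continue
        if ev.get("log_subtype") != "Denied":
            continue
        key = (ev.get("app_name", ""), ev.get("dst_ip", ""), ev.get("dst_port", ""))
        g = groups[key]
        g["events"] += 1
        g["users"].add(ev.get("user", ""))
        # Flows blocked before any payload moved in either direction.
        if ev.get("bytes_sent") == "0" and ev.get("bytes_received") == "0":
            g["zero"] += 1
    rows = [(k, g["events"], len(g["users"]), g["zero"]) for k, g in groups.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample lines (not real logs); users and ExampleApp are made up.
_GG = ('log_component="Application" log_subtype="Denied" user="{u}" '
       'app_name="GaduGadu Messenger" dst_ip="141.95.47.55" dst_port="443" '
       'bytes_sent="0" bytes_received="0"')
SAMPLE = [_GG.format(u=u) for u in ("alice@example.test", "bob@example.test",
                                    "carol@example.test")] + [
    'log_component="Application" log_subtype="Denied" user="bob@example.test" '
    'app_name="ExampleApp" dst_ip="203.0.113.10" dst_port="8080" '
    'bytes_sent="120" bytes_received="0"',
    'log_component="Firewall" log_subtype="Allowed" user="alice@example.test" '
    'dst_ip="203.0.113.20" dst_port="443" bytes_sent="900" bytes_received="4000"',
]

if __name__ == "__main__":
    for key, events, users, zero in summarize_denied(SAMPLE):
        print(key, "events:", events, "users:", users, "zero-byte:", zero)
```

A group with many distinct users and a single destination is the row to look up first when deciding whether the hits share one cause.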

