
First ATP Reported

I noticed yesterday that our firewall had reported this anomaly coming from our mail server. The destination IP is simply an open DNS server I added to the DNS setting on the device, but this also occurs on the other entries as well. Why would it report this?

  • If the source IP is also serving DNS for your clients, you will need to enable logging of your DNS queries from your clients to determine which client(s) are making a request for a domain that is malicious. Hope this helps. -Ron
  • Rrosson,

    Is it malicious?  I can't find anything that describes what this is or why it's being classified as such.

    My Google fu isn't turning up anything other than this thread unfortunately.

    Thanks,

    John

  • John, you have to be able to determine what domain lookup is being requested by your client(s). Once you know the domain, you can look it up using IPVoid, VirusTotal, etc. to see the severity of what is malicious. The rule(s) on the XG that fire based on DNS traffic like this are to let you know that something on your network (in this case, since it is your DNS server) is requesting a domain that matches this signature.

    There is just not enough logging detail in the XG (not its fault) when this fires and you have to look at the DNS server itself to determine what client(s) and what domain(s) are causing this rule to trigger.

    Hope this helps. Merry Christmas & Happy New year.

    -Ron
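The step Ron describes, finding which internal client asked the DNS server for the flagged domain once query logging is on, is the part the XG event cannot show. The script below is an added example (not from this thread, not Sophos code) that parses a handful of constructed query-log lines in BIND 9 query-log style and groups hits for a flagged domain and its subdomains by client IP. The log layout, the regex, the domain `flagged-example.test` and all IPs are assumptions for illustration; a Windows DNS debug log or another resolver's log would need a different pattern.

```python
import re
from collections import defaultdict

# Constructed sample lines in BIND 9 query-log style (not taken from the thread).
SAMPLE_QUERY_LOG = """\
26-Dec-2019 09:14:02.118 client 10.10.1.25#51234: query: mail.example.net IN MX + (10.10.1.10)
26-Dec-2019 09:14:05.402 client 10.10.1.40#60012: query: update.flagged-example.test IN A + (10.10.1.10)
26-Dec-2019 09:14:05.419 client 10.10.1.40#60013: query: update.flagged-example.test IN AAAA + (10.10.1.10)
26-Dec-2019 09:15:11.003 client 10.10.1.25#51240: query: www.example.org IN A + (10.10.1.10)
26-Dec-2019 09:16:47.771 client 10.10.1.77#43321: query: flagged-example.test IN A + (10.10.1.10)
26-Dec-2019 09:17:02.004 client 10.10.1.40#60020: query: cdn.example.com IN A + (10.10.1.10)
"""

# Assumed line layout: "<date> <time> client [@0x..] <ip>#<port> [(name)]: query: <name> IN <type> ..."
# The optional "@0x..." handle and "(name)" field appear in newer BIND releases.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Yield (timestamp, client_ip, qname, qtype) for every line the regex understands."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            # Normalise the name so trailing dots and case do not hide a match.
            yield m.group("ts"), m.group("client"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def domain_matches(qname, flagged):
    """True if qname is the flagged domain itself or a subdomain of it (label-aligned)."""
    flagged = flagged.rstrip(".").lower()
    return qname == flagged or qname.endswith("." + flagged)


def clients_for_domain(text, flagged):
    """Map client IP -> list of (timestamp, qname, qtype) for queries that hit the flagged domain."""
    hits = defaultdict(list)
    for ts, client, qname, qtype in parse_query_log(text):
        if domain_matches(qname, flagged):
            hits[client].append((ts, qname, qtype))
    return dict(hits)


if __name__ == "__main__":
    for client, events in sorted(clients_for_domain(SAMPLE_QUERY_LOG, "flagged-example.test").items()):
        print(client)
        for ts, qname, qtype in events:
            print(f"  {ts}  {qname}  {qtype}")
```

Matching is label-aligned on purpose: `notflagged-example.test` does not match `flagged-example.test`, only the exact name and names under it do. Once a client IP is identified, the same domain is what you would submit to IPVoid or VirusTotal, as Ron suggests.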

  • Thanks Ron.   Appreciate the insight.

    The URL in the ATP reports is .

    This is what is coming back clean via some online lookups, so unsure if the clean reports are legit or the ATP reports.  I think it was something bad in the signature, but no proof as of yet.

    Merry Christmas and Happy New Year to you as well.

    Cheers,

    John
