[7.920][QUESTION][ANSWERED] Unusual Packet Filter Log Entries Outbound

All-

While reviewing the packet filter logs I noticed some unusual entries. I have China blocked. However, it appears that Astaro is attempting to make a connection in China seeking GeoIP information. So the question comes: why would the UTM do this? I am on version 7.920, loaded from the latest ISO. This activity has been going on for several hours. Has anyone got any ideas? Here are the log entries:

2010:06:07-17:24:26 OASIS ulogd[4501]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="60019" outitf="eth0" srcmac="0:24:7e:0:c1:82" srcip="173.49.99.146" dstip="121.12.116.58" proto="17" length="70" tos="0x00" prec="0x00" ttl="64" srcport="36241" dstport="53" info="GEOIP: "
2010:06:07-17:24:26 OASIS ulogd[4501]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="60019" outitf="eth0" srcmac="0:24:7e:0:c1:82" srcip="173.49.99.146" dstip="60.210.98.139" proto="17" length="70" tos="0x00" prec="0x00" ttl="64" srcport="57112" dstport="53" info="GEOIP: "
2010:06:07-17:24:26 OASIS ulogd[4501]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="60019" outitf="eth0" srcmac="0:24:7e:0:c1:82" srcip="173.49.99.146" dstip="121.14.220.190" proto="17" length="70" tos="0x00" prec="0x00" ttl="64" srcport="2905" dstport="53" info="GEOIP: "
2010:06:07-17:24:26 OASIS ulogd[4501]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="60019" outitf="eth0" srcmac="0:24:7e:0:c1:82" srcip="173.49.99.146" dstip="119.147.245.50" proto="17" length="70" tos="0x00" prec="0x00" ttl="64" srcport="16833" dstport="53" info="GEOIP: "
2010:06:07-17:24:26 OASIS ulogd[4501]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="60019" outitf="eth0" srcmac="0:24:7e:0:c1:82" srcip="173.49.99.146" dstip="222.173.227.78" proto="17" length="70" tos="0x00" prec="0x00" ttl="64" srcport="17258" dstport="53" info="GEOIP: "
2010:06:07-17:24:26 OASIS ulogd[4501]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="60019" outitf="eth0" srcmac="0:24:7e:0:c1:82" srcip="173.49.99.146" dstip="222.173.227.82" proto="17" length="70" tos="0x00" prec="0x00" ttl="64" srcport="12408" dstport="53" info="GEOIP: "

Thanks,
Jim
  • Billybob,

    Thanks. While the activity may seem harmless, I am concerned that it would perform this functionality to begin with. This just started today around 12:30pm Eastern time and has occurred every 15 minutes. I am not using any mail services, and none of the devices on the internal network are sending any outbound information to China. So it comes down to Astaro doing so. So needless to say, I am suspicious of this activity. Thanks for responding back to me!

    Regards,
    Jim
  • ... and none of the devices on the internal network are sending any outbound information to China. So it comes down to Astaro doing so.


    Before assuming that this kind of traffic isn't originating from your network, you should verify this, maybe by running a tcpdump on the LAN interface.
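As a triage aid for the entries Jim posted and for the verification step suggested in the reply above, the script below is an added example (not code from the thread, nor from Astaro/Sophos). It parses the UTM's key="value" packet-filter lines, groups them by flow, flags which ones carry the "GEOIP" tag, and builds the tcpdump filter expression one would run on the LAN interface to check whether any internal host is actually sending this traffic. It assumes that 173.49.99.146, the srcip in every posted line, is the UTM's own external (eth0) address; the "gateway vs. forwarded" classification is the example's own heuristic, not something the thread establishes.

```python
"""Triage helper for Astaro/Sophos UTM ulogd packet-filter log lines (added example)."""
import re

# Constructed sample input: the six entries quoted in the original post, verbatim.
SAMPLE_LOG = """\
2010:06:07-17:24:26 OASIS ulogd[4501]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="60019" outitf="eth0" srcmac="0:24:7e:0:c1:82" srcip="173.49.99.146" dstip="121.12.116.58" proto="17" length="70" tos="0x00" prec="0x00" ttl="64" srcport="36241" dstport="53" info="GEOIP: "
2010:06:07-17:24:26 OASIS ulogd[4501]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="60019" outitf="eth0" srcmac="0:24:7e:0:c1:82" srcip="173.49.99.146" dstip="60.210.98.139" proto="17" length="70" tos="0x00" prec="0x00" ttl="64" srcport="57112" dstport="53" info="GEOIP: "
2010:06:07-17:24:26 OASIS ulogd[4501]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="60019" outitf="eth0" srcmac="0:24:7e:0:c1:82" srcip="173.49.99.146" dstip="121.14.220.190" proto="17" length="70" tos="0x00" prec="0x00" ttl="64" srcport="2905" dstport="53" info="GEOIP: "
2010:06:07-17:24:26 OASIS ulogd[4501]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="60019" outitf="eth0" srcmac="0:24:7e:0:c1:82" srcip="173.49.99.146" dstip="119.147.245.50" proto="17" length="70" tos="0x00" prec="0x00" ttl="64" srcport="16833" dstport="53" info="GEOIP: "
2010:06:07-17:24:26 OASIS ulogd[4501]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="60019" outitf="eth0" srcmac="0:24:7e:0:c1:82" srcip="173.49.99.146" dstip="222.173.227.78" proto="17" length="70" tos="0x00" prec="0x00" ttl="64" srcport="17258" dstport="53" info="GEOIP: "
2010:06:07-17:24:26 OASIS ulogd[4501]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="60019" outitf="eth0" srcmac="0:24:7e:0:c1:82" srcip="173.49.99.146" dstip="222.173.227.82" proto="17" length="70" tos="0x00" prec="0x00" ttl="64" srcport="12408" dstport="53" info="GEOIP: "
"""

# Assumption: the srcip shared by every posted entry is the UTM's external address.
GATEWAY_IP = "173.49.99.146"

# "<timestamp> <host> <process>[<pid>]: <key="value" fields...>"
HEADER_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+)\[(?P<pid>\d+)\]: (?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}


def parse_entry(line):
    """Parse one ulogd line into a dict of header fields plus every key="value" pair."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None  # not a packet-filter line; skip it
    entry = {"ts": m.group("ts"), "host": m.group("host"), "pid": int(m.group("pid"))}
    entry.update(FIELD_RE.findall(m.group("rest")))  # values keep spaces, e.g. 'GEOIP: '
    return entry


def parse_log(text):
    """Parse a block of log text, dropping lines that do not match the format."""
    return [e for e in (parse_entry(line) for line in text.splitlines()) if e]


def summarize(entries, gateway_ip=GATEWAY_IP):
    """Group packets by (srcip, dstip, proto, dstport); record rules, info tags and likely origin."""
    summary = {}
    for e in entries:
        key = (e["srcip"], e["dstip"], PROTO_NAMES.get(e["proto"], e["proto"]), e["dstport"])
        rec = summary.setdefault(key, {"count": 0, "rules": set(), "tags": set(), "origin": None})
        rec["count"] += 1
        rec["rules"].add(e.get("fwrule", "?"))
        tag = e.get("info", "").strip().rstrip(":")  # 'GEOIP: ' -> 'GEOIP'
        if tag:
            rec["tags"].add(tag)
        # Heuristic (this example's assumption): the packet filter logs before
        # source NAT, so a srcip equal to the gateway's external address points at
        # traffic the UTM generated itself, whereas a forwarded LAN packet would
        # still carry the internal host's own address.
        rec["origin"] = "gateway" if e["srcip"] == gateway_ip else "forwarded"
    return summary


def tcpdump_filter(summary, proto="udp", dstport="53"):
    """Build the BPF expression for checking the LAN interface for the same destinations."""
    hosts = sorted({dst for (_, dst, p, port) in summary if p == proto and port == dstport})
    if not hosts:
        return None
    host_expr = " or ".join(f"dst host {h}" for h in hosts)
    return f"{proto} and dst port {dstport} and ({host_expr})"


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for (src, dst, proto, port), rec in sorted(summary.items()):
        print(f"{src} -> {dst} {proto}/{port}: {rec['count']} pkt(s), "
              f"rule {','.join(sorted(rec['rules']))}, tags {','.join(sorted(rec['tags'])) or '-'}, "
              f"origin {rec['origin']}")
    # <lan-if> is a placeholder for the UTM's internal interface name.
    print("verify on the LAN side with: tcpdump -ni <lan-if> '" + tcpdump_filter(summary) + "'")
```

If the tcpdump capture on the internal interface stays empty while the packet filter keeps logging these UDP/53 packets from the external address every 15 minutes, that supports the reading that the UTM itself is the sender; if an internal host shows up in the capture, the summary's "forwarded" classification and the srcip field will point at it.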