[7.920][QUESTION][ANSWERED] Unusual Packet Filter Log Entries Outbound

All-

While reviewing the packet filter logs I notice some unusual entries. I have China blocked. However, it appears that Astaro is attempting to make a connection in China seeking GEO IP information. So the question comes: why would the UTM do this? I am on version 7.920 loaded from the latest ISO. This activity has been going on for several hours. Has anyone got any ideas? Here are the log entries:

2010:06:07-17:24:26 OASIS ulogd[4501]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="60019" outitf="eth0" srcmac="0:24:7e:0:c1:82" srcip="173.49.99.146" dstip="121.12.116.58" proto="17" length="70" tos="0x00" prec="0x00" ttl="64" srcport="36241" dstport="53" info="GEOIP: "
2010:06:07-17:24:26 OASIS ulogd[4501]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="60019" outitf="eth0" srcmac="0:24:7e:0:c1:82" srcip="173.49.99.146" dstip="60.210.98.139" proto="17" length="70" tos="0x00" prec="0x00" ttl="64" srcport="57112" dstport="53" info="GEOIP: "
2010:06:07-17:24:26 OASIS ulogd[4501]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="60019" outitf="eth0" srcmac="0:24:7e:0:c1:82" srcip="173.49.99.146" dstip="121.14.220.190" proto="17" length="70" tos="0x00" prec="0x00" ttl="64" srcport="2905" dstport="53" info="GEOIP: "
2010:06:07-17:24:26 OASIS ulogd[4501]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="60019" outitf="eth0" srcmac="0:24:7e:0:c1:82" srcip="173.49.99.146" dstip="119.147.245.50" proto="17" length="70" tos="0x00" prec="0x00" ttl="64" srcport="16833" dstport="53" info="GEOIP: "
2010:06:07-17:24:26 OASIS ulogd[4501]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="60019" outitf="eth0" srcmac="0:24:7e:0:c1:82" srcip="173.49.99.146" dstip="222.173.227.78" proto="17" length="70" tos="0x00" prec="0x00" ttl="64" srcport="17258" dstport="53" info="GEOIP: "
2010:06:07-17:24:26 OASIS ulogd[4501]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="60019" outitf="eth0" srcmac="0:24:7e:0:c1:82" srcip="173.49.99.146" dstip="222.173.227.82" proto="17" length="70" tos="0x00" prec="0x00" ttl="64" srcport="12408" dstport="53" info="GEOIP: "

Thanks,
Jim
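A small parser for this ulogd packetfilter log format, added here as an example (it is not code from the post or from Sophos): it splits the key="value" fields, keeping values that contain spaces such as info="GEOIP: ", and then counts logged outbound UDP/53 packets per destination that is not one of the resolvers the UTM is configured to use. The sample lines are constructed from the post's format, and 192.0.2.53 is a documentation address standing in for the configured forwarder.

```python
import re
from collections import Counter

# Constructed sample input. The first two lines reuse the format and values quoted in
# the post; the last two are made up (192.0.2.53 stands in for the UTM's configured
# forwarder, 198.51.100.7 is a non-DNS flow) to show benign traffic is left alone.
SAMPLE_LOG = """\
2010:06:07-17:24:26 OASIS ulogd[4501]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="60019" outitf="eth0" srcmac="0:24:7e:0:c1:82" srcip="173.49.99.146" dstip="121.12.116.58" proto="17" length="70" tos="0x00" prec="0x00" ttl="64" srcport="36241" dstport="53" info="GEOIP: "
2010:06:07-17:24:26 OASIS ulogd[4501]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="60019" outitf="eth0" srcmac="0:24:7e:0:c1:82" srcip="173.49.99.146" dstip="60.210.98.139" proto="17" length="70" tos="0x00" prec="0x00" ttl="64" srcport="57112" dstport="53" info="GEOIP: "
2010:06:07-17:24:27 OASIS ulogd[4501]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="60019" outitf="eth0" srcmac="0:24:7e:0:c1:82" srcip="173.49.99.146" dstip="192.0.2.53" proto="17" length="70" tos="0x00" prec="0x00" ttl="64" srcport="40100" dstport="53" info=""
2010:06:07-17:24:27 OASIS ulogd[4501]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="60019" outitf="eth0" srcmac="0:24:7e:0:c1:82" srcip="173.49.99.146" dstip="198.51.100.7" proto="6" length="60" tos="0x00" prec="0x00" ttl="64" srcport="40101" dstport="443" info=""
"""

# "<timestamp> <host> <process[pid]>: key="value" key="value" ..."
HEADER_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+): (?P<body>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')  # values may contain spaces or be empty


def parse_line(line):
    """Return the ulogd fields of one line as a dict, or None if it is not a ulogd entry."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group('body')))
    fields['timestamp'] = m.group('ts')
    fields['host'] = m.group('host')
    return fields


def outbound_dns_offenders(log_text, allowed_resolvers):
    """Count logged outbound UDP/53 packets per destination that is not an allowed resolver."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f.get('proto') != '17' or f.get('dstport') != '53':
            continue  # not a UDP DNS packet
        if f.get('dstip') in allowed_resolvers:
            continue  # the forwarder we expect the UTM to talk to
        counts[f['dstip']] += 1
    return counts


if __name__ == '__main__':
    for ip, n in outbound_dns_offenders(SAMPLE_LOG, {'192.0.2.53'}).most_common():
        print(f'{ip}: {n} logged UDP/53 packet(s) to a resolver that is not configured')
```

Point it at the real packetfilter log and the configured forwarders, and any destination it lists is a resolver the box reached for on its own, which is the behaviour the post is asking about.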
  • Hi Kbr,

    No, not on the ASG. From the ASG I guess I could have used the traffic monitor. However, that is the MAC of the WAN interface (eth0). You can configure Wireshark for promiscuous mode, which is what I did. So not seeing the traffic on the LAN was surprising. I re-enabled the country blocking when I arrived home from work today. So let's see what happens. Either way, something is very strange.

    Regards,
    Jim