Astaro.org (Read-Only)

UTM 9.2 Beta [9.165][BUG] ATP Warning

[9.165][BUG] ATP Warning

MarkMurphy over 11 years ago

How is this possible? this is an outside address that the firewall is reporting as internal and blocked? I use NAT and 192.168.1.0 subnet ID internal

Details about the alert:
Threat name....: C2/Generic-A
Details........: C2/Generic-A - Viruses and Spyware - Threat Analysis - Threat Center - Antivirus, Endpoint, UTM, Mobile, Email, Server, Disk Encryption, and Web Security | Sophos
Time...........: 2013-11-11 03:52:34
Traffic blocked: yes
Internal source IP address or host: 88.81.102.210

Parents

0 Tinkerbell over 11 years ago

Hi,

The threat probably comes from IPS. If you check the snort mappings in /etc/snort/snortc2_mapping.ph there are also threats with C2/Generic-A. In next release 9.170, in case of atp events from snort, the SID will be appended to the threat name in the notification email.

The key word "Internal" is definitely wrong since the threat comes from an external source. Will open a ticket for that.

Thanks,
Bianca
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Tinkerbell over 11 years ago

Hi,

The threat probably comes from IPS. If you check the snort mappings in /etc/snort/snortc2_mapping.ph there are also threats with C2/Generic-A. In next release 9.170, in case of atp events from snort, the SID will be appended to the threat name in the notification email.

The key word "Internal" is definitely wrong since the threat comes from an external source. Will open a ticket for that.

Thanks,
Bianca
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

No Data

Share Feedback

×

Submitted a Tech Support Case lately from the Support Portal?