Hi,
I just moved my IDS before my Astaro device, so I can get the same traffic as the Astaro WAN. When I checked the snort log, I suddenly found that my Astaro device keeps connecting to one IP address, 69.12.23.234, port 80, and this IP address belongs to Astaro, Dallas, Texas.
Here is an example:
Feb 7 08:53:11 aludra snort[3616]: [ID 702911 auth.alert] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING[Priority: 3]: {TCP} 192.168.0.10:34667 -> 69.12.23.234:80
Feb 7 08:53:11 aludra snort[3616]: [ID 702911 auth.alert] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING[Priority: 3]: {TCP} 192.168.0.10:34668 -> 69.12.23.234:80
It's connecting to port 80, which is supposed to be a web site, so I tried to see what that web site is, but it's totally empty!
My question: why does my Astaro device keep connecting to this site? I turned off all my servers/PCs and let it run alone all night. This morning I checked it again, and it's trying to connect often (but not like a cron job with a fixed period).
Thanks,
Hsinan
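An added example, not part of the original post: a small Python parser for Snort alert lines in the syslog format quoted above. It groups alerts by source, destination and port, then measures the gaps between connection bursts to show whether the traffic follows a fixed period. The function name, the sample times after the first two lines, the assumed year and the 0.1 variation threshold are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Matches syslog-wrapped Snort alerts in the format shown in the post.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+snort\[\d+\]:.*?"
    r"\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s*\[Priority:\s*(?P<prio>\d+)\]:\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

_T = ("Feb 7 {t} aludra snort[3616]: [ID 702911 auth.alert] [119:4:1] (http_inspect) "
      "BARE BYTE UNICODE ENCODING[Priority: 3]: {{TCP}} 192.168.0.10:{p} -> 69.12.23.234:80")
# The first two entries reproduce the lines in the post; the rest are constructed.
SAMPLE = [_T.format(t=t, p=p) for t, p in [
    ("08:53:11", 34667), ("08:53:11", 34668),
    ("09:10:42", 34702), ("09:14:05", 34710), ("10:31:27", 34755),
]]

def summarize(lines, year=2000, cv_threshold=0.1):
    """Group alerts per (src, dst, dport) and test the gaps for a fixed period.

    Syslog timestamps carry no year, so `year` is an assumed value used only
    to compute time differences.
    """
    flows = defaultdict(list)
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # not a Snort alert in this format
        stamp = " ".join(m["ts"].split())
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        flows[(m["src"], m["dst"], int(m["dport"]))].append(ts)
    report = {}
    for key, stamps in flows.items():
        bursts = sorted(set(stamps))  # alerts in the same second count as one burst
        gaps = [int((b - a).total_seconds()) for a, b in zip(bursts, bursts[1:])]
        # Coefficient of variation: near 0 means a timer, large means irregular.
        cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 else None
        report[key] = {"alerts": len(stamps), "bursts": len(bursts), "gaps": gaps,
                       "periodic": cv is not None and cv <= cv_threshold}
    return report

if __name__ == "__main__":
    for key, info in summarize(SAMPLE).items():
        print(key, info)
```

Run over a full night of alerts, the per-destination gap list makes it easy to tell a scheduled job from activity triggered by other events on the device.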