This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ATP False alerts about C&C pointed to internal DNS

Hello,

my UTM ATP shows me alerts about host trying connect to C&C. The problem is that ATP shows that it is my internal DNS server (which is for 100% clear - fresh installation) , so i am not able to recognize which host in fact is asking my DNS server about that malicious site. In Barracuda they have software installed directly on internal dns and communicate with Firewall, so there is full info about what IP is in fact asking about it. Maybe You shoud try to make similar soft to sophos.

This thread was automatically locked due to age.

Parents

BAlfson over 8 years ago

Hi, Krzysztof, and welcome to the UTM Community!

Since you didn't show us the alert message, I'll guess that some PC in your organization requested name resolution from your server and that your server then requested name resolution through the UTM. The UTM can't see that the original request came from another device in your organization.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
krzysztof turkiewicz over 8 years ago in reply to BAlfson

Yes, you are right, this is the situation - one of my host ask my internal dns about suspicious address and than dns is asking through my UTM. ( that is why UTM has no idea about client). This is very common situation in every company. My post was only suggestion for you to consider to write special software installed on DNS (windows AD). This software communicate with UTM and give it all info about clients dns queries. Its simple program but can change a lot because UTM would then inform me who is REALLY asking dns about suspicoius website.
Cancel
Vote Up 0 Vote Down

Cancel
Alexander Busch over 8 years ago in reply to krzysztof turkiewicz

Dear Krzysztof,

nice feature request (try to post it here http://ideas.sophos.com/forums/17359-utm-formerly-asg-feature-requests ). As a kind of 'workaround' use the UTM as first DNS for your internal clients. Then you'll get the correct IP in first attempt without looking at the internal AD-DNS. This works very well.

Best regards,

Alex

-
Cancel
Vote Up 0 Vote Down

Cancel
krzysztof turkiewicz over 8 years ago in reply to Alexander Busch

Hello, unfortunatelly i cannot change DNS to UTM because i run Windows Active Directory in my company and it demands to be DNS for all connected client workstation.
Cancel
Vote Up 0 Vote Down

Cancel
Alexander Busch over 8 years ago in reply to krzysztof turkiewicz

In the company I work for we use Windows AD too. But this works very well. So maybe I miss the point why this should not work for you too?

-
Cancel
Vote Up 0 Vote Down

Cancel
BAlfson over 8 years ago in reply to Alexander Busch

Your way works, too, Alexander, but I was convinced years ago to leave that approach behind in favor of DNS best practice.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
BAlfson over 8 years ago in reply to krzysztof turkiewicz

As Alexander says, Krzysztof, the right place to make a suggestion to Sophos is Ideas.

Like me, almost everyone here does not work for Sophos.

My other clients in the same situation go directly to the log in their Windows server to see which device caused the alert.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Reply

BAlfson over 8 years ago in reply to krzysztof turkiewicz

As Alexander says, Krzysztof, the right place to make a suggestion to Sophos is Ideas.

Like me, almost everyone here does not work for Sophos.

My other clients in the same situation go directly to the log in their Windows server to see which device caused the alert.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data