Hello,
I'm getting this alert from the UTM 9 firewall:
Advanced Threat Protection
A threat has been detected in your network The source IP/host listed below was found to communicate with a potentially malicious site outside your company.
Details about the alert:
Threat name....: C2/Generic-A
Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx
Time...........: 2019-04-10 07:49:07
Traffic blocked: yes
Source IP address or host: 63.76.254.157
Here is the ATP Entry:
2019/04/aptp-2019-04-09.log.gz:2019:04:09-23:39:29 utmho ulogd[1022]: id="2022" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" action="drop" fwrule="63001" initf="eth4" threatname="C2/Generic-A" srcmac="00:10:36:00:59:09" dstmac="00:1a:8c:58:b0:74" srcip="63.76.254.157" dstip="93.174.93.73" proto="6" length="40" tos="0x00" prec="0x00" ttl="60" srcport="5060" dstport="59643" tcpflags="ACK RST"
I'm not sure what to make of it as neither IP address is a private address on the network and it was detected in eth4 which is the ISP.
The other information that is making me look at this more seriously is the dstip 93.174.93.73 has been banging against the firewall for about 30 days with no success.
I'm hoping someone can help me unravel what/why is going on.
This thread was automatically locked due to age.
