Strange Behaviour of UTM? At least in logs

Hello together,

Today I was experiencing strange behaviour in our network. I was flooded down and I'm not sure what is causing it.

We've basically a network of an SBS 2008 R2 with some computers behind a UTM 110 running the latest firmware. On SBS Sophos Endpoint Security 10.3 is running.

Prologue:
It first started with a botnet warning from UTM after activating Adv. Threat Protection:
SBS - C2/Generic-A - withtls.net - DNS
SBS - C2/Generic-A - [some-long-id].withtls.net - DNS

[some-long-id] was some hex-number with -digits. Basically it was something like this (see Network Details)

This happened 2 times. After activating DNS logging on SBS, a third blocked attempt was made to withtls.net and www.withtls.net. Logging showed that the DNS queries had come from SBS only, as the DNS log of SBS showed no other origin.

First strange thing was that Sophos Endpoint is not detecting anything, yet UTM is. The last few days there have been no other warnings.

Today:
Today, the internal network got flooded, and my question is whether this is related to a malfunction in the UTM or to a maybe undetected virus/trojan.

Firewall is blocking since a few days almost everything outgoing. Firewall is Whitelist only except for specific ports to known servers. Web Traffic is only allowed by Web Filter and DNS only over UTM (no extra firewall rules created). Ping, ICMP is disallowed from outside.
IPS is on, Adv. Threat Prot. is on.

First it starts with some DNS queries that are blocked. (I'm not sure if it's a legitimate program that wants to skip the DNS server of the SBS, which redirects to UTM first, or if it's the undetectable trojan.)
After that the network was down and the UTM log shows IP spoofing drops from UTM.
There have been reports that IP spoofing drops were caused by UTM in former times. Maybe I've done a misconfiguration by blocking too much. However, it may also be a not-detectable virus/trojan. Actually, I'm a bit confused.

2014:08:18-16:25:21 utm ulogd[3958]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="SBS-MAC" dstmac="UTM-MAC" srcip="SBS-IP" dstip="96.7.50.64" proto="17" length="106" tos="0x00" prec="0x00" ttl="127" srcport="49551" dstport="53" 
2014:08:18-16:25:21 utm ulogd[3958]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="SBS-MAC" dstmac="UTM-MAC" srcip="SBS-IP" dstip="193.108.91.114" proto="17" length="76" tos="0x00" prec="0x00" ttl="127" srcport="50839" dstport="53" 
2014:08:18-16:25:25 utm ulogd[3958]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="SBS-MAC" dstmac="UTM-MAC" srcip="SBS-IP" dstip="95.100.175.64" proto="17" length="106" tos="0x00" prec="0x00" ttl="127" srcport="50055" dstport="53" 
2014:08:18-16:25:25 utm ulogd[3958]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="SBS-MAC" dstmac="UTM-MAC" srcip="SBS-IP" dstip="95.100.175.64" proto="17" length="106" tos="0x00" prec="0x00" ttl="127" srcport="51648" dstport="53" 
2014:08:18-16:25:25 utm ulogd[3958]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="SBS-MAC" dstmac="UTM-MAC" srcip="SBS-IP" dstip="95.100.175.64" proto="17" length="106" tos="0x00" prec="0x00" ttl="127" srcport="49542" dstport="53" 
2014:08:18-16:25:25 utm ulogd[3958]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="SBS-MAC" dstmac="UTM-MAC" srcip="SBS-IP" dstip="193.108.91.38" proto="17" length="106" tos="0x00" prec="0x00" ttl="127" srcport="50564" dstport="53" 
2014:08:18-16:25:25 utm ulogd[3958]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="SBS-MAC" dstmac="UTM-MAC" srcip="SBS-IP" dstip="95.100.175.64" proto="17" length="106" tos="0x00" prec="0x00" ttl="127" srcport="49453" dstport="53" 
2014:08:18-16:25:25 utm ulogd[3958]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="SBS-MAC" dstmac="UTM-MAC" srcip="SBS-IP" dstip="95.100.175.64" proto="17" length="106" tos="0x00" prec="0x00" ttl="127" srcport="50896" dstport="53" 
2014:08:18-16:25:25 utm ulogd[3958]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="SBS-MAC" dstmac="UTM-MAC" srcip="SBS-IP" dstip="95.100.175.64" proto="17" length="106" tos="0x00" prec="0x00" ttl="127" srcport="51585" dstport="53" 
2014:08:18-16:25:25 utm ulogd[3958]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="SBS-MAC" dstmac="UTM-MAC" srcip="SBS-IP" dstip="95.100.175.64" proto="17" length="106" tos="0x00" prec="0x00" ttl="127" srcport="50661" dstport="53" 
2014:08:18-16:25:25 utm ulogd[3958]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="SBS-MAC" dstmac="UTM-MAC" srcip="SBS-IP" dstip="95.100.175.64" proto="17" length="106" tos="0x00" prec="0x00" ttl="127" srcport="49551" dstport="53" 
2014:08:18-16:25:25 utm ulogd[3958]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="SBS-MAC" dstmac="UTM-MAC" srcip="SBS-IP" dstip="95.100.175.64" proto="17" length="76" tos="0x00" prec="0x00" ttl="127" srcport="50839" dstport="53" 
2014:08:18-16:25:25 utm ulogd[3958]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="SBS-MAC" dstmac="UTM-MAC" srcip="SBS-IP" dstip="23.61.199.64" proto="17" length="76" tos="0x00" prec="0x00" ttl="127" srcport="49983" dstport="53" 
2014:08:18-16:25:38 utm ulogd[3958]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth0" srcmac="UTM-MAC" dstmac="UTM-MAC" srcip="UTM-IP" dstip="192.168.1.255" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="57157" dstport="137" 
2014:08:18-16:25:38 utm ulogd[3958]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth0" srcmac="UTM-MAC" dstmac="UTM-MAC" srcip="UTM-IP" dstip="192.168.1.255" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="57157" dstport="137" 
2014:08:18-16:25:38 utm ulogd[3958]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth0" srcmac="UTM-MAC" dstmac="UTM-MAC" srcip="UTM-IP" dstip="192.168.1.255" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="57157" dstport="137" 
2014:08:18-16:25:38 utm ulogd[3958]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth0" srcmac="UTM-MAC" dstmac="UTM-MAC" srcip="UTM-IP" dstip="192.168.1.255" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="57157" dstport="137" 
2014:08:18-16:25:38 utm ulogd[3958]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth0" srcmac="UTM-MAC" dstmac="UTM-MAC" srcip="UTM-IP" dstip="192.168.1.255" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="57157" dstport="137" 
2014:08:18-16:25:38 utm ulogd[3958]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth0" srcmac="UTM-MAC" dstmac="UTM-MAC" srcip="UTM-IP" dstip="192.168.1.255" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="57157" dstport="137" 
2014:08:18-16:25:38 utm ulogd[3958]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth0" srcmac="UTM-MAC" dstmac="UTM-MAC" srcip="UTM-IP" dstip="192.168.1.255" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="57157" dstport="137" 
2014:08:18-16:25:38 utm ulogd[3958]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth0" srcmac="UTM-MAC" dstmac="UTM-MAC" srcip="UTM-IP" dstip="192.168.1.255" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="57157" dstport="137" 
2014:08:18-16:25:38 utm ulogd[3958]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth0" srcmac="UTM-MAC" dstmac="UTM-MAC" srcip="UTM-IP" dstip="192.168.1.255" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="57157" dstport="137" 
2014:08:18-16:25:38 utm ulogd[3958]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth0" srcmac="UTM-MAC" dstmac="UTM-MAC" srcip="UTM-IP" dstip="192.168.1.255" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="57157" dstport="137" 
2014:08:18-16:25:38 utm ulogd[3958]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth0" srcmac="UTM-MAC" dstmac="UTM-MAC" srcip="UTM-IP" dstip="192.168.1.255" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="57157" dstport="137" 
2014:08:18-16:25:38 utm ulogd[3958]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth0" srcmac="UTM-MAC" dstmac="UTM-MAC" srcip="UTM-IP" dstip="192.168.1.255" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="57157" dstport="137"


Any ideas?
Thanks for your help.

Best regards,
Christian
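The log lines quoted above are key="value" records from the UTM's ulogd packetfilter. The following Python is an added example, not part of the original post or of the Sophos UTM: it parses such lines and sorts them into the two buckets the thread is about, direct DNS from an internal host to external resolvers (bypassing the UTM's DNS, worth investigating) and the UTM's own NetBIOS broadcasts to the subnet broadcast address that the packetfilter reports as "IP spoofing drop". The sample lines are constructed after the post's format, and the placeholder labels SBS-IP, SBS-MAC, UTM-IP and UTM-MAC are kept exactly as the poster wrote them; the rule that NetBIOS port 137 broadcasts from the UTM itself are benign is an assumption taken from the reply below, not something the log proves.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the ulogd packetfilter lines quoted in the post.
# SBS-IP / SBS-MAC / UTM-IP / UTM-MAC are the poster's placeholders, not real addresses.
SAMPLE_LOG = """\
2014:08:18-16:25:21 utm ulogd[3958]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="SBS-MAC" dstmac="UTM-MAC" srcip="SBS-IP" dstip="193.108.91.114" proto="17" length="76" tos="0x00" prec="0x00" ttl="127" srcport="50839" dstport="53"
2014:08:18-16:25:25 utm ulogd[3958]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="SBS-MAC" dstmac="UTM-MAC" srcip="SBS-IP" dstip="95.100.175.64" proto="17" length="106" tos="0x00" prec="0x00" ttl="127" srcport="50055" dstport="53"
2014:08:18-16:25:25 utm ulogd[3958]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="SBS-MAC" dstmac="UTM-MAC" srcip="SBS-IP" dstip="95.100.175.64" proto="17" length="106" tos="0x00" prec="0x00" ttl="127" srcport="51648" dstport="53"
2014:08:18-16:25:30 utm ulogd[3958]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="SBS-MAC" dstmac="UTM-MAC" srcip="SBS-IP" dstip="203.0.113.10" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="52000" dstport="443"
2014:08:18-16:25:38 utm ulogd[3958]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth0" srcmac="UTM-MAC" dstmac="UTM-MAC" srcip="UTM-IP" dstip="192.168.1.255" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="57157" dstport="137"
2014:08:18-16:25:38 utm ulogd[3958]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth0" srcmac="UTM-MAC" dstmac="UTM-MAC" srcip="UTM-IP" dstip="192.168.1.255" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="57157" dstport="137"
"""

# "2014:08:18-16:25:21 utm ulogd[3958]: " followed by key="value" pairs
HEAD_RE = re.compile(r'^(\S+) (\S+) (\S+?)\[(\d+)\]: ')
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Parse one ulogd packetfilter line into a dict, or return None if it does not match."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group(1), "host": m.group(2), "daemon": m.group(3), "pid": int(m.group(4))}
    rec.update(dict(KV_RE.findall(line[m.end():])))
    return rec


def classify(rec):
    """Triage label for a parsed record (assumed rules, see lead-in)."""
    udp = rec.get("proto") == "17"
    # UTM's own NetBIOS name-service broadcast flagged by the spoofing check:
    # source is the UTM, destination is the subnet broadcast address, UDP/137.
    if (rec.get("id") == "2005" and udp and rec.get("dstport") == "137"
            and rec.get("dstip", "").endswith(".255")):
        return "netbios-broadcast-self"
    # Internal host sending UDP/53 straight to an outside resolver, dropped by
    # the firewall because DNS is only allowed via the UTM itself.
    if rec.get("id") == "2001" and udp and rec.get("dstport") == "53":
        return "dns-bypass"
    return "other"


def summarize(text):
    """Count records per label, keyed by (srcip, dstip, dstport)."""
    summary = defaultdict(Counter)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        summary[classify(rec)][(rec.get("srcip"), rec.get("dstip"), rec.get("dstport"))] += 1
    return summary


def dns_bypass_sources(summary):
    """Internal hosts that tried to reach external resolvers directly: the ones to inspect."""
    return sorted({src for (src, _dst, _port) in summary["dns-bypass"]})


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for label, counter in s.items():
        print(label)
        for (src, dst, port), n in counter.most_common():
            print(f"  {src} -> {dst}:{port}  x{n}")
    print("hosts bypassing UTM DNS:", dns_bypass_sources(s))
```

Run against the real packetfilter log, the "dns-bypass" bucket tells you which internal hosts are sending DNS past the UTM and to which resolvers, which is the list to check on the endpoint side; the "netbios-broadcast-self" bucket isolates the spoofing-drop noise so it can be set aside.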


This thread was automatically locked due to age.
Hi Christian,

    www.withtls.com was also detected as a "C2/Generic-A" threat on my home UTM but I don't think that is the source of your problems.

    You can safely ignore MS NetBIOS 137 dst ports log lines, but I see some strange behavior in DNS output blocked by UTM going to akam.net DNS servers (Registrar: TUCOWS DOMAINS INC). I remember Tucows as a software download portal a long time ago...[;)]

Can you also post those IP spoofing drop log lines?