This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ATP detection

Started receiving the following notification yesterday. I don't understand why this is coming up with the source being the outside IP of the UTM. Is there another log file I should be reviewing to find out if there is an infected host on our network?

Not sure if this helps or not but software version 9.306-6

afcd_784_: id=_2022_ severity=_warn_ sys=_SecureNet_ sub=_packetfilter_ name=_Packet dropped _ATP__ srcip=_OutsideIPofUTM_ dstip=_192.240.167.185_ fwrule=_63001_ proto=_6_ threatname=_Troj/Dluca-BM_ status=_1_ host=_commonname.com_

This thread was automatically locked due to age.

0 Scott_Klassen over 10 years ago

Check the firewall log as well. If this is happening frequently, if it were me, I'd also consider doing a tcpdump for live information.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 10 years ago

I suspect that some Russian, criminal genius has found a way to trick botnet sensors.
Cheers - Bob

Sorry for any short responses. Posted from my iPhone.
Cancel
Vote Up 0 Vote Down

Cancel
0 altro over 10 years ago

Thanks for the replies! I'll check in to the logs later today.
Cancel
Vote Up 0 Vote Down

Cancel
0 ManuelKarl over 10 years ago in reply to altro

Hello there,

are there any d-nat rules which points to the external ip as target (e.g. "internet ipv4"-"https"-"external ip of utm" ---> dnat to "interal ip of server x" ?
Cancel
Vote Up 0 Vote Down

Cancel
0 altro over 10 years ago in reply to ManuelKarl

Hello there,

are there any d-nat rules which points to the external ip as target (e.g. "internet ipv4"-"https"-"external ip of utm" ---> dnat to "interal ip of server x" ?

Yes such as internet ipv4 ->HTTPS ->ExternalMailIP(different from IP in the log I posted)->change destination to Mail server. I have a couple of these rules setup.
Cancel
Vote Up 0 Vote Down

Cancel