
C2/Generic-A FP

Hi,

C2/Generic-A triggered when I was trying to talk to a VPS that we have rented off-net (and which we've been renting for the best part of a year at this point, but which I guess I only just tried to talk to from behind a Sophos UTM).

How can I get the false positive removed from the database?

Phil


  • In http.log there is nothing at that time from my IP:

    2015:06:16-05:36:51 astaro1-2 httpproxy[6491]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="POST" srcip="192.168.1.9" dstip="" user="" ad_domain="" statuscode="404" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2533" request="0xbda11000" url="passthrough.fw-notify.net/.../537.78.2" exceptions=""
    2015:06:16-05:36:52 astaro1-2 httpproxy[6491]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="POST" srcip="192.168.1.9" dstip="" user="" ad_domain="" statuscode="404" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2533" request="0xdd2d5800" url="passthrough.fw-notify.net/.../537.78.2" exceptions=""
    2015:06:16-05:36:53 astaro1-2 httpproxy[6491]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="POST" srcip="192.168.1.9" dstip="" user="" ad_domain="" statuscode="404" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2533" request="0xbe16e000" url="passthrough.fw-notify.net/.../537.78.2" exceptions=""


    Don't know why something can't be found, but something unrelated I'd say.

    James.
  • Nothing in named.log from that time either (but I'm using my own DNS as well):

    2015:06:16-05:08:11 astaro1-1 named[4805]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN/default: loaded serial 1434395285
    2015:06:16-05:14:38 astaro1-2 named[4730]: error (network unreachable) resolving 'tracker.blazing.de/A/IN': 2a02:568:0:2::53#53
    2015:06:16-05:47:10 astaro1-1 named[4805]: error (network unreachable) resolving '3.7.106.116.in-addr.arpa/PTR/IN': 2001:500:13::73#53
    2015:06:16-05:47:11 astaro1-2 named[4730]: error (network unreachable) resolving '3.7.106.116.in-addr.arpa/PTR/IN': 2001:13c7:7002:3000::11#53
    2015:06:16-05:47:11 astaro1-1 named[4805]: error (unexpected RCODE REFUSED) resolving '3.7.106.116.in-addr.arpa/PTR/IN': 203.113.131.1#53
  • My DNS's named.log:

    16-Jun-2015 05:36:12.089 zone rpz.spamhaus.org/IN/internal: Transfer started.
    16-Jun-2015 05:36:12.359 transfer of 'rpz.spamhaus.org/IN/internal' from 199.168.90.51#53: connected using 192.168.1.29#52250
    16-Jun-2015 05:36:12.644 zone rpz.spamhaus.org/IN/internal: transferred serial 1434396868
    16-Jun-2015 05:36:12.645 transfer of 'rpz.spamhaus.org/IN/internal' from 199.168.90.51#53: Transfer completed: 1 messages, 468 records, 9249 bytes, 0.285 secs (32452 bytes/sec)
    16-Jun-2015 05:37:49.079 host unreachable resolving 'boinc.fzk.de/A/IN': 2a00:1398:8:1::53:1#53
    16-Jun-2015 05:38:22.179 host unreachable resolving 'justgetflux.com.dlv.isc.org/DLV/IN': 2001:502:ad09::23#53


    Nothing at 5:36:52

    James.
  • Today's log file shows:

    2015:06:17-00:25:57 astaro1-2 ulogd[26352]: id="2022" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" action="drop" fwrule="63001" initf="eth0" threatname="C2/Generic-A" srcmac="00:3e:e1:be:16:79" dstmac="00:1a:8c:f0:84:40" srcip="192.168.1.10" dstip="195.154.233.66" proto="17" length="136" tos="0x00" prec="0x00" ttl="64" srcport="51816" dstport="6881" 
    2015:06:17-00:25:57 astaro1-2 ulogd[26352]: id="2022" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" action="drop" fwrule="63001" initf="eth0" threatname="C2/Generic-A" srcmac="00:3e:e1:be:16:79" dstmac="00:1a:8c:f0:84:40" srcip="192.168.1.10" dstip="195.154.233.66" proto="17" length="136" tos="0x00" prec="0x00" ttl="64" srcport="51816" dstport="6881" 
    2015:06:17-03:40:51 astaro1-2 ulogd[26352]: id="2022" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" action="drop" fwrule="63001" initf="eth0" threatname="C2/Generic-A" srcmac="00:3e:e1:be:16:79" dstmac="00:1a:8c:f0:84:40" srcip="192.168.1.10" dstip="195.154.233.66" proto="17" length="136" tos="0x00" prec="0x00" ttl="64" srcport="51816" dstport="6881" 


    Anywhere to look for more info?

    Thanks, James.
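Before raising a false-positive request it helps to know exactly which internal host, destination, protocol and port keep tripping the ATP rule, and over what time span. The script below is an added example written for this thread, not code from the forum or from Sophos: it parses the `key="value"` format of the UTM log lines quoted above (handling empty values and values with spaces and parentheses, such as the `profile=` and `filteraction=` fields in the httpproxy entries) and groups the `Packet dropped (ATP)` events. The sample lines are constructed for the example: the first three follow the entries quoted in the thread, the fourth is an invented extra drop using a TEST-NET address to show the grouping. The `proto` number-to-name mapping is the standard IP protocol numbering (6 = TCP, 17 = UDP), not something taken from the UTM.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sophos UTM lines start with "<ts> <host> <process>[<pid>]: " and then carry
# key="value" pairs. Values may be empty (dstip="") or contain spaces and
# parentheses (profile="REF_... (Default Web Filter Profile)", filteraction=" ()"),
# so each value is read up to the next double quote, not up to the next space.
PREFIX_RE = re.compile(
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>\w+)\[(?P<pid>\d+)\]: '
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')
TS_FORMAT = "%Y:%m:%d-%H:%M:%S"
IP_PROTO = {"1": "icmp", "6": "tcp", "17": "udp"}  # standard IP protocol numbers

# Constructed sample input: lines 1-3 follow the entries quoted in the thread,
# line 4 is an invented extra drop (TEST-NET destination) to show grouping.
SAMPLE_LINES = [
    '2015:06:16-05:36:51 astaro1-2 httpproxy[6491]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="POST" srcip="192.168.1.9" dstip="" user="" ad_domain="" statuscode="404" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2533" request="0xbda11000" url="passthrough.fw-notify.net/.../537.78.2" exceptions=""',
    '2015:06:17-00:25:57 astaro1-2 ulogd[26352]: id="2022" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" action="drop" fwrule="63001" initf="eth0" threatname="C2/Generic-A" srcmac="00:3e:e1:be:16:79" dstmac="00:1a:8c:f0:84:40" srcip="192.168.1.10" dstip="195.154.233.66" proto="17" length="136" tos="0x00" prec="0x00" ttl="64" srcport="51816" dstport="6881" ',
    '2015:06:17-03:40:51 astaro1-2 ulogd[26352]: id="2022" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" action="drop" fwrule="63001" initf="eth0" threatname="C2/Generic-A" srcmac="00:3e:e1:be:16:79" dstmac="00:1a:8c:f0:84:40" srcip="192.168.1.10" dstip="195.154.233.66" proto="17" length="136" tos="0x00" prec="0x00" ttl="64" srcport="51816" dstport="6881" ',
    '2015:06:17-04:02:13 astaro1-2 ulogd[26352]: id="2022" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" action="drop" fwrule="63001" initf="eth0" threatname="C2/Generic-A" srcip="192.168.1.9" dstip="203.0.113.10" proto="6" length="60" ttl="64" srcport="40022" dstport="443"',
]


def parse_line(line):
    """Return the prefix fields plus every key="value" pair as a dict, or None
    when the line does not carry the UTM prefix (e.g. a BIND named.log line)."""
    m = PREFIX_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec.update(KV_RE.findall(line[m.end():]))
    return rec


def summarize_atp_drops(lines):
    """Group 'Packet dropped (ATP)' events by internal host, destination,
    protocol, port and threat name; return summaries, most frequent first."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.get("name") != "Packet dropped (ATP)":
            continue
        key = (rec["srcip"], rec["dstip"], IP_PROTO.get(rec["proto"], rec["proto"]),
               rec["dstport"], rec["threatname"])
        groups[key].append(datetime.strptime(rec["ts"], TS_FORMAT))

    summary = []
    for (srcip, dstip, proto, dstport, threat), stamps in groups.items():
        summary.append({
            "srcip": srcip, "dstip": dstip, "proto": proto, "dstport": dstport,
            "threatname": threat, "count": len(stamps),
            "first": min(stamps).isoformat(sep=" "),
            "last": max(stamps).isoformat(sep=" "),
        })
    summary.sort(key=lambda s: (-s["count"], s["srcip"], s["dstip"]))
    return summary


if __name__ == "__main__":
    for s in summarize_atp_drops(SAMPLE_LINES):
        print(f'{s["srcip"]:>15} -> {s["dstip"]}:{s["dstport"]}/{s["proto"]}  '
              f'{s["threatname"]}  x{s["count"]}  {s["first"]} .. {s["last"]}')
```

Run against the real file (for example by replacing `SAMPLE_LINES` with the lines of the packetfilter log), the output gives one row per host/destination/port/threat tuple with first and last sighting, which is the information a false-positive report or an ATP exception needs: the internal machine involved, the exact destination and port, and whether the hits are a one-off or recurring. The httpproxy and named.log entries are skipped rather than rejected, so the whole log directory can be fed in unchanged.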