
Advanced Threat Protection: Google DNS (8.8.8.8) False Positive

Someone else see this in the ATP log?

10.19.1.3 is a monitoring server pinging 8.8.8.8 for Internet reference.


  • All afternoon my Advanced Threat Protection has been emailing me:

    Advanced Threat Protection

    A threat has been detected in your network The source IP/host listed below was found to communicate with a potentially malicious site outside your company.

    Details about the alert:

    Threat name....: C2/Generic-A
    Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx
    Time...........: 2015-04-30 17:02:10
    Traffic blocked: yes

    Source IP address or host: 10.10.160.229
            
    -- 
    System Uptime      : 17 days 9 hours 38 minutes
    System Load        : 0.29
    System Version     : Sophos UTM 9.310-11

    Please refer to the manual for detailed instructions.


    I look in my logs to find hundreds of entries:
     
    2015:04:30-16:00:42 ulogd[13308]: id="2022" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" action="drop" fwrule="63001" initf="eth0.173" threatname="C2/Generic-A" srcmac="00:0d:c5:XX:XX:XX" dstmac="00:15:17:XX:XX:XX" srcip="10.10.160.229" dstip="8.8.8.8" proto="17" length="65" tos="0x00" prec="0x00" ttl="64" srcport="39325" dstport="53"


    Live log shows:

    17:18:09 IPTables UDP C2/Generic-A 10.10.160.229 : 56216 → 8.8.8.8 : 53 drop


    I count at least 8 devices, different subnets, even different VLANs setting off this alert. I don't recall anything that I have changed recently.

    Any ideas?
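One way to triage a flood of alerts like the one above is to parse the ulogd `key="value"` lines and group the ATP drops by destination: when many unrelated hosts on different interfaces are all being dropped for DNS to the same public resolver, that pattern points to a feed false positive rather than eight infected machines. This is an added example, not code from the thread or from Sophos; the sample log lines are constructed in the format quoted above (only 10.10.160.229 -> 8.8.8.8:53 mirrors the thread), and the `WELL_KNOWN_RESOLVERS` list and the `min_sources` threshold are assumptions to tune for your own network.

```python
import re
from collections import defaultdict

# Constructed sample in the Sophos UTM ulogd key="value" shape quoted in the thread.
# 10.10.160.229 -> 8.8.8.8:53 mirrors the thread; the other hosts/destinations are made up.
SAMPLE_LOG = """\
2015:04:30-16:00:42 ulogd[13308]: id="2022" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" action="drop" fwrule="63001" initf="eth0.173" threatname="C2/Generic-A" srcip="10.10.160.229" dstip="8.8.8.8" proto="17" srcport="39325" dstport="53"
2015:04:30-16:00:43 ulogd[13308]: id="2022" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" action="drop" fwrule="63001" initf="eth0.173" threatname="C2/Generic-A" srcip="10.10.160.229" dstip="8.8.8.8" proto="17" srcport="56216" dstport="53"
2015:04:30-16:01:10 ulogd[13308]: id="2022" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" action="drop" fwrule="63001" initf="eth0.12" threatname="C2/Generic-A" srcip="10.19.1.3" dstip="8.8.8.8" proto="1"
2015:04:30-16:02:05 ulogd[13308]: id="2022" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" action="drop" fwrule="63001" initf="eth0.20" threatname="C2/Generic-A" srcip="10.20.5.44" dstip="8.8.8.8" proto="17" srcport="40011" dstport="53"
2015:04:30-16:03:00 ulogd[13308]: id="2022" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" action="drop" fwrule="63001" initf="eth0.20" threatname="C2/Generic-A" srcip="10.20.5.51" dstip="203.0.113.77" proto="6" srcport="51000" dstport="443"
2015:04:30-16:03:01 ulogd[13308]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0.20" srcip="10.20.5.51" dstip="192.0.2.9" proto="6" srcport="51001" dstport="23"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Assumed list of public resolvers a whole network legitimately talks to; extend for your environment.
WELL_KNOWN_RESOLVERS = frozenset({"8.8.8.8", "8.8.4.4"})

def parse_ulogd_line(line):
    """Split one ulogd line into its key="value" fields; None unless it is an ATP drop."""
    fields = dict(KV_RE.findall(line))
    if fields.get("name") != "Packet dropped (ATP)":
        return None
    return fields

def summarize_atp_drops(log_text):
    """Group ATP drops by (threatname, dstip): hit count, distinct sources, distinct dst ports."""
    summary = defaultdict(lambda: {"hits": 0, "sources": set(), "dstports": set()})
    for line in log_text.splitlines():
        f = parse_ulogd_line(line)
        if f is None:
            continue
        entry = summary[(f.get("threatname", "?"), f["dstip"])]
        entry["hits"] += 1
        entry["sources"].add(f["srcip"])
        entry["dstports"].add(f.get("dstport", "-"))  # ICMP lines carry no port
    return dict(summary)

def triage(summary, min_sources=3):
    """Many unrelated hosts hitting a public resolver on DNS only -> likely feed false positive."""
    verdicts = {}
    for (threat, dstip), s in summary.items():
        widespread = len(s["sources"]) >= min_sources
        dns_only = s["dstports"] <= {"53", "-"}
        if dstip in WELL_KNOWN_RESOLVERS and widespread and dns_only:
            verdicts[(threat, dstip)] = "likely false positive: verify, then exempt the destination"
        else:
            verdicts[(threat, dstip)] = "investigate"  # keep anything that could be real C2
    return verdicts
```

Run `triage(summarize_atp_drops(SAMPLE_LOG))` to see the two verdicts; in practice feed it the filtered packetfilter log and treat anything that is not a known resolver on port 53 as a real alert to work.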