We get this in our ATP log:
2015:06:30-07:45:47 Astaro-1 afcd[17122]: id="2023" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet logged (ATP)" srcip="192.168.50.8" dstip="8.8.8.8" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="mail.noip.com" url="-" action="alert"
192.168.50.8 is our Internal DNS server. Based on what I can tell someone is queried the local DNS server for "mail.noip.com" and it then went out to 8.8.8.8 (Google Public DNS) because we had that server listed as a forwarder for it.
We have one user who actually legitimately uses noip.com for their mail so this makes sense even though apparently noip.com hosts are often used for malicious purposes and as such that is why they are on the ATP bad list. (Thats another story)
So as I understand this I have to put in a exception for that persons workstation AND for mail.noip.com traffic as well in order to prevent this from coming back on our ATP logs. I kind of hate to do that as I would like to know if some other workstations attempt to contact a noip.com host.
This thread was automatically locked due to age.
