
Advanced Threat Protection - C2/Generic-A

How can I tell what is causing the ATP alerts?


I have scanned the server (192.168.0.129) with a few different anti-virus and anti-malware scanners but found nothing. The server is a web, email and FTP server. I have searched all of the email, FTP and website logs but did not find any of the IPs listed in the log below.


Below are the log entries:


/var/log/aptp/2015/08/aptp-2015-08-15.log.gz:2015:08:15-04:20:16 gateway afcd[9367]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp/2015/08/aptp-2015-08-15.log.gz:2015:08:15-04:20:18 gateway afcd[9367]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp/2015/08/aptp-2015-08-15.log.gz:2015:08:15-04:20:18 gateway afcd[9367]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp/2015/08/aptp-2015-08-15.log.gz:2015:08:15-04:20:20 gateway afcd[9367]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp/2015/08/aptp-2015-08-15.log.gz:2015:08:15-04:20:21 gateway afcd[9367]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp/2015/08/aptp-2015-08-15.log.gz:2015:08:15-04:20:21 gateway afcd[9367]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp/2015/08/aptp-2015-08-15.log.gz:2015:08:15-04:20:22 gateway afcd[9367]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp/2015/08/aptp-2015-08-15.log.gz:2015:08:15-04:20:25 gateway afcd[9367]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:29 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:30 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:33 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:33 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:39 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:41 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:42 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:43 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:44 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:46 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:46 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:47 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:48 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:50 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:50 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:50 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:52 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:54 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 


  • My impression is that there are a lot of false positives with that warning.  Check out the ATP section of  'Network Protection', but you should check just in case it's a valid warning.  I bet you see that the problem is that your internal DNS server is querying a suspicious name server.  In that case, check to see which client in your network made the request of your DNS server.

    Cheers - Bob
  • I do have the DNS service running on that same server but the only system that points to it for DNS lookup is that same server. Currently, the only reason I'm running a DNS server is because URIBL.com sometimes blocks queries from my SpamAssassin install because of the high volume of queries coming from the same ISP's caching nameservers. The amount of queries that actually come from my server is minuscule but URIBL.com just refuses all traffic coming from the ISP's nameserver.


    I have checked every log on that server and can't find anything that points to the IP address in the ATP alert.
  • Running AD in our environment and our Sophos UTM is claiming one of our DCs is phoning home to name servers that Sophos appears not to like.  Running multiple AV cleanup tools on the DC, including Sophos' tool, turned up nothing.  I turned on DNS debug logging on the DC in question to see if I could correlate the alerts to a requester in our network.  Got one ATP alert for the DC at 05:50:26 this morning for destination 199.79.61.221.  Tried to correlate the time stamp back to the DNS debug log and all I see is our OVM Manager server requesting our Nagios server.
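Added example, not code from this thread or from Sophos: the time-window correlation that the reply above attempts by hand, matching ATP alert timestamps against DNS query records and reporting which internal client keeps turning up next to the alerts. The ATP timestamps use the UTM "YYYY:MM:DD-HH:MM:SS" format seen in this thread; the DNS records are constructed in a deliberately simplified (time, client, qname) form and are not the Windows DNS debug log layout, which needs its own parser. The client addresses and query names are placeholders.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed ATP alerts as (UTM timestamp, dstip); the first reuses the alert
# time and destination quoted in the reply above, the second is invented.
ATP_ALERTS = [
    ("2015:08:22-05:50:26", "199.79.61.221"),
    ("2015:08:22-05:52:10", "199.79.61.221"),
]

# Constructed DNS query records as (time, client, qname). Simplified layout;
# the client addresses and names are placeholders, not real hosts.
DNS_QUERIES = [
    ("2015-08-22 05:50:25", "10.0.0.7", "nagios.corp.example"),
    ("2015-08-22 05:50:27", "10.0.0.42", "updates.vendor.example"),
    ("2015-08-22 05:52:08", "10.0.0.42", "updates.vendor.example"),
    ("2015-08-22 05:55:00", "10.0.0.7", "nagios.corp.example"),
]


def parse_utm_ts(s):
    """UTM log timestamp, e.g. 2015:08:22-05:50:26."""
    return datetime.strptime(s, "%Y:%m:%d-%H:%M:%S")


def parse_dns_ts(s):
    """Timestamp of the simplified DNS records used here."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def correlate(alerts, queries, window_seconds=5):
    """Map each alert to the DNS queries logged within +/- window_seconds of it.
    The gateway and the DNS server keep separate clocks, so a window of a few
    seconds is needed; widen it if the two are not NTP-synchronised."""
    window = timedelta(seconds=window_seconds)
    parsed = [(parse_dns_ts(t), c, q) for t, c, q in queries]
    result = {}
    for ts, dst in alerts:
        at = parse_utm_ts(ts)
        result[(ts, dst)] = [(c, q) for t, c, q in parsed if abs(t - at) <= window]
    return result


def recurring_clients(correlation):
    """Clients that appear near more than one alert. A recurring client is the
    strongest lead; a one-off next to a single alert is likely coincidence."""
    seen = Counter()
    for hits in correlation.values():
        for client in {c for c, _ in hits}:
            seen[client] += 1
    return sorted(c for c, n in seen.items() if n > 1)


if __name__ == "__main__":
    corr = correlate(ATP_ALERTS, DNS_QUERIES)
    for (ts, dst), hits in corr.items():
        print(f"{ts} -> {dst}: {hits or 'no DNS query in window'}")
    print("recurring clients:", recurring_clients(corr))
```

With the constructed data the first alert lands next to two different clients and only one of them reappears at the second alert, which is the pattern worth chasing; a single match per alert, as in the reply above, is usually just whatever happened to be querying at that second.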
  • Cheechcat, same here.


    Nothing in my DNS debug log, either. Been debugging since my original post and no matches.


    I was thinking it may be a lookup by the email server but nothing in those logs, either.
  • Since I don't see "dstport=53" string in your ATP log, I can only assume that this problem is not related to DNS service but to packet filtering (firewall) layer.
    In that case, you are looking in the wrong place... search the UTM Firewall logs instead.

    For DNS servers, ATP log should show something like this:

    2015:09:07-15:10:03 utm-2 ulogd[8391]: id="2022" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" action="drop" fwrule="63001" initf="eth0" threatname="C2/Generic-A" srcmac="00:19:e8:8b:b3:25" dstmac="00:1a:8c:f0:f3:40" srcip="192.168.1.12" dstip="199.59.166.109" proto="17" length="71" tos="0x00" prec="0x00" ttl="127" srcport="60095" dstport="53" 
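Added example, not code from this thread or from Sophos: a small Python parser for the key="value" ATP drop records quoted in this thread, which counts drops per source, destination, protocol and port and flags whether a record carries a dstport field at all, the check the reply above uses to tell DNS traffic (udp/53) from other filtered traffic. The sample lines embedded in it are copied from the original post and the reply above; the field names are only the ones visible in those lines, and the gzip handling is there because the original post reads rotated .gz logs.

```python
import gzip
import re
import sys
from collections import Counter
from datetime import datetime

# Sample records embedded so the script runs offline: two afcd lines from the
# original post (no dstport field) and the ulogd line from the reply above
# (dstport="53"). Field names are exactly those visible in the thread.
SAMPLE_LOG = """\
/var/log/aptp.log:2015:08:22-06:13:29 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop"
/var/log/aptp.log:2015:08:22-06:13:33 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop"
2015:09:07-15:10:03 utm-2 ulogd[8391]: id="2022" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" action="drop" fwrule="63001" initf="eth0" threatname="C2/Generic-A" srcmac="00:19:e8:8b:b3:25" dstmac="00:1a:8c:f0:f3:40" srcip="192.168.1.12" dstip="199.59.166.109" proto="17" length="71" tos="0x00" prec="0x00" ttl="127" srcport="60095" dstport="53"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
TS_RE = re.compile(r'(\d{4}):(\d{2}):(\d{2})-(\d{2}):(\d{2}):(\d{2})')
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}


def parse_line(line):
    """Return the key="value" fields of one ATP drop record as a dict, plus a
    parsed 'timestamp'; None for anything that is not such a record."""
    m = TS_RE.search(line)
    if m is None:
        return None
    fields = dict(KV_RE.findall(line))
    if fields.get("name") != "Packet dropped (ATP)":
        return None
    fields["timestamp"] = datetime(*(int(g) for g in m.groups()))
    return fields


def classify(fields):
    """'dns' when the record targets port 53, 'other' for any other port, and
    'no-port-info' when the record has no dstport at all (as in the afcd lines
    of the original post), in which case the firewall log, not the DNS server,
    is the next place to look."""
    port = fields.get("dstport")
    if port is None:
        return "no-port-info"
    return "dns" if port == "53" else "other"


def summarize(lines):
    """Count drops per (srcip, dstip, proto, dstport, class)."""
    counts = Counter()
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        proto = PROTO_NAMES.get(f.get("proto"), f.get("proto"))
        key = (f.get("srcip"), f.get("dstip"), proto, f.get("dstport", "-"), classify(f))
        counts[key] += 1
    return counts


def read_log(path):
    """Yield lines from a plain or gzip-compressed UTM log file."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        yield from fh


if __name__ == "__main__":
    # With no arguments the embedded samples are used; otherwise each argument
    # is a log path (plain or .gz).
    if len(sys.argv) == 1:
        lines = SAMPLE_LOG.splitlines()
    else:
        lines = (l for p in sys.argv[1:] for l in read_log(p))
    for (src, dst, proto, port, kind), n in sorted(summarize(lines).items()):
        print(f"{n:5d}  {src} -> {dst}  {proto}/{port}  [{kind}]")
```

Run against the embedded samples it prints one line per destination, and the two afcd records come out tagged no-port-info while the ulogd record is tagged dns; the same summary over a real /var/log/aptp.log shows at a glance whether a host's alerts are DNS lookups or something else, before any time spent in DNS debug logs.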
  • I've checked every log. I can't find anything to correlate with the ATP alerts.