
Advanced Threat Protection - C2/Generic-A

How can I tell what is causing the ATP alerts?


I have scanned the server (192.168.0.129) with a few different anti-virus and anti-malware scanners but found nothing. The server is a web, email and FTP server. I have searched all of the email, FTP and website logs but did not find any of the IPs listed in the log below.


Below are the log entries:


/var/log/aptp/2015/08/aptp-2015-08-15.log.gz:2015:08:15-04:20:16 gateway afcd[9367]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp/2015/08/aptp-2015-08-15.log.gz:2015:08:15-04:20:18 gateway afcd[9367]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp/2015/08/aptp-2015-08-15.log.gz:2015:08:15-04:20:18 gateway afcd[9367]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp/2015/08/aptp-2015-08-15.log.gz:2015:08:15-04:20:20 gateway afcd[9367]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp/2015/08/aptp-2015-08-15.log.gz:2015:08:15-04:20:21 gateway afcd[9367]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp/2015/08/aptp-2015-08-15.log.gz:2015:08:15-04:20:21 gateway afcd[9367]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp/2015/08/aptp-2015-08-15.log.gz:2015:08:15-04:20:22 gateway afcd[9367]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp/2015/08/aptp-2015-08-15.log.gz:2015:08:15-04:20:25 gateway afcd[9367]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:29 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:30 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:33 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:33 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:39 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:41 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:42 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:43 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:44 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:46 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:46 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:47 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:48 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:50 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:50 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:50 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:52 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:54 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 


  • My impression is that there are a lot of false positives with that warning. Check out the ATP section of 'Network Protection', but you should check just in case it's a valid warning. I bet you see that the problem is that your internal DNS server is querying a suspicious name server. In that case, check to see which client in your network made the request of your DNS server.

    Cheers - Bob
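Added example, not from the original post, from Bob, or from the vendor: a small Python script that parses afcd lines in the key="value" layout shown in the question, groups the drops by flow (source, destination, protocol, threat name, host), and builds a tcpdump filter to run on the flagged server. proto="17" is UDP per the IANA protocol numbers, but the ATP line carries no port, so whether this is DNS (as the reply guesses) or something else has to be confirmed on the host itself. The three sample lines are constructed in the thread's layout; the field names and the `afcd[pid]:` prefix are taken from the posted log.

```python
"""Summarise Sophos UTM ATP (afcd) drop lines by flow and build a capture filter.

Added example. Assumes the key="value" line layout shown in the forum post;
the SAMPLE_LOG lines below are constructed in that layout, not copied whole.
"""
import re
from datetime import datetime

# Constructed sample: a grep-style path prefix, the UTM timestamp, then key="value" fields.
SAMPLE_LOG = """\
/var/log/aptp/2015/08/aptp-2015-08-15.log.gz:2015:08:15-04:20:16 gateway afcd[9367]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop"
/var/log/aptp/2015/08/aptp-2015-08-15.log.gz:2015:08:15-04:20:20 gateway afcd[9367]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop"
/var/log/aptp.log:2015:08:22-06:13:29 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop"
"""

# Timestamp (YYYY:MM:DD-HH:MM:SS), hostname, "afcd[pid]:", then the field list.
# re.search skips any grep path prefix before the timestamp.
LINE_RE = re.compile(r"(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) \S+ afcd\[\d+\]: (.*)$")
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# IANA protocol numbers for the values afcd is likely to log.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_line(line):
    """Return (timestamp, fields) for one afcd line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y:%m:%d-%H:%M:%S")
    fields = dict(KV_RE.findall(m.group(2)))
    return ts, fields


def summarise(text):
    """Group drops by (srcip, dstip, proto, threatname, host) with count and time span."""
    flows = {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        proto = PROTO_NAMES.get(int(f.get("proto", "0")), f.get("proto"))
        key = (f["srcip"], f["dstip"], proto, f["threatname"], f["host"])
        rec = flows.setdefault(key, {"count": 0, "first": ts, "last": ts})
        rec["count"] += 1
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
    return flows


def capture_filter(flows):
    """BPF filter matching the flagged protocol(s) and peer address(es).

    Intended for tcpdump on the source host, where the port (missing from the
    ATP line) and, via ss/netstat, the owning process can be seen.
    """
    protos = sorted({k[2] for k in flows if k[2] in PROTO_NAMES.values()})
    peers = sorted({k[1] for k in flows})
    return "(%s) and (%s)" % (" or ".join(protos), " or ".join("host %s" % p for p in peers))


if __name__ == "__main__":
    flows = summarise(SAMPLE_LOG)
    for key, rec in sorted(flows.items(), key=lambda kv: -kv[1]["count"]):
        src, dst, proto, threat, host = key
        print("%s -> %s/%s  %s  (host=%s)  %d drops  %s .. %s"
              % (src, dst, proto, threat, host, rec["count"], rec["first"], rec["last"]))
    print("tcpdump -nn '%s'" % capture_filter(flows))
```

Run it against the real file with `zcat` output piped into `summarise`, then on 192.168.0.129 run `tcpdump -nn -i <iface> '<printed filter>'` to see the destination port and payload, and `ss -unp` (or `netstat -unp`) at the same moment to see which process owns the socket. If the port turns out to be 53 and the server runs a resolver, the next step is the reply's: find which internal client asked that resolver for the name.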