
Advanced Threat Protection - C2/Generic-A

How can I tell what is causing the ATP alerts?


I have scanned the server (192.168.0.129) with a few different anti-virus and anti-malware scanners but found nothing. The server is a web, email and FTP server. I have searched all of the email, FTP and website logs but did not find any of the IPs listed in the log below.


Below are the log entries:


/var/log/aptp/2015/08/aptp-2015-08-15.log.gz:2015:08:15-04:20:16 gateway afcd[9367]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp/2015/08/aptp-2015-08-15.log.gz:2015:08:15-04:20:18 gateway afcd[9367]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp/2015/08/aptp-2015-08-15.log.gz:2015:08:15-04:20:18 gateway afcd[9367]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp/2015/08/aptp-2015-08-15.log.gz:2015:08:15-04:20:20 gateway afcd[9367]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp/2015/08/aptp-2015-08-15.log.gz:2015:08:15-04:20:21 gateway afcd[9367]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp/2015/08/aptp-2015-08-15.log.gz:2015:08:15-04:20:21 gateway afcd[9367]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp/2015/08/aptp-2015-08-15.log.gz:2015:08:15-04:20:22 gateway afcd[9367]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp/2015/08/aptp-2015-08-15.log.gz:2015:08:15-04:20:25 gateway afcd[9367]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:29 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:30 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:33 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:33 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:39 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:41 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:42 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:43 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:44 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:46 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:46 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:47 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:48 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:50 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:50 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:50 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:52 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:54 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 


  • I do have the DNS service running on that same server but the only system that points to it for DNS lookup is that same server. Currently, the only reason I'm running a DNS server is because URIBL.com sometimes blocks queries from my SpamAssassin install because of the high volume of queries coming from the same ISP's caching nameservers. The number of queries that actually come from my server is minuscule but URIBL.com just refuses all traffic coming from the ISP's nameserver.


    I have checked every log on that server and can't find anything that points to the IP address in the ATP alert.
  • Running AD in our environment and our Sophos UTM is claiming one of our DCs is phoning home to name servers that Sophos appears not to like. Running multiple AV cleanup tools on the DC, including Sophos' tool, turned up nothing. I turned on DNS debug logging on the DC in question to see if I could correlate the alerts to a requester in our network. Got one ATP alert for the DC at 05:50:26 this morning for destination 199.79.61.221. Tried to correlate the time stamp back to the DNS debug log and all I see is our OVM Manager server requesting our Nagios server.
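As an added example (not code from the original post, from Sophos, or from the reply above), the following Python does the two triage steps this thread circles around: it parses the afcd entries quoted in the post into their key="value" fields and groups them by source, destination and protocol, then matches each alert's timestamp against a DNS query log the way the reply about the DC describes, to find the internal client whose lookup the server was relaying. The UTM log format is the one shown in the post; the DNS log lines, the client addresses 192.168.0.50 and 192.168.0.77, and the query names are constructed and use a simplified format rather than that of any real DNS server.

```python
import re
from datetime import datetime, timedelta

# Three UTM ATP entries copied from the post above (grep-style file prefix included).
APTP_LINES = [
    '/var/log/aptp.log:2015:08:22-06:13:29 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop"',
    '/var/log/aptp.log:2015:08:22-06:13:33 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop"',
    '/var/log/aptp.log:2015:08:22-06:13:41 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop"',
]
# Constructed DNS query log for the flagged server, in a simplified "date time client qname"
# form (not a real DNS server's debug format); clients and names are invented for the example.
DNS_LOG = [
    "2015-08-22 06:13:28 192.168.0.129 uribl-lookup.example",
    "2015-08-22 06:13:32 192.168.0.50 nagios.corp.example",
    "2015-08-22 06:13:55 192.168.0.77 intranet.corp.example",
]

TS_RE = re.compile(r"(\d{4}):(\d{2}):(\d{2})-(\d{2}):(\d{2}):(\d{2})")
KV_RE = re.compile(r'(\w+)="([^"]*)"')
PROTO = {"6": "TCP", "17": "UDP"}

def parse_aptp(line):
    """Split one afcd entry into its key="value" fields and add a datetime under 'ts'."""
    m = TS_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line))
    fields["ts"] = datetime(*map(int, m.groups()))
    return fields

def summarize(lines):
    """Group ATP drops by (srcip, dstip, proto, threat) with a count and first/last seen."""
    groups = {}
    for line in lines:
        f = parse_aptp(line)
        if not f or f.get("name") != "Packet dropped (ATP)":
            continue
        key = (f["srcip"], f["dstip"], PROTO.get(f["proto"], f["proto"]), f["threatname"])
        g = groups.setdefault(key, {"count": 0, "first": f["ts"], "last": f["ts"]})
        g["count"] += 1
        g["first"], g["last"] = min(g["first"], f["ts"]), max(g["last"], f["ts"])
    return groups

def queries_near(alert_ts, dns_lines, window=5):
    """DNS log entries within +/- window seconds of an alert. On a resolver the UTM only
    sees the server's own address, so the client that asked is the lead to chase."""
    hits = []
    for entry in dns_lines:
        date, time, client, qname = entry.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        if abs(ts - alert_ts) <= timedelta(seconds=window):
            hits.append((client, qname))
    return hits

if __name__ == "__main__":
    for key, g in summarize(APTP_LINES).items():
        print(key, g["count"], g["first"], g["last"])
        print("  nearby DNS queries:", queries_near(g["first"], DNS_LOG))
```

Running the block on the full log from the post gives one group per destination address, and proto="17" (UDP) is why the DNS service on the server is the first thing to check.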