
Advanced Threat Protection - C2/Generic-A

How can I tell what is causing the ATP alerts?


I have scanned the server (192.168.0.129) with a few different anti-virus and anti-malware scanners but found nothing. The server is a web, email and FTP server. I have searched all of the email, FTP and website logs but did not find any of the IPs listed in the log below.


Below are the log entries:


/var/log/aptp/2015/08/aptp-2015-08-15.log.gz:2015:08:15-04:20:16 gateway afcd[9367]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp/2015/08/aptp-2015-08-15.log.gz:2015:08:15-04:20:18 gateway afcd[9367]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp/2015/08/aptp-2015-08-15.log.gz:2015:08:15-04:20:18 gateway afcd[9367]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp/2015/08/aptp-2015-08-15.log.gz:2015:08:15-04:20:20 gateway afcd[9367]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp/2015/08/aptp-2015-08-15.log.gz:2015:08:15-04:20:21 gateway afcd[9367]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp/2015/08/aptp-2015-08-15.log.gz:2015:08:15-04:20:21 gateway afcd[9367]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp/2015/08/aptp-2015-08-15.log.gz:2015:08:15-04:20:22 gateway afcd[9367]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp/2015/08/aptp-2015-08-15.log.gz:2015:08:15-04:20:25 gateway afcd[9367]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:29 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:30 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:33 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:33 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:39 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:41 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:42 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:43 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:44 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:46 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:46 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:47 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:48 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:50 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:50 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:50 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:52 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 

/var/log/aptp.log:2015:08:22-06:13:54 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop" 


  • Since I don't see the "dstport=53" string in your ATP log, I can only assume that this problem is not related to the DNS service but to the packet filtering (firewall) layer.
    In that case, you are looking in the wrong place... search the UTM Firewall logs instead.

    For DNS servers, ATP log should show something like this:

    2015:09:07-15:10:03 utm-2 ulogd[8391]: id="2022" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" action="drop" fwrule="63001" initf="eth0" threatname="C2/Generic-A" srcmac="00:19:e8:8b:b3:25" dstmac="00:1a:8c:f0:f3:40" srcip="192.168.1.12" dstip="199.59.166.109" proto="17" length="71" tos="0x00" prec="0x00" ttl="127" srcport="60095" dstport="53" 
  • I've checked every log. I can't find anything to correlate with the ATP alerts.
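A small triage script for the kind of correlation the thread is about, added here as an example; it is not code from the thread, from Sophos or from the UTM. It parses the key="value" ATP lines (with or without the file-path prefix that a recursive grep puts in front of each hit), groups the drops per flow with a first/last timestamp to search the firewall log against, and applies the reply's rule of thumb: dstport="53" points at the DNS resolver on the source host, no dstport at all means the hit came from the packet-filter layer. The sample lines are copied from the original post and the reply; the protocol-number names are the IANA assignments, and where_to_look_next is the reply's heuristic encoded as a function, not a UTM feature.

```python
import re
from collections import defaultdict

# Sample input for this example: three lines copied from the original post
# (afcd, file-path prefix, no dstport) and the DNS-style line from the reply
# (ulogd, dstport="53").
SAMPLE_LINES = [
    '/var/log/aptp/2015/08/aptp-2015-08-15.log.gz:2015:08:15-04:20:16 gateway afcd[9367]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop"',
    '/var/log/aptp.log:2015:08:22-06:13:29 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.159" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop"',
    '/var/log/aptp.log:2015:08:22-06:13:33 gateway afcd[24039]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.0.129" dstip="199.188.204.158" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.188.204.182" url="-" action="drop"',
    '2015:09:07-15:10:03 utm-2 ulogd[8391]: id="2022" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" action="drop" fwrule="63001" initf="eth0" threatname="C2/Generic-A" srcmac="00:19:e8:8b:b3:25" dstmac="00:1a:8c:f0:f3:40" srcip="192.168.1.12" dstip="199.59.166.109" proto="17" length="71" tos="0x00" prec="0x00" ttl="127" srcport="60095" dstport="53"',
]

# Syslog-style header: timestamp, reporting host, daemon[pid]:
HEADER_RE = re.compile(
    r'(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<reporter>\S+) (?P<daemon>\w+)\[(?P<pid>\d+)\]:'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')
PROTO_NAMES = {'1': 'ICMP', '6': 'TCP', '17': 'UDP'}  # IANA protocol numbers


def parse_atp_line(line):
    """Parse one UTM ATP log line into a dict. Any '/var/log/...:' prefix
    from grep -r is skipped. Returns None for lines without the header."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['pid'] = int(rec['pid'])
    # key="value" pairs after the header; note the log's own host="..." field
    # is kept inside 'fields' so it does not collide with the reporting host.
    rec['fields'] = dict(KV_RE.findall(line[m.end():]))
    return rec


def summarize(lines):
    """Group drops by (srcip, dstip, proto, threatname); per flow keep the hit
    count, the first/last timestamp (a window to search other logs with) and
    whether a dstport field was present at all."""
    flows = defaultdict(lambda: {'hits': 0, 'first': None, 'last': None,
                                 'has_dstport': False, 'dstport': None})
    for rec in filter(None, map(parse_atp_line, lines)):
        f = rec['fields']
        proto = PROTO_NAMES.get(f.get('proto'), f.get('proto'))
        flow = flows[(f.get('srcip'), f.get('dstip'), proto, f.get('threatname'))]
        flow['hits'] += 1
        ts = rec['ts']  # 'YYYY:MM:DD-HH:MM:SS' orders correctly as a string
        if flow['first'] is None or ts < flow['first']:
            flow['first'] = ts
        if flow['last'] is None or ts > flow['last']:
            flow['last'] = ts
        if 'dstport' in f:
            flow['has_dstport'] = True
            flow['dstport'] = f['dstport']
    return dict(flows)


def where_to_look_next(flow):
    """The reply's heuristic (an assumption of this example, not a UTM rule):
    dstport=53 -> the DNS resolver on the source host; no dstport field ->
    the packet-filter layer, so correlate with the firewall log instead."""
    if flow['has_dstport'] and flow['dstport'] == '53':
        return 'dns'
    if not flow['has_dstport']:
        return 'firewall'
    return 'other'


if __name__ == '__main__':
    for (src, dst, proto, threat), flow in summarize(SAMPLE_LINES).items():
        print(f"{src} -> {dst} {proto} {threat}: {flow['hits']} hit(s) "
              f"{flow['first']}..{flow['last']} dstport={flow['dstport']} "
              f"-> search the {where_to_look_next(flow)} log")
```

Feed it the output of the same recursive grep over /var/log/aptp that produced the lines in the post; the per-flow first/last window is what to search the UTM firewall log for (same srcip and dstip, UDP), since the afcd lines carry no port to narrow it further.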