
Understanding Advanced Threat Detection

I'm having trouble understanding the logs for the advanced threat detection system. Can someone help?

Here are some examples from my logs:


2015:09:17-10:34:14 ravenna named[4568]: rpz: client 10.1.4.0#10063 (subscription.al.com): view default: rpz QNAME NXDOMAIN rewrite adi.wc-host.com via adi.wc-host.com.rpz

2015:08:26-07:00:04 ravenna named[4523]: rpz: client 10.1.1.6#63982 (heattreatmentchina.ru): view default: rpz IP NXDOMAIN rewrite heattreatmentchina.ru via 32.37.26.70.109.rpz-ip.rpz 

2015:08:26-07:00:04 ravenna named[4523]: rpz: client 10.1.1.6#63982 (expirepages-kiae-2.nic.ru): view default: rpz IP NXDOMAIN rewrite expirepages-kiae-2.nic.ru via 32.76.61.85.194.rpz-ip.rpz 

2015:08:26-07:00:04 ravenna named[4523]: rpz: client 10.1.1.6#63982 (expirepages-kiae-1.nic.ru): view default: rpz IP NXDOMAIN rewrite expirepages-kiae-1.nic.ru via 32.37.26.70.109.rpz-ip.rpz

10.1.4.0 is a Samsung Galaxy S5 (Android).
10.1.1.6 is a Linux mail server.

I have all traffic to Russia blocked which may help the latter 3, but the first is curious.
Info on the source IP
Address lookup

    canonical name    adi.wc-host.com.
    aliases           subscription.al.com
    addresses         66.194.102.170

Network Whois record

Queried rwhois.twtelecom.net with "66.194.102.170"...
%rwhois V-1.5:003AB6:00 rwhois.twtelecom.net (rwhois_ngd v0.9.0 by James Sella)
network:Class-Name:network
network:ID:09bf12b0-6fb7-11e2-9aba-005056b11241
network:Auth-Area:66.194.0.0/16
network:Network-Name:Mansell-Group-66-194-102-128
network:IP-Network:66.194.102.128/25
network:Organization;I:c1e26f7a-381e-11e2-aa1c-005056b11241
network:Org-Name:Mansell Group
network:Street-Address:2775 NORTHWOODS PKWY
network:City:NORCROSS
network:State:GA
network:Postal-Code:30071
network:Country-Code:us
network:Phone:none
network:Admin-Contact;I:none
network:Tech-Contact;I:none
network:Abuse-Contact;I:abuse@twtelecom.net
network:Updated:20131214121201000
%ok

Queried whois.arin.net with "n 66.194.102.170"...

NetRange:       66.192.0.0 - 66.195.255.255
CIDR:           66.192.0.0/14
NetName:        TWTC-NETBLK-4
NetHandle:      NET-66-192-0-0-1
Parent:         NET66 (NET-66-0-0-0-0)
NetType:        Direct Allocation
OriginAS:
Organization:   tw telecom holdings, inc. (TWTC)
RegDate:        2001-10-25
Updated:        2012-02-24
Comment:        ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
Ref:            http://whois.arin.net/rest/net/NET-66-192-0-0-1

OrgName:        tw telecom holdings, inc.
OrgId:          TWTC
Address:        10475 Park Meadows Drive
City:           Littleton
StateProv:      CO
PostalCode:     80124
Country:        US
RegDate:        1999-03-17
Updated:        2008-10-04
Ref:            http://whois.arin.net/rest/org/TWTC
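The lines quoted in the post are BIND's standard "rpz:" log entries: named consulted a response-policy zone (the zone "rpz" at the end of each "via" name) and rewrote the answer to NXDOMAIN. What differs between the first line and the other three is the trigger. "rpz QNAME" means the name being resolved was itself listed in the policy zone; here the client asked for subscription.al.com, which the address lookup above shows is an alias (CNAME) of adi.wc-host.com, and it was that CNAME target that matched. "rpz IP" means the name resolved fine but an address in the answer fell inside a listed netblock; BIND encodes that netblock in the "via" name as prefix length followed by the address octets in reverse order, so 32.37.26.70.109.rpz-ip means 109.70.26.37/32. The parser below is an added example, not code from the poster or from the UTM, and the field names it produces (client, qname, trigger, action, matched, policy_zone) are my own; it decodes the triggers in the four sample lines and also handles the NSIP, NSDNAME and CLIENT-IP triggers and IPv6 encodings ("zz" standing for "::") that BIND uses, which go beyond what this post shows.

```python
import ipaddress
import re
from collections import Counter

# Added example, not code from the original post: parse the "rpz:" lines that
# BIND's named writes when a response-policy zone rewrites an answer, and
# decode the trigger so each line can be read without guessing.
RPZ_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) named\[(?P<pid>\d+)\]: rpz: "
    r"client (?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+) \((?P<qname>[^)]+)\): "
    r"view (?P<view>[^:]+): rpz (?P<trigger>QNAME|IP|NSDNAME|NSIP|CLIENT-IP) "
    r"(?P<action>\S+) rewrite (?P<name>\S+) via (?P<via>\S+)$"
)

# Label BIND places between the encoded trigger and the policy zone name.
TRIGGER_LABEL = {
    "IP": "rpz-ip",
    "NSIP": "rpz-nsip",
    "CLIENT-IP": "rpz-client-ip",
    "NSDNAME": "rpz-nsdname",
}


def decode_ip_trigger(label: str) -> str:
    """Decode an address trigger such as '32.37.26.70.109' to '109.70.26.37/32'.

    BIND encodes address triggers as <prefixlen>.<address groups in reverse
    order>; for IPv6 the groups are hex and 'zz' stands for '::'.
    """
    prefix, *groups = label.split(".")
    groups.reverse()
    if len(groups) == 4 and all(g.isdigit() for g in groups):
        addr = ".".join(groups)                      # IPv4: four decimal octets
    else:
        addr = re.sub(r"(^|:)zz(:|$)", "::", ":".join(groups))  # IPv6 groups
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def parse_rpz_line(line: str):
    """Return a dict of the line's fields plus the decoded trigger, or None."""
    m = RPZ_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    trigger, via, name = rec["trigger"], rec["via"], rec["name"]
    if trigger == "QNAME":
        # via = "<owner name of the policy entry>.<policy zone>"; when that
        # owner name is the rewritten name itself, peel the zone off cleanly.
        if via.startswith(name + "."):
            rec["matched"], rec["policy_zone"] = name, via[len(name) + 1:]
        else:
            rec["matched"], rec["policy_zone"] = via, ""   # e.g. a wildcard entry
    else:
        data, _, zone = via.partition("." + TRIGGER_LABEL[trigger] + ".")
        rec["policy_zone"] = zone
        rec["matched"] = data if trigger == "NSDNAME" else decode_ip_trigger(data)
    return rec


WHAT_FIRED = {
    "QNAME": "the name being resolved is listed in the policy zone",
    "IP": "an address in the answer falls in a listed netblock",
    "NSIP": "an address of the domain's name server falls in a listed netblock",
    "NSDNAME": "the domain's name server name is listed",
    "CLIENT-IP": "the querying client's address is listed",
}


def explain(line: str) -> str:
    """One human-readable sentence for a single rpz log line."""
    rec = parse_rpz_line(line)
    if rec is None:
        return "not an rpz line"
    return (f"{rec['client']} asked for {rec['qname']}; {WHAT_FIRED[rec['trigger']]} "
            f"({rec['matched']} in zone {rec['policy_zone']}), so the resolver "
            f"answered {rec['action']} instead of the real record for {rec['name']}")


def summarize(lines):
    """Count hits per (client, trigger type) so a noisy host stands out."""
    hits = Counter()
    for line in lines:
        rec = parse_rpz_line(line)
        if rec:
            hits[(rec["client"], rec["trigger"])] += 1
    return hits


# Sample input: the four lines quoted in the post above.
SAMPLE_LOG = [
    "2015:09:17-10:34:14 ravenna named[4568]: rpz: client 10.1.4.0#10063 (subscription.al.com): view default: rpz QNAME NXDOMAIN rewrite adi.wc-host.com via adi.wc-host.com.rpz",
    "2015:08:26-07:00:04 ravenna named[4523]: rpz: client 10.1.1.6#63982 (heattreatmentchina.ru): view default: rpz IP NXDOMAIN rewrite heattreatmentchina.ru via 32.37.26.70.109.rpz-ip.rpz ",
    "2015:08:26-07:00:04 ravenna named[4523]: rpz: client 10.1.1.6#63982 (expirepages-kiae-2.nic.ru): view default: rpz IP NXDOMAIN rewrite expirepages-kiae-2.nic.ru via 32.76.61.85.194.rpz-ip.rpz ",
    "2015:08:26-07:00:04 ravenna named[4523]: rpz: client 10.1.1.6#63982 (expirepages-kiae-1.nic.ru): view default: rpz IP NXDOMAIN rewrite expirepages-kiae-1.nic.ru via 32.37.26.70.109.rpz-ip.rpz",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(explain(entry))
    for (client, trigger), n in summarize(SAMPLE_LOG).most_common():
        print(f"{client:<12} {trigger:<6} {n}")
```

Run against the four sample lines, the two "IP" entries that share a trigger decode to the same host address (109.70.26.37/32), which is why two different .ru names produced an identical "via" label: the policy matched the address they resolve to, not the names. The per-client tally is the piece worth keeping in a daily check, since a single internal host accumulating rpz hits across many names is a better indicator than any one line.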

