[9.352-6] ATP alert from external address of something?

This one has me puzzled. How does the ATP determine that an external site is talking to a bad site?

C2/Kuluoz-a SID:(26677)

The address might be the ISP gateway, but it is most certainly not used by the UTM.

Ian



  • Sachin,

     

    How do you know that, without gathering further information?

     

    My answer in the other thread:

    Hi,

     

    I have been getting the same message (in v9.407!) since yesterday, 25.10. But in my opinion it is not related to this bug ID (Fix [NUTM-3340]: [Network] ATP alerts can be caused by external UDP DNS traffic (can lead to massive amounts of ATP alerts)); it is more likely a different bug.

    I see that this IP address tries to connect to various servers in my DMZ. Maybe a harvest scan or something similar. But it is only trying port 80. The src IP address is listed in some abuse lists. So my analysis would be: a malicious IP address communicates with a machine behind the firewall. The AFC should normally alert in this case, because the traffic originates from an external network. Why do we get an alert? Only Sophos knows about it.

     

    Regards

    Sebastian

     

    UPDATE: 

    Sorry, I must correct my statement. I get a different Threat Name, it is: Threat name....: C2/Generic-A.

     

    But the general question (how do you know) is still there...
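The check Sebastian describes above (is the alert's source an address inside my networks, and is the outside address walking through DMZ hosts on a single port?) can be scripted so it runs over the ATP log before anyone attributes an alert to a given bug. The block below is an added example and is not code from this thread or from Sophos: it assumes a key="value" line format modelled on UTM's packetfilter/ATP logging, and the field names (srcip, dstip, dstport, threatname), the internal/DMZ network list and the sample log lines are all constructed for illustration.

```python
"""Triage ATP alerts by traffic direction and scan-like behaviour.

Added example, not the UTM's own code. The key="value" line layout, the
field names, the network list and the sample lines are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed: the site's own networks (RFC 1918 plus a documentation range
# standing in for a public DMZ block). Adjust to the real topology.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.0.113.0/24")
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample: one outside host touching three DMZ servers on port 80,
# and one inside host that really did talk to a flagged outside address.
SAMPLE_LOG = """\
2016:10:26-09:12:01 utm ulogd[1234]: severity="warn" sub="packetfilter" name="Packet dropped (ATP)" srcip="198.51.100.7" dstip="203.0.113.10" dstport="80" threatname="C2/Generic-A"
2016:10:26-09:12:03 utm ulogd[1234]: severity="warn" sub="packetfilter" name="Packet dropped (ATP)" srcip="198.51.100.7" dstip="203.0.113.11" dstport="80" threatname="C2/Generic-A"
2016:10:26-09:12:05 utm ulogd[1234]: severity="warn" sub="packetfilter" name="Packet dropped (ATP)" srcip="198.51.100.7" dstip="203.0.113.12" dstport="80" threatname="C2/Generic-A"
2016:10:26-09:15:40 utm ulogd[1234]: severity="warn" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.1.50" dstip="198.51.100.99" dstport="443" threatname="C2/Kuluoz-A"
"""


def parse_alerts(log_text):
    """Return one dict of key/value fields per line that carries a threatname."""
    alerts = []
    for line in log_text.splitlines():
        fields = dict(KV_RE.findall(line))
        if fields.get("threatname"):
            alerts.append(fields)
    return alerts


def is_internal(ip, nets=INTERNAL_NETS):
    """True if ip falls inside one of our own networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def triage(alerts, nets=INTERNAL_NETS, scan_threshold=3):
    """Group alerts by source address and classify each source.

    direction  : which side of the firewall the source sits on
    scan_like  : an outside source hitting >= scan_threshold distinct inside
                 hosts on a single port, i.e. the harvest-scan pattern
    """
    by_src = defaultdict(list)
    for alert in alerts:
        by_src[alert["srcip"]].append(alert)

    findings = []
    for src, items in by_src.items():
        inbound = not is_internal(src, nets)
        targets = sorted({a["dstip"] for a in items})
        ports = sorted({int(a["dstport"]) for a in items})
        findings.append({
            "srcip": src,
            "direction": "external->internal" if inbound else "internal->external",
            "threats": sorted({a["threatname"] for a in items}),
            "targets": targets,
            "ports": ports,
            "scan_like": inbound and len(targets) >= scan_threshold and len(ports) == 1,
        })
    return findings


def run_sample():
    """Triage the constructed sample log."""
    return triage(parse_alerts(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f["srcip"], f["direction"], f["threats"], "scan_like" if f["scan_like"] else "")
```

A finding with direction external->internal and scan_like set is the case discussed in this thread: the ATP verdict names an outside address as the source, so the next questions are whether anything inside answered it (check the packetfilter log for accepted connections to those targets) and whether the UTM's own address appears as the destination, which would point at the DNS case in NUTM-3340 rather than at a scan.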

  • And how can it be that it is fixed in 9.356 and again in 9.401? So I assume it was not fixed in 9.356?

     

     


    Up2Date 9.356003 package description:

    Remark:
    System will be rebooted

    News:
    Security Update

    Bugfixes:
    Fix [NUTM-3974]: [Basesystem] OpenSSL security update 1.0.1t [9.35]
    Fix [NUTM-3320]: [Network] Security Patches for BIND (9.35)
    Fix [NUTM-3340]: [Network] ATP alerts can be caused by external UDP DNS traffic (can lead to massive amounts of ATP alerts)
    Fix [NUTM-3555]: [Virtualization] HyperV interface handling (9.35)

     

     

    Up2Date 9.401011 package description:

    Remarks:
    System will be rebooted
    Configuration will be upgraded
    Connected REDs will perform firmware upgrade
    Connected Wifi APs will perform firmware upgrade

    News:
    Update to 9.4
    .
    Features
    Clientless SSO (STAS)
    IPv6 Support for SSL VPN
    Sandboxing for SMTP and Web
    Support for new RED15w
    Support for new SG Appliances SG85 and SG85w
    Support for new 4x10G FP 1U network module
    WAF persistent session cookies

    Bugfixes:
    Fix [NUTM-1764]: [Access & Identity] 35675: First time connection always fails with ssl remote access vpn and remote auth
    Fix [NUTM-1768]: [Access & Identity] 35689: RED50: Loadbalancing does not work
    Fix [NUTM-1771]: [Access & Identity] 35809: Group membership is not updated when prefetching backend users
    Fix [NUTM-1772]: [Access & Identity] 35859: Some users are removed from all groups during update_ad_bg_members
    Fix [NUTM-1927]: [Access & Identity] 35957: ERROR: netlink response for Increase seq numbers HA SYSTEM included errno 3: No such process
    Fix [NUTM-1928]: [Access & Identity] 35446: Problems with OpenVPN v2.3.0 and Win8 when client awake from sleep or hibernation mode
    Fix [NUTM-1941]: [Access & Identity] 35474: AD group cache still contains obsolete group information after update_ad_bg_members.plx is executed
    Fix [NUTM-1942]: [Access & Identity] 35279: Option "Drop packets from blocked hosts" does not work correctly
    Fix [NUTM-1943]: [Access & Identity] 35269: Random auth-pop ups in with eDir SSO
    Fix [NUTM-1944]: [Access & Identity] 35459: Site2Site SSLVPN client fails to add routes after server restart
    Fix [NUTM-1945]: [Access & Identity] 35778: Sometimes SAA connection disconnect for 3 minutes
    Fix [NUTM-1947]: [Access & Identity] 35926: VPN Signing CA using encryption of 1024bit
    Fix [NUTM-1949]: [Access & Identity] 35353: Intermittend authentication failed messages during unstable SAA connection
    Fix [NUTM-1950]: [Access & Identity] 35606: French keyboard layout not detected in HTML5 portal RDP connections
    Fix [NUTM-1951]: [Access & Identity] 35602: Outdated perl-ldap -0.39 causing errors in Intermediate.pm
    Fix [NUTM-1953]: [Access & Identity] 35143: LT2P remote access - client get assigned an IP from the pool which is already in use
    Fix [NUTM-1961]: [Access & Identity] 35791: QoS not working with more than 600 applications in a traffic selector definition
    Fix [NUTM-1964]: [Access & Identity] 33657: Bridge: Error messages when you enable / disable an additional address on a bridge
    Fix [NUTM-1965]: [Access & Identity] 34496: Bridge + QoS: Bandwidth pools does not work
    Fix [NUTM-2080]: [Access & Identity] 36079: RED Management can't be enabled if the organisation name includes umlauts
    Fix [NUTM-2082]: [Access & Identity] 36025: Cisco VPN remote access: XAUTH credentials and Certificate can be from different users
    Fix [NUTM-2132]: [Access & Identity] 36064: Regeneration of VPN Signing CA doesn't work
    Fix [NUTM-2451]: [Access & Identity] 36225: HTML5 portal RDP session to Windows 8.1 doesn't work
    Fix [NUTM-2715]: [Access & Identity] 36312: RED15 responds to public DNS requests
    Fix [NUTM-2817]: [Access & Identity] [BETA] Site2Site SSLVPN routes not used if more than 1 connection is up
    Fix [NUTM-2850]: [Access & Identity] [BETA] Site2Site Problem - more connections
    Fix [NUTM-896]: [Access & Identity] 34886: filter:FORWARD:rule will cause a conntrack entry without SYN
    Fix [NUTM-501]: [Basesystem] 33039: SNMPd reports wrong mac address
    Fix [NUTM-2746]: [Email] sandbox module generated many error log messages
    Fix [NUTM-3038]: [Email] [BETA] Rescanning a mail after releasing from quarantine does not work
    Fix [NUTM-3484]: [Email] SMTP Proxy does not start after update to 9.4 after takeover
    Fix [NUTM-1170]: [HA/Cluster] 35285: repctl fails to start on slave node - can't use string ("reporting") as a HASH ref
    Fix [NUTM-1737]: [HA/Cluster] 35814: UTM doesn't respond to arp requests after HA gets disabled
    Fix [NUTM-3340]: [Network] ATP alerts can be caused by external UDP DNS traffic (can lead to massive amounts of ATP alerts)
    Fix [NUTM-1770]: [RED] 35855: RED: Kernel crash - decompression failed: -22
    Fix [NUTM-1952]: [RED] 25775: RED: add message to warn users if they add a MAC to the list which is used by RED
    Fix [NUTM-2365]: [RED] 36159: High CPU load from confd caused by overflow on RED devices
    Fix [NUTM-2676]: [RED] 36303: USB deployed RED10 devices loose their static wan config
    Fix [NUTM-1067]: [WAF] 34447: Issue with WAF Rev. Auth. and OTP
    Fix [NUTM-2368]: [WAF] 36061: Unable to upload attachements with IE to backend server via WAF
    Fix [NUTM-2555]: [WAF] 36251: XSS vulnerability in mod_url_hardening
    Fix [NUTM-2556]: [WAF] 36272: XSS vulnerability in mod_avscan
    Fix [NUTM-2689]: [WAF] 36190: High swap usage caused by reverse proxy
    Fix [NUTM-2809]: [WAF] 36373: Reverse authentication: AH01627: AuthType configured with no corresponding authorization directives
    Fix [NUTM-3027]: [WAF] Random Confd message "Undefined subroutine register_logout_urls"
    Fix [NUTM-3365]: [Web] Filename is not preserved for sandboxed file if Content-Disposition header is missing
    Fix [NUTM-2141]: [WiFi] 35969: Sometimes inconsistent logging if a user is connected via hotspot
    Fix [NUTM-2591]: [WiFi] 36278: Increase maximum number of access points (APs)
    Fix [NUTM-3066]: [WiFi] AP10/30/50 reboot loop
    Fix [NUTM-3355]: [WiFi] VLAN Fallback mechanism broken since 9.4
    Fix [NUTM-3437]: [WiFi] Mesh broken on AP50 after upgrade to 9.4 SR

     

  • Hi Sebastian,

    The thread you answered here was started in Dec 2015 with firmware version 9.352, which faced the reported issue. Out of the blue I saw the thread today and replied that the issue is fixed in v9.356.

    Coming to your question, can you please post in your original thread, so we can have a single-thread conversation.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Hi Sachin,

     

    in this thread, these were my questions:

     

    1.) How do you know that, without gathering further information?

    2.) And how can it be that it is fixed in 9.356 and again in 9.401? So I assume it was not fixed in 9.356?

     

    The other thread with a pretty similar topic is "ATP reporting source as external address".

     

    Best Regards

    Sebastian
