[9.352-6]ATP alert from external address of something??

This one has me puzzled? How does the ATP determine that an external site is talking to a bad site?

C2/Kuluoz-a SID:(26677)

The address might be the ISP gateway, but is most certainly not used by UTM?

Ian

  • Fixed in 9.356.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Sachin,

    How do you know that, without gathering further information???

    My answer in the other thread:

    Hi,

    I have been getting the same message (in v9.407 !!) since yesterday, 25.10. But in my opinion it is not related to this bug ID (Fix [NUTM-3340]: [Network] ATP alerts can be caused by external UDP DNS traffic (can lead to massive amounts of ATP alerts)); it is more likely a different bug.

    I see that this IP address tries to connect to various servers in my DMZ. Maybe a harvest scan or something similar. But it is only trying port 80. The src IP address is listed in some abuse lists. So my analysis would be: a malicious IP address communicates with a machine behind the firewall. The AFC should normally alert in this case, because the traffic originates from an external network.... Why do we get an alert? Only Sophos knows about it....

    Regards

    Sebastian

    UPDATE:

    Sorry, I must correct my statement. I get a different Threat Name, it is: Threat name....: C2/Generic-A.

    But the general question (how do you know) is still there...

  • Hi Sebastian,

    The thread you answered here was started in Dec 2015 with Firmware version 9.352, which faced the reported issue. Out of the blue I saw the thread today and replied that the issue is fixed in v9.356.

    Coming to your question, can you please post on your original thread so that we can have a single-thread conversation.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hi Sachin,

    in this thread, these were my questions:

    1.) How do you know that, without gathering further information???

    2.) And how can it be that it is fixed in 9.356 and again in 9.401? So I assume it was not fixed in 9.356?

    The other thread with a pretty similar topic is "ATP reporting source as external address".

    Best Regards

    Sebastian
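A defender's triage check for the situation Sebastian describes, added here as an example that is not from the thread or from Sophos: it separates ATP alerts whose flagged source is a host behind the firewall (the case ATP exists for) from alerts whose source is an external address that merely hit a local host, and tallies external sources per destination port so an inbound scan stands out from a command-and-control session. The alert records, their layout and the local address ranges are constructed assumptions, not the UTM's real log format.

```python
import ipaddress
from collections import Counter

# Constructed sample ATP alert records, not the UTM's real log format:
# (source IP, destination IP, destination port, threat name).
SAMPLE_ALERTS = [
    ("198.51.100.23", "203.0.113.10", 80, "C2/Generic-A"),
    ("198.51.100.23", "203.0.113.11", 80, "C2/Generic-A"),
    ("198.51.100.23", "203.0.113.12", 80, "C2/Generic-A"),
    ("192.168.10.55", "198.51.100.200", 443, "C2/Kuluoz-A"),
    ("198.51.100.77", "10.0.0.53", 53, "C2/Generic-A"),
]

# Networks behind the firewall: RFC 1918 plus a constructed public DMZ range
# (assumption; replace with the ranges the UTM actually protects).
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.0.113.0/24")]


def is_local(ip: str) -> bool:
    """True if the address lies in one of the configured local ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)


def classify(alert) -> str:
    """Label one alert by which side of the firewall the flagged source is on."""
    src, dst, _dport, _threat = alert
    if is_local(src):
        # What ATP exists to catch: a host behind the UTM reaching out to a
        # listed destination. This is the case worth investigating on the host.
        return "internal-source"
    if is_local(dst):
        # Source is outside: inbound traffic from a listed address hitting a
        # local host. Firewall/IPS territory rather than an ATP hit, which is
        # exactly what the thread questions.
        return "external-source-inbound"
    return "unrelated"


def triage(alerts):
    """Count alerts per (class, threat name) and tally inbound sources per port."""
    counts = Counter((classify(a), a[3]) for a in alerts)
    # One external source seen against several local hosts on a single port
    # looks like a scan, not a command-and-control session.
    scanners = Counter((a[0], a[2]) for a in alerts
                       if classify(a) == "external-source-inbound")
    return counts, scanners
```

Running `triage(SAMPLE_ALERTS)` on the constructed records puts only the 192.168.10.55 alert in the internal-source class; the four C2/Generic-A alerts all have external sources, and 198.51.100.23 shows up three times on port 80.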
