Can someone suggest why the ATP would report an infection coming from an external address?
Thanks
I opened a trouble ticket with Sophos and soon got a reply:
"I've been looking into this matter and can see multiple support cases raised recently regarding this same traffic, which I believe to be malicious traffic originating in Russia.
There is no current threat or outbreak on your network to be concerned with, this alert is specifically indicating that the UTM is dropping this traffic, so there's no immediate network security reaction needed.
If possible, enabling Country Blocking to drop Russian source connections would result in the same outcome (malicious traffic being dropped) but without generating the email alerts that you're seeing.
Alternatively, in my experience this traffic has all been coming from one source IP so far, so creating a firewall rule to specifically drop traffic from the source IP 195.62.53.168 would also achieve the same result.
I've also looked into why this particular traffic is triggering ATP alerts in the first place. I believe it's because the traffic is coming in on port 80, which, as far as I've seen, is causing these alerts on all customer UTMs that have a DNAT rule allowing inbound traffic on port 80 from any source.
This DNAT rule lets the malicious traffic in past the firewall, then it gets dropped by ATP.
In either case the traffic is being dropped, but implementing either country blocking or a firewall drop rule will cause the traffic to be blocked silently without generating alerts.
I hope this helps, please let me know your thoughts."
I also had the same ATP warnings last night and this morning. Same external IP 195.62.53.168 and lock.bz. I will be blocking this IP, as I can't block all of Russia, due to customer relations. This behavior started occurring after updating to the latest version (from 5 versions out).
I spent an hour yesterday via SSH on all of the UTMs I have permission to access. Roughly half showed similar activity as described above. Rather than a firewall rule as recommended by Support, I recommend a blackhole DNAT where the Destination in the Traffic Selector is a Network Group containing all of the "(Address)" objects on Interfaces with a default gateway. Consult #2 in Rulz to understand why. These are the commands I ran:
zgrep 'dstip="195\.62\.53\.168' /var/log/packetfilter/2016/10/*
zgrep '195\.62\.53\.168' /var/log/aptp/2016/10/*
The first will show whether some device behind the UTM is trying to communicate with the bad IP. The second shows whether Advanced Threat Protection stopped an attack from the bad IP.
Cheers - Bob
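As an added example that is not part of the original thread: a POSIX shell script that applies the distinction Bob draws between the two queries (bad IP as destination = a host behind the UTM initiated contact; bad IP as source = an inbound probe dropped at the edge) to a handful of constructed packetfilter-style lines, and goes one step further by listing the internal hosts that reached out. The log format and the srcip-before-dstip field order are assumptions modelled on UTM logs; the real commands run zgrep over the gzipped log directories instead of an inline sample.

```shell
#!/bin/sh
# Constructed sample lines in the style of Sophos UTM /var/log/packetfilter
# entries (not real captures). Field order srcip then dstip is assumed.
SAMPLE_LOG='2016:10:20-08:11:02 utm ulogd[4321]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="195.62.53.168" dstip="203.0.113.10" proto="6" srcport="44212" dstport="80"
2016:10:20-08:13:45 utm ulogd[4321]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="2" initf="eth0" srcip="192.168.1.25" dstip="195.62.53.168" proto="6" srcport="51002" dstport="80"
2016:10:20-08:14:10 utm ulogd[4321]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="2" initf="eth0" srcip="192.168.1.25" dstip="195.62.53.168" proto="6" srcport="51003" dstport="443"
2016:10:20-08:15:33 utm ulogd[4321]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="198.51.100.7" dstip="203.0.113.10" proto="6" srcport="40001" dstport="22"'

BAD_IP='195.62.53.168'

# Escape the dots so grep matches the address literally (195.62.53.168, not 195x62x53x168).
ip_regex() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Inbound: the bad IP is the source. These are probes the firewall/ATP dropped.
count_inbound() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c "srcip=\"$(ip_regex "$1")\"" || true
}

# Outbound: the bad IP is the destination. Any hit means a host behind the UTM
# initiated the contact, which is the case that needs investigating.
count_outbound() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c "dstip=\"$(ip_regex "$1")\"" || true
}

# Internal hosts that reached out to the bad IP, one per line, deduplicated.
outbound_hosts() {
    printf '%s\n' "$SAMPLE_LOG" \
      | sed -n "s/.*srcip=\"\([^\"]*\)\".*dstip=\"$(ip_regex "$1")\".*/\1/p" \
      | sort -u
}

# Human-readable summary for one indicator address.
report() {
    echo "inbound probes from $1 (dropped at the edge): $(count_inbound "$1")"
    echo "outbound connections to $1 from inside: $(count_outbound "$1")"
    [ "$(count_outbound "$1")" -gt 0 ] && echo "hosts to check: $(outbound_hosts "$1" | tr '\n' ' ')"
    return 0
}

report "$BAD_IP"
```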