
conficker access not detected or blocked

Hello,
I'm having a bit of an "infestation" on a customer network that has led the public IPs to be blocked on Spamhaus CBL, as they connected to Conficker honeypots.
Now, this happened before UTM was installed...

Yesterday morning we installed 9.203 and activated ALL protection options (IPS with full ruleset for OS, no time shortening; advanced botnet; web filter with dual AV, block below suspicious; antispyware).

Yet to my surprise, I checked CBL today and it has blocked the public IP AGAIN, with access last night (post UTM), and UTM never detected anything!

HTTP direct output is blocked; all browsing must go out via the HTTP proxy.

I checked the honeypot IP against the log and guess what? Passed...


/var/log/http/2014/06/http-2014-06-25.log.gz:2014:06:25-14:16:19 utm httpproxy[5552]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.3.215" dstip="216.66.15.109" user="" statuscode="404" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x9f9eee0" url="216.66.15.109/search
/var/log/http/2014/06/http-2014-06-25.log.gz:2014:06:25-14:16:21 utm httpproxy[5552]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.3.215" dstip="216.66.15.109" user="" statuscode="404" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x2593f540" url="216.66.15.109/search


So, WHY is UTM not even detecting the infestation, let alone blocking it as it should (with the new fabled "advanced threat protection", which at this point still says "all green OK")?
It's not an obscure virus or botnet, it's a well-known scourge, yet.. nothing!
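As an added example (not from the original post, and not Sophos code): a small Python parser for the key="value" format of the UTM httpproxy log lines quoted above, used to flag action="pass" entries whose dstip is on a watchlist of known sinkhole/honeypot addresses and to attribute them to the internal srcip that needs cleaning. The sample lines and the watchlist are constructed here; the watchlist holds only the address the post quotes, and the second sample line is cut off mid-field the way the post's grep output is.

```python
import re
from typing import Dict, List, Set

# Constructed sample in the shape of the post's UTM httpproxy entries (grep file
# prefix stripped). Line 2 is truncated like the post's output; line 3 is a
# benign request to a documentation-range address (198.51.100.0/24).
SAMPLE_LOG = """\
2014:06:25-14:16:19 utm httpproxy[5552]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.3.215" dstip="216.66.15.109" user="" statuscode="404" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x9f9eee0" url="216.66.15.109/search"
2014:06:25-14:16:21 utm httpproxy[5552]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.3.215" dstip="216.66.15.109" user="" statuscode="404" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x2593f540" url="216.66.15.109/search
2014:06:25-14:17:02 utm httpproxy[5552]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.3.40" dstip="198.51.100.7" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="512" request="0x1" url="example.invalid/"
"""

# Constructed watchlist: the honeypot/sinkhole address quoted in the post.
WATCHLIST: Set[str] = {"216.66.15.109"}

# "ts host process: " header, then key="value" pairs. The closing quote is
# optional so a line cut off inside its last field (as in the post) still parses.
HEADER_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+): ')
KV_RE = re.compile(r'(\w+)="([^"]*)"?')


def parse_line(line: str) -> Dict[str, str]:
    """Turn one httpproxy log line into a flat dict of its fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a UTM httpproxy line: %r" % line[:40])
    rec = m.groupdict()
    rec.update(KV_RE.findall(line[m.end():]))
    return rec


def find_watchlist_hits(log_text: str, watchlist: Set[str]) -> List[Dict[str, str]]:
    """Return the records the proxy let through (action=pass) to a watched dstip."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            if rec.get("action") == "pass" and rec.get("dstip") in watchlist:
                hits.append(rec)
    return hits


def internal_hosts(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count hits per internal source address: the machines to isolate and clean."""
    counts: Dict[str, int] = {}
    for rec in hits:
        counts[rec["srcip"]] = counts.get(rec["srcip"], 0) + 1
    return counts


if __name__ == "__main__":
    for src, n in internal_hosts(find_watchlist_hits(SAMPLE_LOG, WATCHLIST)).items():
        print("%s contacted a watched address %d time(s)" % (src, n))
```

Pointing it at the real file (`zcat http-2014-06-25.log.gz`) with a watchlist of the addresses CBL reports gives the internal host to pull off the network, which the proxy's "pass" verdict alone does not.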

