i have just received an e-mail from the UTM advising of an ATP event. The log also shows the same event.
But there is nothing to show the internal destination address.
The following is from the e-mail message.
2015:01:24-14:25:02 cats-kingdom afcd[22855]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="92.42.36.58" dstip="114.198.43.220" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="199.26.84.175" url="-" action="drop"
"Advanced Threat Protection
A threat has been detected in your network
The source IP/host listed below was found to communicate with a potentially malicious site outside your company.
Details about the alert:
Threat name....: C2/Generic-A
Details........: C2/Generic-A - Viruses and Spyware - Web Threat, Virus and Spyware Detection and Removal | Sophos - Threat Center - Cloud Antivirus, Endpoint, UTM, Encryption, Mobile, DLP, Server, Web, Wireless Security, Network Storage and Next-Gen Firewall Solutio
Time...........: 2015-01-24 14:25:02
Traffic blocked: yes
Internal source IP address or host: 92.42.36.58"
Anyone with an idea as to where to look for the internal IP address?
Ian
And there is more - the webadmin shows a different address.
Just add moire mystery to the posting, both active devices on the network are MACs running 10.10.x. According to Sophos, this is a Wx nasty only.
1st Feb 15 - forgot that i have a smb ms2012 server running in the vm with the UTM and SUM.
This thread was automatically locked due to age.
