
Email warning interpretation on suspicious activity

    Hi,

    I got an email warning from UT (NGFW) about a port 22 connection. See below.

Is this telling me that the SSH connection from 203.159.80.150 to 158.51.95.35 was successful? The details have "bypassed = true", which is puzzling. What triggers a packet getting bypassed?

    If so, that is puzzling as I have a block on port 22 access other than a handful of authorized users.

The rule I defined is to block any traffic to destination port 22. Is that all I need? To make sure it is handled sooner than the other rules, I just moved it near the top of the list.

    Thanks!

    --Ben


    Event: SessionEvent

    Event Time: 2021-03-13 08:19:24.793.

    Event Summary:
    Session [TCP] 203.159.80.250:28959 -> 158.51.95.35:22

    Event Details:
    bypassed = true
    c client addr = 203.159.80.250
    c client port = 28959
    c server addr = 158.51.95.35
    c server port = 22
    client intf = 1
    entitled = true
    hostname = 158.51.95.35
    local addr = 158.51.95.35
    policy id = 0
    protocol = 6
    protocol name = TCP
    remote addr = 203.159.80.250
    s client addr = 203.159.80.250
    s client port = 28959
    s server addr = 158.51.95.35
    s server port = 22
    server intf = 1
    session id = 105847512732690
    time stamp = 2021-03-13 08:19:24.793

    This is an automated message sent because this event matched Alerts Rule "Suspicious Activity: Client created many SSH sessions".
    Last edited by bconner; 03-13-2021 at 01:10 PM.
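The alert mail above is a plain "key = value" dump of one SessionEvent, and the alert rule it matched ("Client created many SSH sessions") is a count of sessions to TCP/22 per client. As an added example (not the poster's code and not Untangle's own implementation), the block below parses that format into typed fields, replays a sliding-window "many SSH sessions" count over constructed sample events, and lists port-22 sessions from clients outside an allow list, carrying the `bypassed` and `policy id` fields through so they can be read alongside each hit. Assumptions: the sample addresses, ports and timestamps are constructed (RFC 5737 ranges), the threshold and window of the rule are guesses rather than Untangle's actual parameters, and the reading of `bypassed = true` as "the session matched a bypass rule and skipped app processing, where a Firewall-app block rule would be evaluated" is stated here as the author's understanding of Untangle, not something the mail itself documents.

```python
"""Parse Untangle-style SessionEvent alert text and replay two checks over it:
a 'client created many SSH sessions' count and a 'port 22 from a client that
is not allow-listed' check. All sample data below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

INT_FIELDS = {"c client port", "s client port", "s server port",
              "policy id", "protocol"}
BOOL_FIELDS = {"bypassed", "entitled"}
TIME_FIELDS = {"time stamp"}

# Same layout as the "Event Details" section of the alert mail (subset of keys).
EVENT_TEMPLATE = """\
Session [TCP] {client}:{cport} -> {server}:{sport}
bypassed = {bypassed}
c client addr = {client}
c client port = {cport}
entitled = true
policy id = {policy}
protocol = 6
protocol name = TCP
s client addr = {client}
s client port = {cport}
s server addr = {server}
s server port = {sport}
time stamp = {ts}
"""


def _sample(client, cport, sport, ts, bypassed, policy, server="198.51.100.35"):
    """Build one constructed alert body; addresses are documentation ranges."""
    return EVENT_TEMPLATE.format(client=client, cport=cport, server=server,
                                 sport=sport, bypassed=str(bypassed).lower(),
                                 policy=policy, ts=ts)


SAMPLE_ALERTS = [  # constructed: one noisy client, one allowed admin, one stray
    _sample("203.0.113.9", 40001, 22, "2021-03-13 08:19:24.793", True, 0),
    _sample("203.0.113.9", 40002, 22, "2021-03-13 08:19:27.102", True, 0),
    _sample("203.0.113.9", 40003, 22, "2021-03-13 08:19:31.555", True, 0),
    _sample("203.0.113.9", 40004, 22, "2021-03-13 08:19:40.010", True, 0),
    _sample("203.0.113.9", 40005, 22, "2021-03-13 08:19:52.480", True, 0),
    _sample("203.0.113.9", 40006, 443, "2021-03-13 08:19:53.000", False, 1),
    _sample("192.0.2.20", 51000, 22, "2021-03-13 08:20:05.000", False, 1),
    _sample("203.0.113.77", 60000, 22, "2021-03-13 09:00:00.000", False, 1),
]


def parse_session_event(text):
    """Turn a block of 'key = value' lines into a dict with typed values.
    Keys keep their spaces exactly as in the mail, e.g. 's server port'."""
    event = {}
    for raw in text.strip().splitlines():
        if "=" not in raw:
            continue  # the 'Session [TCP] ...' summary line carries no '='
        key, value = (part.strip() for part in raw.split("=", 1))
        if key in INT_FIELDS:
            event[key] = int(value)
        elif key in BOOL_FIELDS:
            event[key] = value.lower() == "true"
        elif key in TIME_FIELDS:
            event[key] = datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")
        else:
            event[key] = value
    return event


def load_samples():
    return [parse_session_event(t) for t in SAMPLE_ALERTS]


def many_ssh_sessions(events, threshold=5, window=timedelta(minutes=1)):
    """Model of the 'Client created many SSH sessions' rule: per client, the
    largest number of TCP/22 sessions inside any sliding window. Threshold and
    window are assumptions, not Untangle's real rule parameters."""
    by_client = defaultdict(list)
    for ev in events:
        if ev.get("protocol") == 6 and ev.get("s server port") == 22:
            by_client[ev["s client addr"]].append(ev["time stamp"])
    flagged = {}
    for client, stamps in by_client.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[client] = best
    return flagged


def ssh_from_unauthorized(events, allowed_clients):
    """Port-22 sessions whose client is not allow-listed, with the bypassed
    flag and policy id so each hit can be checked against the intended block."""
    return [(ev["s client addr"], ev["s server addr"], ev["bypassed"], ev["policy id"])
            for ev in events
            if ev.get("s server port") == 22
            and ev["s client addr"] not in allowed_clients]
```

Run against the samples, the noisy client shows up with five SSH sessions inside a minute (three inside any ten-second window), and every one of its port-22 hits carries `bypassed = True` and `policy id = 0`, while the stray client's single session is not bypassed. Reading real alert mails the same way, sorting hits by the bypassed flag is the quickest way to see whether the sessions a block rule should have caught ever reached the stage where that rule runs.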
