Endpoint Protection

  • 1.  NTP event meaning.

    Posted Mar 14, 2014 05:51 PM

    Risk Detected

    Event Time: 03-14-2014 17:35:57
    Begin Time: 03-14-2014 17:34:55
    End Time: 03-14-2014 17:35:45
    Occurrence: 12
    Event Type: UDP datagram
    Severity: Major
    Action: Not blocked
    Application Name: C:/WINDOWS/system32/svchost.exe
    Network Protocol: UDP
    Traffic Direction: Inbound
    Remote IP: 4.4.4.4
    Remote Host Name: ****.abc.com
    Alert: 0
    Local Port: 1900
    Remote Port: 53772
    Rule Name: Outbound Allowed

    I just wanted to know the meaning of the above event under the NTP -> Traffic logs monitoring tab on SEPM.

    What action should I take for it? Are there any generic docs to learn more about NTP logs and the actions taken?

    thanks,

    Mangesh Salunkhe



  • 2.  RE: NTP event meaning.

    Posted Mar 18, 2014 12:59 PM

    It's all pretty self-explanatory; are you looking for anything in particular?



  • 3.  RE: NTP event meaning.

    Broadcom Employee
    Posted Mar 18, 2014 12:59 PM

    Fine-tune the rule "Outbound Allowed" and configure which traffic needs to be allowed/blocked.

    Note: 4.4.4.4 information is at http://whois.domaintools.com/4.4.4.4



  • 4.  RE: NTP event meaning.

    Posted Mar 29, 2014 07:57 AM

    I wanted to know: if it is the svchost.exe process and it is NOT BLOCKED and in SEVERITY, what action should I take?



  • 5.  RE: NTP event meaning.

    Posted Mar 29, 2014 02:21 PM

    There are quite a few services that run under the svchost.exe container.

    So we need to figure out which service is the one for which svchost.exe is getting blocked.

    Take the netstat -ano output and see which exe is listening on port 1900 and its PID.

    Now take the output of tasklist /svc and map that PID to the specific service that is getting blocked.

    Based on that we can take a call on whether the event is valid or not.
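The netstat -ano / tasklist /svc procedure from the reply above, scripted as an added example (this is not code from the thread or from Symantec): it takes the Local Port and Network Protocol from the SEPM event, finds the owning PID, and lists the services hosted inside that process so the svchost.exe entry can be tied to one service. The default port 1900 and protocol UDP come from the event in the first post; everything else (variable names, output columns) is the example's own. Run it in an elevated PowerShell on the client that raised the event, since unprivileged sessions cannot read the image path of system processes.

```powershell
# Added example, not from this thread: correlate the local port of a SEPM
# traffic event to the process and the service(s) behind it, following the
# netstat -ano / tasklist /svc steps from the reply above.
param(
    [int]$LocalPort = 1900,    # "Local Port" from the event
    [string]$Protocol = 'UDP'  # "Network Protocol" from the event
)

# Step 1: netstat -ano lists every endpoint with its owning PID, e.g.
#   UDP    0.0.0.0:1900    *:*    1234
$endpoints = netstat -ano |
    Where-Object { $_ -match "^\s*$Protocol\s" } |
    ForEach-Object {
        $fields = -split $_.Trim()
        $local  = $fields[1]
        # IPv6 addresses are bracketed, so take the text after the last colon
        $port   = [int]($local.Substring($local.LastIndexOf(':') + 1))
        if ($port -eq $LocalPort) {
            [pscustomobject]@{
                Protocol     = $fields[0]
                LocalAddress = $local
                OwnerPid     = [int]$fields[-1]   # last column is the PID
            }
        }
    }

if (-not $endpoints) {
    Write-Output "Nothing is bound to $Protocol/$LocalPort right now; the event may be historical."
    return
}

foreach ($ep in $endpoints | Sort-Object OwnerPid -Unique) {
    # Step 2: resolve the PID to its image path. For svchost.exe that alone
    # does not tell you which service sent or received the traffic.
    $proc = Get-Process -Id $ep.OwnerPid -ErrorAction SilentlyContinue
    $path = if ($proc -and $proc.Path) { $proc.Path } else { '<unknown or exited>' }

    # Step 3: tasklist /svc shows the services hosted inside that PID.
    # Filtering on the PID keeps the output to one CSV row.
    $svcRow   = tasklist /svc /fi "PID eq $($ep.OwnerPid)" /fo csv | ConvertFrom-Csv
    $services = if ($svcRow.Services -and $svcRow.Services -ne 'N/A') {
                    $svcRow.Services
                } else {
                    '(no services hosted)'
                }

    [pscustomobject]@{
        Protocol     = $ep.Protocol
        LocalAddress = $ep.LocalAddress
        PID          = $ep.OwnerPid
        Image        = $path
        Services     = $services
    }
}
# On Windows, UDP 1900 is normally the SSDP Discovery service (SSDPSRV, UPnP
# device discovery) running inside an svchost.exe. If the image is not under
# %SystemRoot%\System32 or the hosted service is not one you expect, treat the
# event as worth a closer look rather than as noise.
```

The output gives one row per owning process with the hosted services, which is the information needed to decide whether the inbound datagram on port 1900 is expected (a known Windows service) and whether the "Outbound Allowed" rule should be tightened for that traffic.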