🔴 SECURITY ALERT — INTERNAL THREAT BLOCKED | UDM-PRO IPS EVENT

๐Ÿ›ก๏ธ ๐Ÿ”ด SECURITY ALERT โ€” INTERNAL THREAT BLOCKED | UDM-PRO IPS EVENT

BLUF: The UDM-Pro firewall dropped suspicious internal traffic originating from 192.168.1.33. A device on the local network attempted outbound or lateral communication that triggered IPS rules. Investigate 192.168.1.33 immediately for signs of compromise.

DETAILS
- Trigger: Intrusion Prevention System (IPS) fired on UDM-Pro; action taken was DROP — traffic was blocked, not permitted
- Source IP: 192.168.1.33 — a device on the internal LAN segment; identity of the device is unconfirmed at this time
- Direction: Internal — traffic originated inside the network perimeter, indicating a potentially compromised or misbehaving internal host
- Threat type: Classified as a firewall/IPS event; specific signature, destination IP, destination port, and protocol are not confirmed in available data
- Single event detected — whether this is isolated or part of a pattern of activity from this host is unknown pending log review

IMPACT
- Scope: Contained to the internal network segment at time of detection; firewall action was DROP, meaning the specific traffic was blocked
- Affected asset: Device at 192.168.1.33 — identity unknown; could be a workstation, IoT device, server, or guest device
- Risk: Internal origin is significant — if the host is compromised, lateral movement to other LAN assets is possible regardless of this single block
- Broader context (unconfirmed relevance): Active threat landscape includes GlassWorm supply chain malware, HazyBeacon C2-over-AWS activity, and NTLMv2 hash theft via Windows Search URI — any of which could produce anomalous internal traffic patterns consistent with this event. No direct link to this event is confirmed.
RECOMMENDED ACTIONS
- Identify 192.168.1.33 — check DHCP leases, ARP tables, or the UDM-Pro client list to determine device type and owner immediately
- Pull full IPS logs from UDM-Pro for this event — capture destination IP, port, protocol, and full signature name before logs rotate
- Isolate the host — once device identity is confirmed, consider VLAN isolation or a port block pending investigation
- Check for repeat events — query logs for any prior or subsequent traffic from 192.168.1.33 in the last 24–72 hours
- Run an endpoint scan on the identified device if accessible — prioritize an EDR or AV scan given active supply chain and malware campaigns in the current threat environment
- Do not dismiss as a false positive until signature and destination are reviewed — internal-origin IPS drops warrant higher scrutiny than perimeter events

SOURCES
- UDM-Pro IPS Event Log — FW DROP, internal direction, source 192.168.1.33
- Threat context: The Hacker News (GlassWorm, HazyBeacon, NTLMv2 vulnerability reporting)

⚠️ Threat context items cited for situational awareness only — no confirmed connection to this event
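The "pull full IPS logs" and "check for repeat events" steps above amount to one triage query: take every IPS line from the source host inside a 24–72 hour window around the alert, then summarise destination, port, protocol and signature so the single event can be judged isolated or part of a pattern, and so any LAN-internal destinations (possible lateral attempts) stand out. The script below is an added example written for this post, not output or tooling from the UDM-Pro or from the alert's author. The log line format it parses, the sample lines, the signature names (placeholders), the destination addresses (RFC 5737 documentation ranges) and the LAN range 192.168.1.0/24 are all constructed for the example; a real UDM-Pro export will have its own layout and `LINE_RE` must be adapted to it.

```python
"""Triage helper for an internal-origin IPS drop (added example, not UDM-Pro code).

Filters key=value style IPS log lines for the host under investigation within a
look-back/look-ahead window around the alert and summarises what it talked to.
The line format and all sample data below are CONSTRUCTED for this example.
"""
import ipaddress
import re
import shlex
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample export. Destinations are RFC 5737 documentation addresses
# or constructed LAN hosts; signature names are placeholders, not real rules.
SAMPLE_LOG = """\
2026-06-02T22:10:41Z IPS action=DROP direction=internal src=192.168.1.33 dst=198.51.100.20 proto=TCP dport=445 sig="SIG-PLACEHOLDER-A"
2026-06-03T08:02:17Z IPS action=ALLOW direction=internal src=192.168.1.40 dst=203.0.113.9 proto=UDP dport=53 sig="SIG-PLACEHOLDER-B"
2026-06-04T09:14:02Z IPS action=DROP direction=internal src=192.168.1.33 dst=198.51.100.20 proto=TCP dport=445 sig="SIG-PLACEHOLDER-A"
2026-06-04T09:14:05Z IPS action=DROP direction=internal src=192.168.1.33 dst=192.168.1.10 proto=TCP dport=3389 sig="SIG-PLACEHOLDER-C"
2026-06-01T01:00:00Z IPS action=DROP direction=internal src=192.168.1.33 dst=198.51.100.20 proto=TCP dport=445 sig="SIG-PLACEHOLDER-A"
this line is not an IPS record and is skipped
"""

# Alert parameters from the post (source IP) plus an assumed alert timestamp
# and an assumed LAN range; both are constructed for the example.
SUSPECT_IP = "192.168.1.33"
EVENT_TIME = datetime(2026, 6, 4, 9, 14, 2, tzinfo=timezone.utc)
LAN = ipaddress.ip_network("192.168.1.0/24")

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+IPS\s+(?P<rest>.*)$")


def parse_line(line):
    """Return a field dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))}
    # shlex keeps the quoted signature name intact even if it contains spaces.
    for token in shlex.split(m.group("rest")):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def triage(log_text, src_ip, event_time, lookback_hours=72, lookahead_hours=1, lan=LAN):
    """Summarise IPS events from src_ip in [event_time - lookback, event_time + lookahead].

    Returns event count, whether more than one event exists (repeat activity),
    action counts, (dst, dport, proto, sig) frequencies, and destinations that
    lie inside the LAN range (candidate lateral-movement targets).
    """
    start = event_time - timedelta(hours=lookback_hours)
    end = event_time + timedelta(hours=lookahead_hours)
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.get("src") != src_ip:
            continue
        if start <= ev["ts"] <= end:
            hits.append(ev)
    targets = Counter((e.get("dst"), e.get("dport"), e.get("proto"), e.get("sig")) for e in hits)
    lateral = sorted({e["dst"] for e in hits
                      if "dst" in e and ipaddress.ip_address(e["dst"]) in lan})
    return {
        "events": len(hits),
        "repeat_activity": len(hits) > 1,
        "actions": dict(Counter(e.get("action") for e in hits)),
        "targets": targets,
        "lateral_targets": lateral,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, SUSPECT_IP, EVENT_TIME)
    print(f"{SUSPECT_IP}: {report['events']} event(s), repeat={report['repeat_activity']}")
    for (dst, dport, proto, sig), n in report["targets"].most_common():
        print(f"  {n}x {proto} -> {dst}:{dport}  {sig}")
    print("LAN-internal destinations:", report["lateral_targets"] or "none")
```

Run with a 24-hour window first (the alert's lower bound), then widen to 72 hours; a count that stays at one across the wider window supports the "isolated event" reading, while repeated hits on the same signature or any LAN-internal destination argue for isolating the host before the scan.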

June 4, 2026 · 2 min · Nova