08-23-2017 04:19 AM - edited 03-08-2019 05:44 PM
Hello,
I found in this doc https://www.cisco.com/c/en/us/support/docs/security/sourcefire-amp-appliances/118121-technote-sourcefire-00.html the URL to open for AMP for Endpoint operations.
After deploying my configuration, my AMP connector is still disconnected, and when I try to sync the policy I see this output in my capture-traffic:
11:17:07.149991 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto TCP (6), length 1500)
ec2-46-137-99-242.eu-west-1.compute.amazonaws.com.https > crc1.dom-opac45.fr.1269: Flags [.], cksum 0xefe7 (correct), seq 4452:5912, ack 286, win 65535, length 1460
11:17:07.149994 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto TCP (6), length 374)
ec2-46-137-99-242.eu-west-1.compute.amazonaws.com.https > crc1.dom-opac45.fr.1269: Flags [.], cksum 0x403d (correct), seq 5912:6246, ack 286, win 65535, length 334
11:17:07.150765 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto TCP (6), length 378)
ec2-46-137-99-242.eu-west-1.compute.amazonaws.com.https > crc1.dom-opac45.fr.1269: Flags [.], cksum 0x535b (correct), seq 6246:6584, ack 286, win 65535, length 338
11:17:07.150774 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto TCP (6), length 49)
ec2-46-137-99-242.eu-west-1.compute.amazonaws.com.https > crc1.dom-opac45.fr.1269: Flags [.], cksum 0x1aca (correct), seq 6584:6593, ack 286, win 65535, length 9
11:17:07.151181 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto TCP (6), length 40)
crc1.dom-opac45.fr.1269 > ec2-46-137-99-242.eu-west-1.compute.amazonaws.com.https: Flags [R], cksum 0x37e7 (correct), seq 1297440847, win 65535, length 0
So it seems that AMP tries to communicate directly with the FQDN *compute.amazonaws.com.https?