Jump to content
Welcome to our new Citrix community!

Suspicious traffic from SNIP

Marcel Zunnebeld

Recommended Posts


At a customer we see in the monitoring that from the SNIP address of the NetScaler Gnutella traffic is detected to what appears to be a Paypal site (
(See attached file).
How can I find out which IP the original request is coming from? Maybe with a trace, but I don't know exactly when it occurs. Can it be found in a NetScaler log, if so, in which one? Or does additional logging have to be enabled for that? 


Thanks in advance!



Link to comment
Share on other sites

You could use an nstrace with a filter expression for the SNIP (or outbound destination IP) and the "filter connection's peer traffic" aka -link enabled (if at cli).

To see if it will also identify VIP and source IP traffic for what is happening now. 


For additional logging, TCP connection logging could be enabled in syslog (but you will get a lot off info) but it would let you see all tcp transactions for more info as you narrow this down.  Go to your syslog settings: System > Auditing. Right-pane. Edit syslog settings for local logging OR edit a syslog policy action for an external log destination. But you will get a lot of data and frequent log rollover while TCP Logging is enabled.  https://support.citrix.com/article/CTX134939 (some info)


You also may want to check your firmware and look for security issues that might not have been patched because your question is whether this is a config/traffic flow issue OR something else.  If you know which vserver is in use, you can do some additional logging.  You might want to check with support if you think it is a vulnerability.

  • Like 2
Link to comment
Share on other sites

Hi Rhonda, thanks for your message.
The firmware version of these NetScalers is version 13.0-83.27 (including the extra setting for MaxClients=30 set in the rc.netscaler)
I'll see if I can get more information with the syslog settings, otherwise i will run a trace, with SNIP as source.

How can I save the ns.log file before it is overwritten with new information?



Link to comment
Share on other sites

Current syslog is located in /var/log/ns.log and past log files will be /var/log/ns.log.##.gz.


By default, the system rolls over every 2 hours or every 100K; and keeps the last 25 (or so in the /var/log directory).

You can manually export these if you think the local rollover isn't sufficient.


You can also configure a syslog audit policy to log to an external location and use the external server to maintain logs for a longer period of time.  



Link to comment
Share on other sites

  • 1 month later...
  • 1 year later...

Hello Marcel, Sorry for the late arrival to this post - I too seem to have run across this issue as well and came here after Googling some. Were you able to find resolution to this? 


It's very strange, and even with the settings for trace that others have suggested, I find that the traffic it's coming from my SNIP and nowhere else unless I'm missing something. The only thing that comes to mind with regards to the address in question, a consultant setup a  'dummy' IP address for a keep-alive LB service that will go out to the dummy address, eg port 80. Every now and then our security provider would see RDP or Gnutella traffic going out to that address despite that our FW logs show nothing of the sort. 

Screenshot 2023-12-28 141102.png

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...