topic Re: A lot of traffic on port 443 (https) to ip 65.52.98.231 in General Topics

A lot of traffic on port 443 (https) to ip 65.52.98.231

SOC_CSG — Mon, 07 Jul 2014 07:54:46 GMT

Hello,

I have a lot connections from my firewall to public IP addresses 65.52.98.231 port 443.

Our SIEM correlated events and generating the following offense:

Event Name: Excessive Firewall Accepts From Multiple Sources to a Single Destination

Low Level Category: Firewall Permit

Event Description: Excessive Firewall Accepts were detected from multiple hosts to a single destination. More than 100 events were detected from at least 100 unique source IP addresses in 5 minutes. This is common in large organization where the destination is a common web server like Google or a software update site, however connections to unknown hosts should be investigated.

Paloalto event:

<14>Jul 1 06:14:52 1,2014/07/01 06:14:52,0003C102046,TRAFFIC,end,0,2014/07/01 06:14:51,XX.XX.XX.XX,65.52.98.231,XXX.X.XX.XX,65.52.98.231,usuarisInet,oa\segXX,,ms-product-activation,vsys1,Trust,Untrust,ethernet1/2,ethernet1/3,ACUNTIA,2014/07/01 06:14:51,238570,1,49266,443,19777,443,0x400000,tcp,allow,59379,38092,21287,69,2014/07/01 06:14:13,9,computer-and-internet-info,0,328805147,0x0,10.0.0.0-10.255.255.255,United States,0,39,30�

*Event 3772 events

http://forums.mydigitallife.info/threads/41010-KMSEmulator-KMS-Client-and-Server-Emulation-Source/page180

Legal/illegal KMS activation. Any idea?

Could someone confirm these are bad and OK, to block?

...and another more:

IP addresses 134.170.184.137 port 80.

https://www.virustotal.com/es/ip-address/134.170.184.137/information/

https://malwr.com/analysis/NTk4N2E3N2Q2NjUzNGI1OGIzYzE1Mzc0OWI1MWQ2ODc/

IP addresses 134.170.189.4 port 80.

https://www.virustotal.com/es/ip-address/134.170.189.4/information/

https://malwr.com/analysis/ZTUxZmZlYzg3MmZkNDdmMDkyNWI2YmRlMzdmZjg0YmU/

IP addresses 64.4.11.25 port 80.

https://www.virustotal.com/es/ip-address/64.4.11.25/information/

Malwr - Malware Analysis by Cuckoo Sandbox

Regards and thanks,

Diego C:smileyconfused:

Re: A lot of traffic on port 443 (https) to ip 65.52.98.231

hshah — Mon, 07 Jul 2014 07:56:58 GMT

Hi COS,

65.52.98.231 is IP address of co2.sls.microsoft.com, hence it has to be genuine, give me some more time for further research.

Regards,

Hardik Shah

Re: A lot of traffic on port 443 (https) to ip 65.52.98.231

hshah — Mon, 07 Jul 2014 08:14:40 GMT

Hello COS,

5 Microsoft services are hosted on IP address in question. These services are used for activation and update stuff. Refer Bellow mentioned link.

https://www.robtex.com/dns/co2.sls.microsoft.com.html

Traffic log says application is "ms-product-activation". Hence I believe some of the applications are trying to activate itself.

Collect source IP addresses and provide it to system team to find out root cause of simultaneous activation logs.

Bottom line is its not a threat, its genuine traffic.

Even SIEM says Excessive session, not malicious session. Its just an alert to administrator, so he can varify if destination is malicious[torrent/bot/etc].

Regards,

Hardik Shah

Re: A lot of traffic on port 443 (https) to ip 65.52.98.231

hshah — Mon, 07 Jul 2014 09:31:29 GMT

Hello COS,

Please find WHOIS for new 3 IP addresses, they all belongs to Microsoft.

http://www.whois.com/whois/64.4.11.25

http://www.whois.com/whois/134.170.189.4

http://www.whois.com/whois/64.4.11.25

Moreover, virustotal result based on IP address doesnt prove any thing. Nobody can confirm if connections were malicious. In virus total results also most of the anti-virus are not detecting it as a virus.

Regards,

Hardik Shah