topic Re: False positive alerts in General Topics

False positive alerts

FarzanaMustafa — Wed, 26 Aug 2020 00:00:40 GMT

A very high quantity of botnet false alerts being reported on our appliance. Using 9.1.3.

Botnet report alerts as noted below:

Repeatedly visited (10) the same URL 216.58.199.36/

Repeatedly visited (30) the same URL 142.250.66.164/

Repeatedly visited (69) the same URL 142.250.67.4

Visited malware URL tdsjsext1.life/ExtService.svc/getextparams .

216.58.203.100 resolves to app-id “google-base”/443

If you check the above IP addresses, you will see a common factor, it looks like this is normal behaviour for Googles ad platform?

How to fix this issue?

Re: False positive alerts

BPry — Wed, 26 Aug 2020 13:28:49 GMT

@FarzanaMustafa,

The botnet reports anything that is connecting directly to an IP address instead of an FQDN; while this is common in Ad networks, the firewall doesn't maintain a list of IPs that is "common" to be connecting directly due to these bad practices. The only thing that is really saying is that someone connected directly to an IP address, and doing so can be an indication of an issue.

Re: False positive alerts

FarzanaMustafa — Thu, 27 Aug 2020 04:22:20 GMT

Hi @BPry

The entire list looks like web browsing (unified logs showing as such?) and as a result the botnet alerts are incorrect. Surely this is not normal behaviour?