A lot of traffic on port 443 (https) to ip 65.52.98.231

Hello,

I have a lot of connections from my firewall to the public IP address 65.52.98.231 port 443.

Our SIEM correlated the events and is generating the following offense:

    Event Name:    Excessive Firewall Accepts From Multiple Sources to a Single Destination

    Low Level Category:    Firewall Permit

    Event Description:    Excessive Firewall Accepts were detected from multiple hosts to a single destination.  More than 100 events were detected from at least 100 unique source IP addresses in 5 minutes. This is common in large organizations where the destination is a common web server like Google or a software update site; however, connections to unknown hosts should be investigated.

    Paloalto event:

<14>Jul  1 06:14:52 1,2014/07/01 06:14:52,0003C102046,TRAFFIC,end,0,2014/07/01 06:14:51,XX.XX.XX.XX,65.52.98.231,XXX.X.XX.XX,65.52.98.231,usuarisInet,oa\segXX,,ms-product-activation,vsys1,Trust,Untrust,ethernet1/2,ethernet1/3,ACUNTIA,2014/07/01 06:14:51,238570,1,49266,443,19777,443,0x400000,tcp,allow,59379,38092,21287,69,2014/07/01 06:14:13,9,computer-and-internet-info,0,328805147,0x0,10.0.0.0-10.255.255.255,United States,0,39,30

Event count: 3772 events

http://forums.mydigitallife.info/threads/41010-KMSEmulator-KMS-Client-and-Server-Emulation-Source/pa...

Legal/illegal KMS activation. Any idea?

Could someone confirm whether these are bad and OK to block?

...and some more:

IP address 134.170.184.137 port 80.

https://www.virustotal.com/es/ip-address/134.170.184.137/information/

https://malwr.com/analysis/NTk4N2E3N2Q2NjUzNGI1OGIzYzE1Mzc0OWI1MWQ2ODc/

IP address 134.170.189.4 port 80.

https://www.virustotal.com/es/ip-address/134.170.189.4/information/

https://malwr.com/analysis/ZTUxZmZlYzg3MmZkNDdmMDkyNWI2YmRlMzdmZjg0YmU/

IP address 64.4.11.25 port 80.

https://www.virustotal.com/es/ip-address/64.4.11.25/information/

Regards and thanks,

Diego C

Re: A lot of traffic on port 443 (https) to ip 65.52.98.231

Hi COS,

65.52.98.231 is the IP address of co2.sls.microsoft.com, hence it has to be genuine; give me some more time for further research.

Regards,

Hardik Shah

Re: A lot of traffic on port 443 (https) to ip 65.52.98.231

Hello COS,

5 Microsoft services are hosted on the IP address in question. These services are used for activation and update stuff. Refer to the link mentioned below.

https://www.robtex.com/dns/co2.sls.microsoft.com.html

Traffic log says the application is "ms-product-activation". Hence I believe some of the applications are trying to activate themselves.

Collect the source IP addresses and provide them to the system team to find out the root cause of the simultaneous activation logs.

Bottom line is it's not a threat, it's genuine traffic.

Even the SIEM says excessive session, not malicious session. It's just an alert to the administrator, so he can verify if the destination is malicious [torrent/bot/etc].

Regards,

Hardik Shah
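The offense rule quoted in the question, implemented over the PAN-OS TRAFFIC log format shown there, as an added example (not the SIEM's or Palo Alto's code). Field positions are read off the sample line in the post, the feed is assumed to arrive in chronological order, and `sample_lines()` builds a constructed feed of one activation session per host so the source list the reply asks for can be pulled straight from the result:

```python
import csv
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Field positions taken from the sample PAN-OS TRAFFIC log line in the question.
GEN_TIME, SRC, DST, APP, DPORT, ACTION = 6, 7, 8, 14, 25, 30
SYSLOG_HDR = re.compile(r"^<\d+>\w{3}\s+\d+ \d\d:\d\d:\d\d\s+")

def parse_traffic(line):
    """Strip the syslog header and return the fields a SIEM would key on (None if not a TRAFFIC log)."""
    fields = next(csv.reader(StringIO(SYSLOG_HDR.sub("", line, count=1))))
    if len(fields) < 31 or fields[3] != "TRAFFIC":
        return None
    return {"time": datetime.strptime(fields[GEN_TIME], "%Y/%m/%d %H:%M:%S"),
            "src": fields[SRC], "dst": fields[DST], "dport": int(fields[DPORT]),
            "app": fields[APP], "action": fields[ACTION]}

def excessive_accepts(lines, window=timedelta(minutes=5), min_events=100, min_sources=100):
    """Flag a destination once more than min_events allowed sessions from at least
    min_sources unique sources fall inside one sliding window (the offense rule quoted
    above). Returns {dst: {"app": app, "sources": set_of_src}} for hand-off to the system team."""
    recent = defaultdict(deque)   # dst -> (time, src) pairs inside the window, oldest first
    offenses = {}
    for ev in filter(None, map(parse_traffic, lines)):
        if ev["action"] != "allow":
            continue
        q = recent[ev["dst"]]
        q.append((ev["time"], ev["src"]))
        while q and ev["time"] - q[0][0] > window:
            q.popleft()
        sources = {src for _, src in q}
        if len(q) > min_events and len(sources) >= min_sources:
            offenses.setdefault(ev["dst"], {"app": ev["app"], "sources": set()})["sources"] |= sources
    return offenses

# Constructed log line in the exact layout of the sample from the question (hypothetical hosts).
TEMPLATE = ("<14>Jul  1 06:14:52 1,2014/07/01 06:14:52,0003C102046,TRAFFIC,end,0,{t},{src},{dst},"
            "XXX.X.XX.XX,{dst},usuarisInet,oa\\segXX,,ms-product-activation,vsys1,Trust,Untrust,"
            "ethernet1/2,ethernet1/3,ACUNTIA,{t},238570,1,49266,443,19777,443,0x400000,tcp,allow,"
            "59379,38092,21287,69,{t},9,computer-and-internet-info,0,328805147,0x0")

def sample_lines(n_sources=120, dst="65.52.98.231"):
    """Constructed feed: n_sources internal hosts each open one activation session to dst, 2 s apart."""
    base = datetime(2014, 7, 1, 6, 10, 0)
    return [TEMPLATE.format(t=(base + timedelta(seconds=2 * i)).strftime("%Y/%m/%d %H:%M:%S"),
                            src=f"10.1.{i // 256}.{i % 256}", dst=dst) for i in range(n_sources)]
```

With 120 hosts inside four minutes the destination trips the rule and the result carries every source IP; with 50 it stays quiet, which is the whole point of the rule: it measures volume, not maliciousness.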

Re: A lot of traffic on port 443 (https) to ip 65.52.98.231

Hello COS,

Please find WHOIS for the 3 new IP addresses; they all belong to Microsoft.

http://www.whois.com/whois/64.4.11.25

http://www.whois.com/whois/134.170.189.4

http://www.whois.com/whois/64.4.11.25

Moreover, a VirusTotal result based on the IP address doesn't prove anything. Nobody can confirm if the connections were malicious. In the VirusTotal results also, most of the anti-virus engines are not detecting it as a virus.

Regards,

Hardik Shah