07-07-2014 12:54 AM
Hello,
I have a lot of connections from my firewall to the public IP address 65.52.98.231 on port 443.
Our SIEM correlated the events and generated the following offense:
Event Name: Excessive Firewall Accepts From Multiple Sources to a Single Destination
Low Level Category: Firewall Permit
Event Description: Excessive Firewall Accepts were detected from multiple hosts to a single destination. More than 100 events were detected from at least 100 unique source IP addresses in 5 minutes. This is common in large organization where the destination is a common web server like Google or a software update site, however connections to unknown hosts should be investigated.
Paloalto event:
<14>Jul 1 06:14:52 1,2014/07/01 06:14:52,0003C102046,TRAFFIC,end,0,2014/07/01 06:14:51,XX.XX.XX.XX,65.52.98.231,XXX.X.XX.XX,65.52.98.231,usuarisInet,oa\segXX,,ms-product-activation,vsys1,Trust,Untrust,ethernet1/2,ethernet1/3,ACUNTIA,2014/07/01 06:14:51,238570,1,49266,443,19777,443,0x400000,tcp,allow,59379,38092,21287,69,2014/07/01 06:14:13,9,computer-and-internet-info,0,328805147,0x0,10.0.0.0-10.255.255.255,United States,0,39,30
*Event 3772 events
Legal/illegal KMS activation. Any idea?
Could someone confirm whether these are bad and OK to block?
...and some more:
IP address 134.170.184.137 port 80.
https://www.virustotal.com/es/ip-address/134.170.184.137/information/
https://malwr.com/analysis/NTk4N2E3N2Q2NjUzNGI1OGIzYzE1Mzc0OWI1MWQ2ODc/
IP address 134.170.189.4 port 80.
https://www.virustotal.com/es/ip-address/134.170.189.4/information/
https://malwr.com/analysis/ZTUxZmZlYzg3MmZkNDdmMDkyNWI2YmRlMzdmZjg0YmU/
IP address 64.4.11.25 port 80.
https://www.virustotal.com/es/ip-address/64.4.11.25/information/
Regards and thanks,
Diego C
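The offense text above describes the rule concretely: more than 100 accepted events from at least 100 distinct source IPs to one destination inside five minutes. As an added example (not code from the post, from the SIEM vendor or from Palo Alto), the following Python parses PAN-OS traffic syslog lines in the layout quoted in the post, replays that rule with a sliding five-minute window per destination, and hands back the source list and applications seen so the offense can be triaged. Assumptions: field positions follow the PAN-OS 6.x traffic log format (type at index 3, generated time at 6, source at 7, destination at 8, application at 14, destination port at 25, action at 30, counted after the syslog header); the sample log lines are constructed, with 10.0.0.0/8 and RFC 5737 addresses standing in for real hosts; the thresholds are parameters so the rule can be tightened or loosened.

```python
import csv
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# Syslog header that precedes the PAN-OS CSV payload, e.g. "<14>Jul 1 06:14:52 ".
_SYSLOG_HDR = re.compile(r"^<\d+>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+")
_TIME_FMT = "%Y/%m/%d %H:%M:%S"

# The line quoted in the post (placeholders kept as posted), used to check the parser.
POST_LINE = (r"<14>Jul 1 06:14:52 1,2014/07/01 06:14:52,0003C102046,TRAFFIC,end,0,"
             r"2014/07/01 06:14:51,XX.XX.XX.XX,65.52.98.231,XXX.X.XX.XX,65.52.98.231,"
             r"usuarisInet,oa\segXX,,ms-product-activation,vsys1,Trust,Untrust,"
             r"ethernet1/2,ethernet1/3,ACUNTIA,2014/07/01 06:14:51,238570,1,49266,443,"
             r"19777,443,0x400000,tcp,allow,59379,38092,21287,69,2014/07/01 06:14:13,9,"
             r"computer-and-internet-info,0,328805147,0x0,10.0.0.0-10.255.255.255,"
             r"United States,0,39,30")


def parse_traffic_line(line):
    """Extract the fields the rule needs from one PAN-OS TRAFFIC syslog line.
    Field positions are assumed from the PAN-OS 6.x traffic log format (0-based after
    the syslog header). Returns None for lines that are not traffic logs."""
    payload = _SYSLOG_HDR.sub("", line.strip())
    fields = next(csv.reader([payload]))
    if len(fields) < 31 or fields[3] != "TRAFFIC":
        return None
    return {
        "time": datetime.strptime(fields[6], _TIME_FMT),
        "src": fields[7],
        "dst": fields[8],
        "app": fields[14],
        "dport": int(fields[25]),
        "action": fields[30],
    }


def find_excessive_accepts(records, min_events=100, min_sources=100,
                           window=timedelta(minutes=5)):
    """Emulate the SIEM rule: per destination, slide a window over the allowed
    sessions in time order and raise one offense as soon as the window holds more
    than min_events events from at least min_sources distinct source IPs."""
    by_dst = {}
    for rec in sorted(records, key=lambda r: r["time"]):
        if rec["action"] == "allow":  # the rule counts firewall permits only
            by_dst.setdefault(rec["dst"], []).append(rec)
    offenses = []
    for dst, events in by_dst.items():
        recent, src_count = deque(), Counter()
        for ev in events:
            recent.append(ev)
            src_count[ev["src"]] += 1
            while ev["time"] - recent[0]["time"] > window:  # expire old events
                old = recent.popleft()
                src_count[old["src"]] -= 1
                if src_count[old["src"]] == 0:
                    del src_count[old["src"]]
            if len(recent) > min_events and len(src_count) >= min_sources:
                offenses.append({
                    "dst": dst,
                    "events": len(recent),
                    "sources": sorted(src_count),          # for the system team
                    "apps": sorted({e["app"] for e in recent}),
                    "ports": sorted({e["dport"] for e in recent}),
                    "first": recent[0]["time"],
                    "last": ev["time"],
                })
                break  # one offense per destination is enough for triage
    return offenses


def make_line(t, src, dst, dport, app, action="allow"):
    """Build a constructed traffic log line in the same layout as POST_LINE."""
    ts = t.strftime(_TIME_FMT)
    return (f"<14>{t:%b} {t.day} {t:%H:%M:%S} 1,{ts},0003C102046,TRAFFIC,end,0,{ts},"
            f"{src},{dst},{src},{dst},usuarisInet,oa\\segXX,,{app},vsys1,Trust,Untrust,"
            f"ethernet1/2,ethernet1/3,ACUNTIA,{ts},238570,1,49266,{dport},19777,{dport},"
            f"0x400000,tcp,{action},59379,38092,21287,69,{ts},9,computer-and-internet-info,"
            f"0,328805147,0x0,10.0.0.0-10.255.255.255,United States,0,39,30")


def sample_lines():
    """Constructed sample (not real logs): 120 internal hosts activating against
    65.52.98.231 within two minutes (must fire); one host opening 150 sessions to a
    second destination (many events, one source: must not fire); light web traffic
    to a third destination (too few events: must not fire)."""
    t0 = datetime(2014, 7, 1, 6, 10, 0)
    lines = [make_line(t0 + timedelta(seconds=i), f"10.0.1.{i + 1}",
                       "65.52.98.231", 443, "ms-product-activation") for i in range(120)]
    lines += [make_line(t0 + timedelta(seconds=i), "10.0.2.7",
                        "203.0.113.10", 443, "ssl") for i in range(150)]
    lines += [make_line(t0 + timedelta(minutes=i), f"10.0.3.{i + 1}",
                        "198.51.100.5", 80, "web-browsing") for i in range(30)]
    return lines


def run_rule(lines, **thresholds):
    """Parse raw syslog lines and run the rule; thresholds override the defaults."""
    records = [r for r in map(parse_traffic_line, lines) if r]
    return find_excessive_accepts(records, **thresholds)


if __name__ == "__main__":
    for off in run_rule(sample_lines()):
        print(f"{off['dst']} ports={off['ports']} apps={off['apps']} "
              f"events={off['events']} unique_sources={len(off['sources'])} "
              f"{off['first']:%H:%M:%S}-{off['last']:%H:%M:%S}")
        print("  sources for the system team:", ", ".join(off["sources"][:5]), "...")
```

Run stand-alone it prints a single offense for 65.52.98.231 with the application column reading ms-product-activation, which is the detail that turns the offense from "unknown host" into "activation traffic"; the single noisy host and the sparse web traffic stay silent because the rule needs both volume and source diversity. The application and port sets are carried on the offense deliberately: a destination that suddenly shows a second application, or a non-443 port, is the signal worth investigating even when the IP itself is known.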
07-07-2014 01:14 AM
Hello COS,
5 Microsoft services are hosted on the IP address in question. These services are used for activation and update stuff. Refer to the link mentioned below.
https://www.robtex.com/dns/co2.sls.microsoft.com.html
The traffic log says the application is "ms-product-activation". Hence I believe some of the applications are trying to activate themselves.
Collect the source IP addresses and provide them to the system team to find out the root cause of the simultaneous activation logs.
Bottom line is it's not a threat, it's genuine traffic.
Even the SIEM says excessive session, not malicious session. It's just an alert to the administrator, so he can verify if the destination is malicious [torrent/bot/etc].
Regards,
Hardik Shah
07-07-2014 02:31 AM
Hello COS,
Please find the WHOIS for the 3 new IP addresses; they all belong to Microsoft.
http://www.whois.com/whois/64.4.11.25
http://www.whois.com/whois/134.170.189.4
http://www.whois.com/whois/64.4.11.25
Moreover, a VirusTotal result based on IP address doesn't prove anything. Nobody can confirm if the connections were malicious. In the VirusTotal results too, most of the anti-virus engines are not detecting it as a virus.
Regards,
Hardik Shah