I have a lot of connections from my firewall to the public IP address 126.96.36.199, port 443.
Our SIEM correlated the events and is generating the following offense:
Event Name: Excessive Firewall Accepts From Multiple Sources to a Single Destination
Low Level Category: Firewall Permit
Event Description: Excessive Firewall Accepts were detected from multiple hosts to a single destination. More than 100 events were detected from at least 100 unique source IP addresses in 5 minutes. This is common in large organizations where the destination is a common web server like Google or a software update site; however, connections to unknown hosts should be investigated.
<14>Jul 1 06:14:52 1,2014/07/01 06:14:52,0003C102046,TRAFFIC,end,0,2014/07/01 06:14:51,XX.XX.XX.XX,188.8.131.52,XXX.X.XX.XX,184.108.40.206,usuarisInet,oa\segXX,,ms-product-activation,vsys1,Trust,Untrust,ethernet1/2,ethernet1/3,ACUNTIA,2014/07/01 06:14:51,238570,1,49266,443,19777,443,0x400000,tcp,allow,59379,38092,21287,69,2014/07/01 06:14:13,9,computer-and-internet-info,0,328805147,0x0,10.0.0.0-10.255.255.255,United States,0,39,30
Event count: 3772 events
Legal or illegal KMS activation? Any idea?
Could someone confirm whether these are bad and OK to block?
...and some more:
IP address 220.127.116.11, port 80.
IP address 18.104.22.168, port 80.
IP address 22.214.171.124, port 80.
Regards and thanks,
126.96.36.199 is the IP address of co2.sls.microsoft.com, hence it has to be genuine. Give me some more time for further research.
Five Microsoft services are hosted on the IP address in question. These services are used for activation and update stuff. Refer to the link mentioned below.
The traffic log says the application is "ms-product-activation". Hence I believe some of the applications are trying to activate themselves.
Collect the source IP addresses and provide them to the systems team to find out the root cause of the simultaneous activation logs.
Bottom line is it's not a threat, it's genuine traffic.
Even the SIEM says excessive sessions, not malicious sessions. It's just an alert to the administrator, so he can verify whether the destination is malicious [torrent/bot/etc.].
Please find the WHOIS for the 3 new IP addresses; they all belong to Microsoft.
Moreover, a VirusTotal result based on an IP address doesn't prove anything. Nobody can confirm whether the connections were malicious. In the VirusTotal results, also, most of the anti-virus engines are not detecting it as a virus.
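Added example, not part of the thread or of any Palo Alto or SIEM product code: a small Python script that does what the original post's SIEM rule describes and what the reply recommends. It parses PAN-OS TRAFFIC syslog lines of the shape quoted above (syslog header followed by the CSV body; field positions are those of the PAN-OS 6.x traffic log format that the post's line follows), re-runs the "Excessive Firewall Accepts From Multiple Sources to a Single Destination" rule as a sliding 5-minute window (more than 100 allowed sessions from at least 100 unique source IPs to one destination), and for each offending destination reports the application, destination port and the list of source hosts to hand to the systems team. The sample logs are constructed inside the script from the post's own line as a template (hosts 10.0.1.x, the second destination, the user name and all timestamps are assumptions); the thresholds are parameters so the same code can be run with lower values against a short extract.

```python
import csv
import re
from collections import defaultdict
from datetime import datetime, timedelta

# BSD syslog header that precedes the CSV body, e.g. "<14>Jul 1 06:14:52 ".
SYSLOG_HDR = re.compile(r"^<\d+>[A-Za-z]{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+")

# 0-based positions in the PAN-OS 6.x TRAFFIC CSV (as in the post's log line):
# receive time, type, source IP, destination IP, application, dest port, action.
F_RECV, F_TYPE, F_SRC, F_DST, F_APP, F_DPORT, F_ACTION = 1, 3, 7, 8, 14, 25, 30


def parse_traffic_line(line):
    """Return the fields we need from one TRAFFIC log line, or None otherwise."""
    body = SYSLOG_HDR.sub("", line.strip())
    fields = next(csv.reader([body]))
    if len(fields) <= F_ACTION or fields[F_TYPE] != "TRAFFIC":
        return None
    return {
        "time": datetime.strptime(fields[F_RECV], "%Y/%m/%d %H:%M:%S"),
        "src": fields[F_SRC],
        "dst": fields[F_DST],
        "app": fields[F_APP],
        "dport": int(fields[F_DPORT]),
        "action": fields[F_ACTION],
    }


def excessive_accepts(events, min_events=100, min_sources=100,
                      window=timedelta(minutes=5)):
    """Sliding-window form of the SIEM rule: a destination offends when some
    window of length `window` holds more than `min_events` allowed sessions
    from at least `min_sources` distinct source IPs.  Returns
    {dst: summary of the largest offending window}."""
    by_dst = defaultdict(list)
    for ev in events:
        if ev["action"] == "allow":          # the rule counts firewall permits only
            by_dst[ev["dst"]].append(ev)
    offenses = {}
    for dst, evs in by_dst.items():
        evs.sort(key=lambda e: e["time"])
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1                   # slide the window forward
            win = evs[start:end + 1]
            srcs = {e["src"] for e in win}
            if (len(win) > min_events and len(srcs) >= min_sources
                    and (best is None or len(win) > best["events"])):
                best = {
                    "events": len(win),
                    "sources": sorted(srcs),  # the list to give the systems team
                    "apps": sorted({e["app"] for e in win}),
                    "dports": sorted({e["dport"] for e in win}),
                }
        if best is not None:
            offenses[dst] = best
    return offenses


def triage(lines):
    """Parse raw syslog lines and return the offenses the rule would raise."""
    events = [parse_traffic_line(l) for l in lines]
    return excessive_accepts([e for e in events if e is not None])


# Constructed sample data, not real logs: the post's line used as a template,
# with 120 assumed workstations (10.0.1.1 .. 10.0.1.120) each opening one
# allowed ms-product-activation session to 126.96.36.199:443 within four
# minutes, plus three hosts browsing to a second destination on port 80.
LINE_TMPL = (
    "<14>Jul 1 {ts} 1,2014/07/01 {ts},0003C102046,TRAFFIC,end,0,2014/07/01 {ts},"
    "{src},{dst},XXX.X.XX.XX,184.108.40.206,usuarisInet,oa\\seg01,,{app},vsys1,"
    "Trust,Untrust,ethernet1/2,ethernet1/3,ACUNTIA,2014/07/01 {ts},238570,1,49266,"
    "{dport},19777,{dport},0x400000,tcp,allow,59379,38092,21287,69,2014/07/01 {ts},"
    "9,computer-and-internet-info,0,328805147,0x0,10.0.0.0-10.255.255.255,"
    "United States,0,39,30"
)


def build_sample_logs():
    base = datetime(2014, 7, 1, 6, 14, 0)
    lines = []
    for i in range(120):
        ts = (base + timedelta(seconds=2 * i)).strftime("%H:%M:%S")
        lines.append(LINE_TMPL.format(ts=ts, src=f"10.0.1.{i + 1}", dst="126.96.36.199",
                                      app="ms-product-activation", dport=443))
    for i in range(3):
        ts = (base + timedelta(seconds=30 * i)).strftime("%H:%M:%S")
        lines.append(LINE_TMPL.format(ts=ts, src=f"10.0.2.{i + 1}", dst="220.127.116.11",
                                      app="web-browsing", dport=80))
    return lines


if __name__ == "__main__":
    for dst, info in triage(build_sample_logs()).items():
        print(f"{dst}: {info['events']} accepts from {len(info['sources'])} hosts, "
              f"apps={info['apps']} dports={info['dports']}")
```

Run against the constructed sample it reports one offending destination, 126.96.36.199, with 120 accepts from 120 hosts, application ms-product-activation on port 443, while the three web-browsing sessions to the second destination stay below the thresholds. The application field is what the reply keys on: if the offending destination shows up under an application other than ms-product-activation, or on an unexpected port, that is the point to keep investigating rather than close the offense.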