07-04-2020 09:15 AM
Hi Live community,
recently when investigating a false positive C&C threat blocked from "shodan malware hunter" I was pleased to see others had posted into this community about this. In the past 24 hrs we have 2 SIEM alerts for C&C outside to publically presented hosts from 45.9.148.91. Anyone else seeing this behaviour ?
PAN did reset both but I am considering a block rule, but of course the src IP could change at any time.
IP is on some blacklists:
xbl.spamhaus.org has blacklisted this IP.
zen.spamhaus.org has blacklisted this IP.
and appears to slowly, be carrying out reconnaissance on our public IP space.
KR,
Lee
07-06-2020 01:53 PM
Hello,
I try to keep things dynamic and self learning. Meaning I stay away from IP's since they change too fast. Since a EBL has it, i say let it run with it. Also I would enable sending telemetry back to Palo Alto so they can update their definitions so we dont have to :).
Hope that makes sense.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
