08-25-2020 05:00 PM
A very high quantity of botnet false alerts is being reported on our appliance. Using 9.1.3.
Botnet report alerts as noted below:
Repeatedly visited (10) the same URL 216.58.199.36/
Repeatedly visited (30) the same URL 142.250.66.164/
Repeatedly visited (69) the same URL 142.250.67.4
Visited malware URL tdsjsext1.life/ExtService.svc/getextparams.
216.58.203.100 resolves to app-id “google-base”/443
If you check the above IP addresses, you will see a common factor; it looks like this is normal behaviour for Google's ad platform?
How to fix this issue?
08-26-2020 06:28 AM
The botnet report flags anything that is connecting directly to an IP address instead of an FQDN; while this is common in ad networks, the firewall doesn't maintain a list of IPs that are "common" to connect to directly due to these bad practices. The only thing it is really saying is that someone connected directly to an IP address, and doing so can be an indication of an issue.
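To illustrate the heuristic described in this reply, here is an added example (not the firewall's code, and not from anyone in this thread) that runs the same "repeated visits to a bare-IP URL" check over a few constructed log lines; the log format, the threshold and the app-id allowlist used for triage are assumptions for the demo.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample URL log lines (not real data): timestamp, source, app-id, URL
SAMPLE_LOG = """\
2020-08-25T10:00:01 10.1.1.5 google-base http://216.58.199.36/
2020-08-25T10:00:05 10.1.1.5 google-base http://216.58.199.36/
2020-08-25T10:00:09 10.1.1.7 web-browsing http://142.250.66.164/
2020-08-25T10:00:12 10.1.1.7 web-browsing https://www.example.com/page
2020-08-25T10:00:20 10.1.1.9 web-browsing http://142.250.66.164/
2020-08-25T10:00:31 10.1.1.9 web-browsing http://142.250.66.164/
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def is_ip_literal(host: str) -> bool:
    """True if the URL host is a bare IPv4/IPv6 address rather than an FQDN."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def parse_log(text: str):
    """Yield (src, app_id, host) for each well-formed line of the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        _ts, src, app_id, url = m.groups()
        yield src, app_id, urlsplit(url).hostname or ""


def direct_ip_visits(text: str, threshold: int = 2, allow_apps=("google-base",)):
    """Count direct-to-IP visits per host, like the report's 'Repeatedly visited
    the same URL' check. Hosts seen only over app-ids in allow_apps (an assumed
    analyst-maintained allowlist) go to 'expected' for triage; the rest are flagged."""
    counts, apps = Counter(), {}
    for _src, app_id, host in parse_log(text):
        if is_ip_literal(host):
            counts[host] += 1
            apps.setdefault(host, set()).add(app_id)
    flagged, expected = {}, {}
    for host, n in counts.items():
        if n >= threshold:
            (expected if apps[host] <= set(allow_apps) else flagged)[host] = n
    return flagged, expected
```

The allowlist only reorders what an analyst looks at first; it does not change what the firewall itself reports.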
08-26-2020 09:22 PM
Hi @BPry
The entire list looks like web browsing (unified logs showing as such?) and as a result the botnet alerts are incorrect. Surely this is not normal behaviour?