A very high quantity of botnet false alerts is being reported on our appliance. Using 9.1.3.
Botnet report alerts as noted below:
Repeatedly visited (10) the same URL 220.127.116.11/
Repeatedly visited (30) the same URL 18.104.22.168/
Repeatedly visited (69) the same URL 22.214.171.124
Visited malware URL tdsjsext1.life/ExtService.svc/getextparams.
126.96.36.199 resolves to app-id “google-base”/443
If you check the above IP addresses, you will see a common factor; it looks like this is normal behaviour for Google's ad platform?
How to fix this issue?
The botnet report flags anything that connects directly to an IP address instead of to an FQDN. While this is common in ad networks, the firewall doesn't maintain a list of IPs that are "commonly" connected to directly because of these bad practices. The only thing the report is really saying is that someone connected directly to an IP address, and doing so can be an indication of an issue.
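The heuristic described in the answer (a URL whose host is a bare IP rather than an FQDN, counted per destination so that repeated visits stand out) is easy to reproduce against your own URL logs when you want to triage these alerts before deciding whether they are noise. The following is an added example written for this page; it is not the firewall's own code, and it does not claim to match how the appliance builds its report. The log lines are constructed samples in a hypothetical "time,src,url" format, and the optional `allowlist` of network ranges is an assumption about how an operator might suppress known ad-network destinations, not something the firewall provides.

```python
"""Triage "direct-to-IP" URL visits the way a botnet report heuristic does.

Added example for this page, not code from the original post or from the
firewall vendor. Input format and the allowlist idea are assumptions.
"""
import ipaddress
from collections import Counter
from typing import Dict, Iterable, Optional
from urllib.parse import urlparse

# Constructed sample log lines in a hypothetical "time,src,url" layout.
# The destination IPs are the ones quoted in the question above.
SAMPLE_LOG = """\
2024-01-01T10:00:01,10.0.0.5,220.127.116.11/
2024-01-01T10:00:02,10.0.0.5,http://220.127.116.11/
2024-01-01T10:00:03,10.0.0.5,https://18.104.22.168:443/
2024-01-01T10:00:04,10.0.0.7,https://www.example.com/ads
2024-01-01T10:00:05,10.0.0.7,http://[2001:db8::1]/beacon
2024-01-01T10:00:06,10.0.0.5,220.127.116.11/
"""


def host_of(url: str) -> Optional[str]:
    """Return the host part of a logged URL.

    URL logs often omit the scheme ("220.127.116.11/"); without one,
    urlparse would treat the whole string as a path, so a scheme is added.
    Ports are stripped and IPv6 brackets are removed by .hostname.
    """
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname


def is_bare_ip(host: str) -> bool:
    """True when the host is an IPv4/IPv6 literal instead of an FQDN."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def direct_ip_visits(log_text: str) -> Counter:
    """Count visits whose URL host is a bare IP, keyed by that IP."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        # maxsplit=2 keeps any commas that appear inside the URL itself.
        _ts, _src, url = line.split(",", 2)
        host = host_of(url)
        if host and is_bare_ip(host):
            counts[host] += 1
    return counts


def repeated_ip_visits(
    log_text: str, threshold: int = 3, allowlist: Iterable[str] = ()
) -> Dict[str, int]:
    """Return {ip: visits} for direct-to-IP destinations seen at least
    `threshold` times, excluding any inside the operator's allowlist
    (assumed CIDR strings such as "220.127.116.0/24")."""
    nets = [ipaddress.ip_network(n, strict=False) for n in allowlist]
    flagged: Dict[str, int] = {}
    for host, n in direct_ip_visits(log_text).items():
        addr = ipaddress.ip_address(host)
        if n >= threshold and not any(addr in net for net in nets):
            flagged[host] = n
    return flagged


if __name__ == "__main__":
    for ip, n in repeated_ip_visits(SAMPLE_LOG).items():
        print(f"Repeatedly visited ({n}) the same URL {ip}/")
```

Running the block prints one line for 220.127.116.11, mirroring the shape of the report entries in the question. Note what the check does and does not tell you: it only establishes that a client talked to an address without a name lookup, exactly as the answer says. Whether that address is an ad network or a command-and-control host still has to be decided from other evidence (the app-id seen on the session, WHOIS or reverse DNS for the range, the process on the endpoint), and any allowlist you build from that evidence is your own tuning, not something the appliance ships.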