False positive alerts

L4 Transporter

A very high quantity of botnet false alerts is being reported on our appliance. Using 9.1.3.

 

Botnet report alerts as noted below:

 

Repeatedly visited (10) the same URL 216.58.199.36/

Repeatedly visited (30) the same URL 142.250.66.164/

Repeatedly visited (69) the same URL 142.250.67.4

 

Visited malware URL tdsjsext1.life/ExtService.svc/getextparams.

216.58.203.100 resolves to app-id “google-base”/443

If you check the above IP addresses, you will see a common factor; it looks like this is normal behaviour for Google's ad platform?

 

How to fix this issue?

Cyber Elite

@FarzanaMustafa,

The botnet report flags anything that connects directly to an IP address instead of an FQDN; while this is common in ad networks, the firewall doesn't maintain a list of IPs that are "commonly" connected to directly because of these bad practices. All that report is really saying is that someone connected directly to an IP address, and doing so can be an indication of an issue.
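To make the heuristic concrete, here is an added illustration (not PAN-OS code, not code from anyone in this thread) of the two signals the report lines above combine: a URL whose host is a literal IP rather than an FQDN, and that URL being hit repeatedly by the same source. The log entries are constructed, the threshold is arbitrary, and the suppression list at the end is an assumed analyst-side filter; as the reply notes, the firewall itself keeps no such list.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample URL log entries as (source host, URL); not real firewall output.
SAMPLE_LOG = [
    ("10.1.1.5", "216.58.199.36/"),
    ("10.1.1.5", "216.58.199.36/"),
    ("10.1.1.5", "216.58.199.36/"),
    ("10.1.1.5", "142.250.66.164/"),
    ("10.1.1.5", "www.example.com/"),
    ("10.1.1.5", "www.example.com/"),
    ("10.1.1.5", "[2001:db8::1]/"),
    ("10.1.1.5", "[2001:db8::1]/"),
]

# Hypothetical analyst-side suppression list (an assumption for this example;
# the firewall does not maintain one). 216.58.192.0/19 contains the 216.58.x.x
# addresses quoted in the thread.
KNOWN_AD_NETS = [ipaddress.ip_network("216.58.192.0/19")]


def host_of(url):
    """Return the host part of a URL, tolerating URLs logged without a scheme."""
    if "://" not in url:
        url = "//" + url          # lets urlsplit parse the netloc
    return urlsplit(url).hostname  # brackets around IPv6 literals are stripped


def is_direct_ip(url):
    """True when the URL's host is a literal IPv4/IPv6 address rather than an FQDN."""
    host = host_of(url)
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def repeated_direct_ip_visits(entries, threshold):
    """Count direct-to-IP URLs per (source, url); keep those at or above threshold."""
    counts = Counter((src, url) for src, url in entries if is_direct_ip(url))
    return {key: n for key, n in counts.items() if n >= threshold}


def format_report(hits):
    """Render hits in the wording the thread quotes, most-visited first."""
    ordered = sorted(hits.items(), key=lambda kv: -kv[1])
    return [f"Repeatedly visited ({n}) the same URL {url}" for (_src, url), n in ordered]


def triage(hits, suppress_nets):
    """Split hits into those inside a suppressed network and those needing review."""
    suppressed, review = {}, {}
    for key, n in hits.items():
        addr = ipaddress.ip_address(host_of(key[1]))
        bucket = suppressed if any(addr in net for net in suppress_nets) else review
        bucket[key] = n
    return suppressed, review


if __name__ == "__main__":
    hits = repeated_direct_ip_visits(SAMPLE_LOG, threshold=2)
    for line in format_report(hits):
        print(line)
    sup, rev = triage(hits, KNOWN_AD_NETS)
    print("suppressed:", sup)
    print("review:", rev)
```

Note that the FQDN visits to www.example.com never appear in the output however often they repeat, which is exactly why the report above is dominated by ad-network and CDN addresses: the signal is "literal IP, visited repeatedly", nothing more. The `triage` step is where an analyst, not the firewall, would decide which ranges are expected.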

L4 Transporter

Hi @BPry 

 

The entire list looks like web browsing (unified logs showing as such?) and as a result the botnet alerts are incorrect. Surely this is not normal behaviour?
