https://community.checkpoint.com/t5/Firewall-and-Security-Management/Malicious-traffic-analysis/m-p/144170#M22418 <P>We are experiencing an interesting phenomenon at our client</P><P>In several cases, we find that suspicious traffic leaves their internal server.</P><P>Unfortunately it is not clear whether this is a response traffic that is only an event displayed by smartlog or a real malicious traffic.</P><P>Please see the attached screenshots – sensitive data was masked.</P><P>Have you ever encountered something similar? Are we really dealing with malicious traffic?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="screen1-b.png" style="width: 993px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/15776iDE59B19E2B0E5ECA/image-size/large?v=v2&amp;px=999" role="button" title="screen1-b.png" alt="screen1-b.png" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="screen3-b.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/15774i45FF3351522867AA/image-size/large?v=v2&amp;px=999" role="button" title="screen3-b.png" alt="screen3-b.png" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="screen4-b.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/15775i3D6D3A30792A9A24/image-size/large?v=v2&amp;px=999" role="button" title="screen4-b.png" alt="screen4-b.png" /></span></P><P>&nbsp;</P> Fri, 18 Mar 2022 14:29:59 GMT zsszlama 2022-03-18T14:29:59Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Malicious-traffic-analysis/m-p/144170#M22418 <P>We are experiencing an interesting phenomenon at our client</P><P>In several cases, we find that suspicious traffic leaves their internal server.</P><P>Unfortunately it is not clear whether this is a response traffic that is only an event displayed by smartlog or a real malicious traffic.</P><P>Please see the attached screenshots – sensitive data was masked.</P><P>Have you ever encountered something similar? Are we really dealing with malicious traffic?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="screen1-b.png" style="width: 993px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/15776iDE59B19E2B0E5ECA/image-size/large?v=v2&amp;px=999" role="button" title="screen1-b.png" alt="screen1-b.png" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="screen3-b.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/15774i45FF3351522867AA/image-size/large?v=v2&amp;px=999" role="button" title="screen3-b.png" alt="screen3-b.png" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="screen4-b.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/15775i3D6D3A30792A9A24/image-size/large?v=v2&amp;px=999" role="button" title="screen4-b.png" alt="screen4-b.png" /></span></P><P>&nbsp;</P> Fri, 18 Mar 2022 14:29:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Malicious-traffic-analysis/m-p/144170#M22418 zsszlama 2022-03-18T14:29:59Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Malicious-traffic-analysis/m-p/144174#M22420 <P>Hi,</P><P>On the second log card i can see service:443 dst:your IP. So i assume 194.26.74.188 is trying to connect to your ip address on port 443. On the first log when 196.26.74.188 is using source port 443 and destination port some random high tcp port, it means the same to me. As i understan, reply packet from your ip address is being dropped by your IOC feed, which is correc because AFAIK onle outgoing traffic can be blocked by this feature. HTH.</P><P>Regards</P> Fri, 18 Mar 2022 15:34:22 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Malicious-traffic-analysis/m-p/144174#M22420 RS_Daniel 2022-03-18T15:34:22Z