LuisSP
Contributor

False positive with IPS and AntiBot? Confidence=HIGH, Medium

Appliance 1490, r77.20.87 Build 990172966
Blades: FW, AppCtrl, URLF, ABOT, AV, IPS, RAccs and SSL Inspect
Locally Managed

1. Yesterday (2020-may-07) I received a notification in WatchTower from FW about a BOT event.
2. The internal host supposedly infected was hostA.
3. The external threat host was 13.107.136.9.
4. Reviewing logs, I found communication attempts since May 7, logged by the IPS blade.
5. Hours later, there is a log by AppCtrl allowing and identifying the app Sharepoint-online on ip 13.107.136.9; that's correct.
6. Then… there was a log by Https Inspect with a Revoked Certificate or invalid CRL in a connection to sharepoint.com (13.107.136.9).
7. Again, other logs by IPS equal to point 4.
8. Yesterday (may-08) there is a log by AppCtrl allowing the eBay app with traffic to ip 13.107.136.9!!!! What? The resource on that log can be read as https://hostXYZ.sharepoint.com/...... What was this confusion about? Or what am I misinterpreting? (Doubt)
9. After that, there are logs by IPS and AppCtrl with the same data.
10. Suddenly a log by ABot appears with the same resource as point 8, but identifying a client type MicrosoftSkydriveSync.
11. Since then, there are logs by the FW blade. The strange thing about these logs is that, despite the fact that the traffic originated from the internal host to the external one, it is the incoming rules that are generating them. (Doubt)


Why was the appliance confused in properly diagnosing the correct application (OneDrive, not eBay), and why did it take so long to do so? Is this a common latency?

Why does an incoming rule produce such logs (point 11) for connection traffic originated from an internal host (outgoing traffic)?

Why did IPS alert with a confidence level HIGH, detecting a GNU BASH threat with HostA, when HostA is a Windows host?

I know there are so many doubts, words and lack of knowledge; I am reading guides, but please help me with this issue.


I'm thinking about a false positive... but I'm not sure.

Thanks.

[Attached screenshots: 001-ips, 002-AppC, 003, 004, 005-AppC-eBay????, 007-AppC-eBay again, 008-ABot, 009-outgoing traffic logged by incoming rules?, 010-AppC bye eBay, now OneDrive, Notification of infection]


PhoneBoy
Admin

False positives do happen from time to time.
Best to engage the TAC here so we can understand (and fix).