zsszlama
Explorer

Malicious traffic analysis


We are experiencing an interesting phenomenon at our client.

In several cases, we find that suspicious traffic leaves their internal server.

Unfortunately it is not clear whether this is response traffic that is only an event displayed by SmartLog, or real malicious traffic.

Please see the attached screenshots – sensitive data was masked.

Have you ever encountered something similar? Are we really dealing with malicious traffic?

Attachments: screen1-b.png, screen3-b.png, screen4-b.png


Accepted Solutions
RS_Daniel
Advisor

Hi,

On the second log card I can see service:443 dst:your IP. So I assume 194.26.74.188 is trying to connect to your IP address on port 443. On the first log, when 196.26.74.188 is using source port 443 and destination port some random high TCP port, it means the same to me. As I understand, the reply packet from your IP address is being dropped by your IOC feed, which is correct because AFAIK only outgoing traffic can be blocked by this feature. HTH.

Regards

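The answer above reads the client/server roles off the port numbers on each log card: whichever side holds the well-known service port (443) is the server, and the side holding the random high port is the client, so an "outgoing" entry from the internal host with source port 443 is the reply leg of an inbound connection rather than a connection the server started. The following Python example, added here and not taken from the thread or from any Check Point tool, makes that reasoning repeatable over a small set of constructed log records. The internal address range, the placeholder peer address and the service-port set are assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Assumptions (constructed for this example): the client's servers sit in an
# RFC 1918 range and the flagged external address is a TEST-NET placeholder.
INTERNAL_NET = ip_network("10.0.0.0/8")
PEER = "203.0.113.77"  # placeholder for the external address in the screenshots

# Ports treated as "service" ports; everything from 1024 up is treated as
# ephemeral. Extend this to match the services the host actually publishes.
SERVICE_PORTS = {22, 25, 53, 80, 443, 3389}


@dataclass(frozen=True)
class LogRecord:
    src: str
    src_port: int
    dst: str
    dst_port: int
    action: str  # e.g. "Accept" or "Drop", as shown on the log card


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL_NET


def is_service_port(port: int) -> bool:
    return port in SERVICE_PORTS or port < 1024


def classify(rec: LogRecord) -> str:
    """Label a record by which side holds the service port.

    inbound-attempt   external client  -> internal service port
    inbound-reply     internal service -> external client (reply leg)
    outbound-attempt  internal client  -> external service port
    outbound-reply    external service -> internal client (reply leg)
    ambiguous         both ports look like service ports, both look
                      ephemeral, or both addresses are on the same side
    """
    src_svc = is_service_port(rec.src_port)
    dst_svc = is_service_port(rec.dst_port)
    if src_svc == dst_svc:
        return "ambiguous"
    src_int, dst_int = is_internal(rec.src), is_internal(rec.dst)
    if dst_int and not src_int:
        return "inbound-attempt" if dst_svc else "outbound-reply"
    if src_int and not dst_int:
        return "inbound-reply" if src_svc else "outbound-attempt"
    return "ambiguous"


def triage(records: List[LogRecord], peer: str) -> str:
    """Summarise the evidence for one external peer.

    escalate    an internal host initiated a connection to the peer
    reply-only  the only internal egress is the reply leg of inbound probes
    probe-only  the peer probed us and no egress was logged at all
    unclear     nothing conclusive in the records
    """
    kinds = {classify(r) for r in records if peer in (r.src, r.dst)}
    if "outbound-attempt" in kinds:
        return "escalate"
    if "inbound-attempt" in kinds and "inbound-reply" in kinds:
        return "reply-only"
    if "inbound-attempt" in kinds:
        return "probe-only"
    return "unclear"


# Constructed records mirroring the two log cards discussed in the thread:
# the peer connects to the internal host on 443, then the host's reply from
# source port 443 toward the peer's high port is dropped by the IOC feed.
SAMPLE_LOG = [
    LogRecord(PEER, 51234, "10.1.2.3", 443, "Accept"),
    LogRecord("10.1.2.3", 443, PEER, 51234, "Drop"),
]


if __name__ == "__main__":
    for rec in SAMPLE_LOG:
        print(f"{rec.src}:{rec.src_port} -> {rec.dst}:{rec.dst_port} "
              f"[{rec.action}] => {classify(rec)}")
    print("triage:", triage(SAMPLE_LOG, PEER))
```

A "reply-only" result matches the situation the answer describes; an "escalate" result is the case where the internal server itself opened a connection to the peer and a packet capture or the connection's TCP flags (a SYN without ACK leaving the server) should be checked. The port heuristic is only a triage aid: it cannot separate the two legs when a service listens on a high port or when the log's source and destination are swapped per packet, so use the connection-direction field of the log where the product provides one.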