We are experiencing an interesting phenomenon at our client.
In several cases, we find that suspicious traffic leaves their internal server.
Unfortunately, it is not clear whether this is response traffic that is only an event displayed by SmartLog or real malicious traffic.
Please see the attached screenshots – sensitive data was masked.
Have you ever encountered something similar? Are we really dealing with malicious traffic?
Hi,
On the second log card I can see service:443 dst:your IP. So I assume 194.26.74.188 is trying to connect to your IP address on port 443. On the first log, when 196.26.74.188 is using source port 443 and destination port some random high TCP port, it means the same to me. As I understand, the reply packet from your IP address is being dropped by your IOC feed, which is correct because AFAIK only outgoing traffic can be blocked by this feature. HTH.
Regards