This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
zsszlama
Explorer
‎2022-03-18 07:29 AM

Malicious traffic analysis

Jump to solution

We are experiencing an interesting phenomenon at our client

In several cases, we find that suspicious traffic leaves their internal server.

Unfortunately it is not clear whether this is a response traffic that is only an event displayed by smartlog or a real malicious traffic.

Please see the attached screenshots – sensitive data was masked.

Have you ever encountered something similar? Are we really dealing with malicious traffic?

screen1-b.png

 

screen3-b.png

 

screen4-b.png

 

0 Kudos
1 Solution

Accepted Solutions
RS_Daniel
Advisor
‎2022-03-18 08:34 AM

Jump to solution

Hi,

On the second log card i can see service:443 dst:your IP. So i assume 194.26.74.188 is trying to connect to your ip address on port 443. On the first log when 196.26.74.188 is using source port 443 and destination port some random high tcp port, it means the same to me. As i understan, reply packet from your ip address is being dropped by your IOC feed, which is correc because AFAIK onle outgoing traffic can be blocked by this feature. HTH.

Regards

View solution in original post

0 Kudos
1 Reply
RS_Daniel
Advisor
‎2022-03-18 08:34 AM

Jump to solution

Hi,

On the second log card i can see service:443 dst:your IP. So i assume 194.26.74.188 is trying to connect to your ip address on port 443. On the first log when 196.26.74.188 is using source port 443 and destination port some random high tcp port, it means the same to me. As i understan, reply packet from your ip address is being dropped by your IOC feed, which is correc because AFAIK onle outgoing traffic can be blocked by this feature. HTH.

Regards

0 Kudos