topic Yeah I see that kind of thing in Network Security

Firepower blocking CnC

Lars Brachlow — Wed, 19 Apr 2017 14:07:16 GMT

Hello,

We are running an ASA with FirePower and a FMC for management. We are seeing many attempts from external C&C servers to our DMZ hosts which are getting blocked by FP. We are not seeing any attempts from our hosts to any C&C servers. I have been investigating these attempts but am not really getting anywhere so I am wondering if it is really worthwhile seeing as the traffic is being blocked anyways.

Any thoughts if I should be chasing these alerts?

C&C server trying to access a

Marvin Rhoads — Thu, 20 Apr 2017 08:43:21 GMT

C&C server trying to access a DMZ host dopesn't necessarily mean the host is compromised.

If the DMZ servers have public IP addresses assigned, it could simply be scanning attempts from the C&C servers.

I'd just chalk it up as a "win" and move on.

Yeah I see that kind of thing

Jonathan Bayless — Mon, 24 Apr 2017 15:53:14 GMT

Yeah I see that kind of thing often as well on things that have exposed ports. Basically the system is working as intended. I wish it would say more clearly whether it blocked the connection or not. If it is recognized as a C&C connection, it should be blocked but I guess it depends on how you set your policy really.

Thanks Jonathan and Marvin.

Lars Brachlow — Mon, 24 Apr 2017 16:05:22 GMT

Thanks Jonathan and Marvin.

I was thinking that things were working as they should but wanted to make sure.

@Lars Brachlow

Marvin Rhoads — Tue, 25 Apr 2017 00:27:18 GMT

lbrachlow1

You're welcome. Please mark your question as answered if it has been.