Analysis help needed

anders.akamai — Mon, 15 Aug 2016 07:12:55 GMT

Hi,

We have a security event that says that a trojan has tried to make a outbound connection attempt. What confuses me is that the source is an external IP-address and the source is our IP-address. If its an outbound attempt then the traffic should be the other way around?

Security event:

[1:37215:1] "MALWARE-CNC Win.Trojan.Pmabot outbound connection attempt" [Impact: Vulnerable] From "NAME_OF_OUR_FIREWALL" at Thu Aug 11 21:59:31 2016 UTC [Classification: A Network Trojan was Detected] [Priority: 1] {tcp} EXTERNAL_IP-ADDRESS:48242 (canada)->OUR_IP-ADDRESS:80 (OUR_COUNTRY)

Should we worry that we have an infected host?

Best regards,

Anders

Hello Anders,

Jetsy Mathew — Mon, 15 Aug 2016 07:33:21 GMT

Hello Anders,

Make sure that the SRU is on the latest version.

If you are receiving alerts like this , we need to verify the packet capture for this intrusion events.

You should collect packet download from Analysis > intrusion events > Select the respective intrusion event >Download packet .

Collect the capture and open a service request with TAC to analyze the same.

Regards

Jetsy

topic Hello Anders, in Network Security

Analysis help needed

Hello Anders,