Analysis help needed

anders.akamai
Level 1

Hi,

We have a security event that says that a trojan has tried to make an outbound connection attempt. What confuses me is that the source is an external IP address and the source is our IP address. If it's an outbound attempt, then the traffic should be the other way around?

Security event:

[1:37215:1] "MALWARE-CNC Win.Trojan.Pmabot outbound connection attempt" [Impact: Vulnerable] From "NAME_OF_OUR_FIREWALL" at Thu Aug 11 21:59:31 2016 UTC [Classification: A Network Trojan was Detected] [Priority: 1] {tcp} EXTERNAL_IP-ADDRESS:48242 (canada)->OUR_IP-ADDRESS:80 (OUR_COUNTRY)

Should we worry that we have an infected host?

Best regards,

Anders
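The mismatch Anders noticed can be checked mechanically. The following helper is an added example, not code from the thread or from Cisco: it parses a Firepower/Snort event line in the format quoted above, decides which side is internal using an assumed list of inside networks, and flags when a signature named "outbound" fired on a flow that actually arrived from outside (here, to port 80 on the internal host). The sample line is constructed with RFC 5737 and RFC 1918 addresses in place of the redacted ones.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample, modelled on the event quoted in the post above
# (real addresses replaced with documentation / private ranges).
SAMPLE_EVENT = (
    '[1:37215:1] "MALWARE-CNC Win.Trojan.Pmabot outbound connection attempt" '
    '[Impact: Vulnerable] From "fw01" at Thu Aug 11 21:59:31 2016 UTC '
    '[Classification: A Network Trojan was Detected] [Priority: 1] {tcp} '
    '203.0.113.45:48242 (canada)->192.168.10.20:80 (sweden)'
)

# Assumption: the address ranges the defender treats as "inside".
INTERNAL_NETS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]

EVENT_RE = re.compile(
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"(?P<msg>[^"]+)"'
    r'.*?\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+):(?P<sport>\d+)\s*(?:\([^)]*\))?\s*->\s*'
    r'(?P<dst>[\d.]+):(?P<dport>\d+)'
)

def parse_event(line):
    """Extract gid/sid/rev, message, protocol and the 5-tuple endpoints."""
    m = EVENT_RE.search(line)
    if not m:
        raise ValueError("unrecognised event format")
    ev = m.groupdict()
    for key in ("gid", "sid", "rev", "sport", "dport"):
        ev[key] = int(ev[key])
    return ev

def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def triage(line):
    """Compare the direction the rule name claims with the direction observed."""
    ev = parse_event(line)
    src_in, dst_in = is_internal(ev["src"]), is_internal(ev["dst"])
    claims_outbound = "outbound" in ev["msg"].lower()
    # An "outbound connection attempt" rule describes an inside host reaching
    # out, so the packet that triggered it should flow inside -> outside.
    if src_in and not dst_in:
        observed = "outbound"
    elif dst_in and not src_in:
        observed = "inbound"
    else:
        observed = "unclear"
    return {
        "sid": ev["sid"],
        "claimed_direction": "outbound" if claims_outbound else "unspecified",
        "observed_direction": observed,
        "direction_mismatch": claims_outbound and observed != "outbound",
        "internal_host": ev["dst"] if dst_in else (ev["src"] if src_in else None),
        "internal_port": ev["dport"] if dst_in else ev["sport"],
    }
```

A mismatch does not by itself prove or rule out an infection; it tells the analyst that the rule fired on traffic arriving at the internal host rather than leaving it, which is exactly what the captured packet should be checked against.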


Jetsy Mathew
Cisco Employee

Hello Anders,

Make sure that the SRU is on the latest version.

If you are receiving alerts like this, we need to verify the packet capture for these intrusion events.

You should collect the packet download from Analysis > Intrusion Events > select the respective intrusion event > Download Packet.

Collect the capture and open a service request with TAC to analyze the same.

Regards,

Jetsy
