04-19-2017 07:07 AM
Hello,
We are running an ASA with FirePower and a FMC for management. We are seeing many attempts from external C&C servers to our DMZ hosts which are getting blocked by FP. We are not seeing any attempts from our hosts to any C&C servers. I have been investigating these attempts but am not really getting anywhere so I am wondering if it is really worthwhile seeing as the traffic is being blocked anyways.
Any thoughts if I should be chasing these alerts?
04-24-2017 08:53 AM
Yeah I see that kind of thing often as well on things that have exposed ports. Basically the system is working as intended. I wish it would say more clearly whether it blocked the connection or not. If it is recognized as a C&C connection, it should be blocked but I guess it depends on how you set your policy really.
04-24-2017 05:27 PM
You're welcome. Please mark your question as answered if it has been.
04-20-2017 01:43 AM
C&C server trying to access a DMZ host doesn't necessarily mean the host is compromised.
If the DMZ servers have public IP addresses assigned, it could simply be scanning attempts from the C&C servers.
I'd just chalk it up as a "win" and move on.
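The distinction the replies draw (inbound hits from a listed C&C address against a public DMZ host versus one of your own hosts reaching out to a C&C address) can be turned into a simple triage rule. The Python below is an added example, not code from any poster or from Cisco; the network ranges, the event records and their field names (`src`, `dst`, `si`, `action`) are constructed stand-ins for exported connection events, not the FMC's real export format.

```python
import ipaddress
from collections import Counter

# Constructed network layout (assumption, not from the thread).
DMZ_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # public DMZ hosts
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # inside hosts

# Constructed, simplified connection events; not real FMC output.
# Fields: source IP, destination IP, matched Security Intelligence
# category, and the action the access policy applied.
EVENTS = [
    {"src": "198.51.100.7",  "dst": "203.0.113.10",  "si": "CnC", "action": "Block"},
    {"src": "198.51.100.7",  "dst": "203.0.113.11",  "si": "CnC", "action": "Block"},
    {"src": "198.51.100.22", "dst": "203.0.113.10",  "si": "CnC", "action": "Block"},
    {"src": "10.1.2.3",      "dst": "198.51.100.7",  "si": "CnC", "action": "Block"},
    {"src": "10.1.2.9",      "dst": "198.51.100.99", "si": "CnC", "action": "Allow"},
]

def _ours(ip):
    """True if the address belongs to a DMZ or internal range we own."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DMZ_NETS + INTERNAL_NETS)

def classify(ev):
    """Return (priority, label) for one connection event.

    Inbound from a listed source to a DMZ host is the case in the thread:
    most likely scanning, already blocked by the control -> low priority.
    Outbound from one of our hosts to a listed destination looks like a
    beacon from a compromised host -> high, critical if it was allowed.
    """
    if ev["si"] != "CnC":
        return ("info", "not-cnc")
    src_ours, dst_ours = _ours(ev["src"]), _ours(ev["dst"])
    blocked = ev["action"] == "Block"
    if src_ours and not dst_ours:
        return ("high", "outbound-to-cnc-blocked") if blocked else ("critical", "outbound-to-cnc-allowed")
    if dst_ours and not src_ours:
        return ("low", "inbound-from-cnc-blocked") if blocked else ("medium", "inbound-from-cnc-allowed")
    return ("medium", "unclassified")

def triage(events):
    """Count events per label; return the counts and hosts worth investigating."""
    counts, investigate = Counter(), set()
    for ev in events:
        prio, label = classify(ev)
        counts[label] += 1
        if prio in ("high", "critical"):
            investigate.add(ev["src"])  # our host that reached out to a C&C address
    return counts, sorted(investigate)

if __name__ == "__main__":
    counts, hosts = triage(EVENTS)
    for label, n in counts.most_common():
        print(f"{n:3d}  {label}")
    print("investigate:", hosts)
```

Run over a real export, the low-priority bucket is the inbound noise the thread describes, while anything in the investigate list is a host that initiated contact and deserves a look regardless of whether the connection was blocked.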
04-24-2017 09:05 AM
Thanks Jonathan and Marvin.
I was thinking that things were working as they should but wanted to make sure.