Firepower blocking CnC

Lars Brachlow
Level 1

Hello,

We are running an ASA with FirePower and a FMC for management. We are seeing many attempts from external C&C servers to our DMZ hosts which are getting blocked by FP. We are not seeing any attempts from our hosts to any C&C servers. I have been investigating these attempts but am not really getting anywhere so I am wondering if it is really worthwhile seeing as the traffic is being blocked anyways.

Any thoughts if I should be chasing these alerts?

2 Accepted Solutions

Yeah I see that kind of thing often as well on things that have exposed ports. Basically the system is working as intended. I wish it would say more clearly whether it blocked the connection or not. If it is recognized as a C&C connection, it should be blocked but I guess it depends on how you set your policy really.

lbrachlow1  

You're welcome. Please mark your question as answered if it has been.

4 Replies

Marvin Rhoads
Hall of Fame

A C&C server trying to access a DMZ host doesn't necessarily mean the host is compromised.

If the DMZ servers have public IP addresses assigned, it could simply be scanning attempts from the C&C servers.

I'd just chalk it up as a "win" and move on.

Thanks Jonathan and Marvin. 

I was thinking that things were working as they should but wanted to make sure. 
