Firepower blocking CnC

Hello,

We are running an ASA with Firepower and an FMC for management. We are seeing many attempts from external C&C servers to our DMZ hosts, which are getting blocked by FP. We are not seeing any attempts from our hosts to any C&C servers. I have been investigating these attempts but am not really getting anywhere, so I am wondering if it is really worthwhile, seeing as the traffic is being blocked anyway.

Any thoughts if I should be chasing these alerts?

2 Accepted Solutions

Yeah I see that kind of thing often as well on things that have exposed ports. Basically the system is working as intended. I wish it would say more clearly whether it blocked the connection or not. If it is recognized as a C&C connection, it should be blocked but I guess it depends on how you set your policy really.


@Lars Brachlow

You're welcome. Please mark your question as answered if it has been.


4 Replies

A C&C server trying to access a DMZ host doesn't necessarily mean the host is compromised.

If the DMZ servers have public IP addresses assigned, it could simply be scanning attempts from the C&C servers.

I'd just chalk it up as a "win" and move on.
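The replies above turn on one distinction: an address on the C&C list knocking on an exposed DMZ port is scan noise, while one of your own hosts initiating a connection to a C&C address is the signal worth chasing, whether or not the device blocked it. The block below is an added example of that direction-aware triage, written for this page and not code from the thread, Cisco, or FMC. The record layout (`ts,initiator,responder,action,category`), the owned address ranges, and every event line are constructed for illustration; real connection events would have to be mapped onto the `Event` fields first.

```python
"""Direction-aware triage of C&C Security Intelligence hits.

Added example, not from the original thread. The record layout and every
address below are constructed; this is not the FMC connection-event export
format. Real events would need to be mapped onto the Event fields first.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Networks we own. 203.0.113.0/24 (TEST-NET-3) stands in for a public DMZ range.
OWNED_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.0.113.0/24")
]

# Severity order: an internal host reaching for a C&C server is the signal that
# matters, even when the device blocked it; inbound hits are mostly scan noise.
SEVERITY = {
    "outbound-allowed": "critical",
    "outbound-blocked": "high",
    "inbound-allowed": "medium",
    "inbound-blocked": "low",
}


@dataclass(frozen=True)
class Event:
    ts: str
    initiator: str   # host that opened the connection
    responder: str   # host it connected to
    action: str      # "Block" or "Allow" (what the sensor did)
    category: str    # Security Intelligence category, e.g. "CnC"


def parse_events(text: str) -> list[Event]:
    """Parse comma-separated records: ts,initiator,responder,action,category."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, action, category = (f.strip() for f in line.split(","))
        events.append(Event(ts, src, dst, action, category))
    return events


def is_owned(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OWNED_NETS)


def classify(ev: Event) -> str:
    """Return the triage bucket for a CnC-category event, or 'unrelated'."""
    if ev.category != "CnC":
        return "unrelated"
    src_owned, dst_owned = is_owned(ev.initiator), is_owned(ev.responder)
    if src_owned and not dst_owned:
        direction = "outbound"          # our host initiated: possible beaconing
    elif dst_owned and not src_owned:
        direction = "inbound"           # listed IP knocked on an exposed port
    else:
        return "unrelated"              # both owned or both foreign: out of scope here
    verdict = "blocked" if ev.action.lower() == "block" else "allowed"
    return f"{direction}-{verdict}"


def triage(events: list[Event]) -> dict:
    """Count events per bucket and list internal hosts that need investigation."""
    counts = Counter(classify(ev) for ev in events)
    investigate = sorted(
        {ev.initiator for ev in events if classify(ev).startswith("outbound")}
    )
    # Inbound hits that were allowed point at an exposed service, not a compromised host.
    exposed = sorted(
        {ev.responder for ev in events if classify(ev) == "inbound-allowed"}
    )
    return {"counts": dict(counts), "investigate": investigate, "exposed": exposed}


# Constructed sample: two inbound probes blocked, one allowed, and two of our
# hosts trying to reach C&C addresses (one blocked, one not). The last line is
# a different category and is ignored by this triage.
SAMPLE_EVENTS = """\
2024-01-01T10:00:00Z,198.51.100.7,203.0.113.10,Block,CnC
2024-01-01T10:00:05Z,198.51.100.8,203.0.113.10,Block,CnC
2024-01-01T10:00:09Z,198.51.100.9,203.0.113.11,Allow,CnC
2024-01-01T10:01:00Z,10.20.30.40,198.51.100.50,Block,CnC
2024-01-01T10:02:00Z,192.168.1.5,198.51.100.51,Allow,CnC
2024-01-01T10:03:00Z,198.51.100.7,203.0.113.10,Block,Malware
"""

if __name__ == "__main__":
    result = triage(parse_events(SAMPLE_EVENTS))
    for bucket, n in sorted(result["counts"].items()):
        print(f"{bucket:17} {n:3}  severity={SEVERITY.get(bucket, 'none')}")
    print("investigate hosts:", result["investigate"])
    print("exposed services on:", result["exposed"])
```

Run against the constructed sample, the two blocked inbound probes land in the low-severity bucket the replies describe as a "win", while the two outbound attempts put 10.20.30.40 and 192.168.1.5 on the investigate list even though one of them was blocked. The allowed inbound hit is listed separately: it does not indicate compromise, but it does show that a listed address reached a service that the policy let through, which is the policy question raised in the accepted answer.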

Thanks Jonathan and Marvin.

I was thinking that things were working as they should but wanted to make sure. 

