
The host may be under remote control

enidvallja
Level 1

Hello,


I've had this problem before, where FireSIGHT was indicating this message from a host. I did a full scan of the host with its anti-virus, but nothing was captured.

CnC Connected Intrusion Event - malware-cnc

Now I'm seeing this message again from 3 hosts, and one of the hosts is the public DNS (from the ISP). I don't know what to do because the "Scan Host" option is not available in my FireSIGHT.


Thank you.

Enid.

Accepted Solution

mikael.lahtela
Level 4

Hi,

You need to configure an instance of the nmap scanner under Policy > Actions > Scanners before you can use the "Scan" button in the host view.


Configuration example:

[Screenshots: nmap01.jpg, nmap02.jpg, nmap03.jpg, nmap04.jpg]


br, Micke


3 Replies


Hello Micke,


Thank you so much. I found the results of the scan, and I see only the host's ports, whether filtered or open, but nothing about any possible intrusion.


Enid.

Hi again,

If you get the security event CnC Connected (and the action is blocked), it doesn't need to be a real threat.
Your client might have just got flagged because they are surfing on the internet.
I see this alert a lot, and most of the time it's just the responding IP/DNS that is blacklisted by Talos.
Just do your regular security check on the client:
- check if there are other alerts from the same client (host profile).
- check what type of traffic it is: source ports, destination ports, drill-down.
- scan with nmap to see any unnecessary open ports on the client.
- scan the client for viruses and malware.
- look up the destination IP in whois and Talos Intelligence.
- if you don't find anything, make a note, clear the client and see if it appears again.

br, Micke
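As an added example (not from this thread or from Cisco), a small Python triage helper that applies the checklist above to event records pulled from the event drill-down; the record field names and the sample addresses are constructed assumptions, and the whois/Talos lookups are left as a manual step.

```python
"""Per-host triage of FireSIGHT 'CnC Connected' (malware-cnc) events.
Added example, not Cisco code: applies the thread's checklist (other alerts
from the same host, traffic type/ports, whether the action was blocked);
whois/Talos lookup of destinations stays manual, so they are only listed."""
from collections import defaultdict

# Constructed sample events (RFC 5737 documentation addresses, not real IoCs),
# with the fields the event drill-down shows.
EVENTS = [
    {"src": "10.0.0.21", "dst": "203.0.113.10", "dport": 443,
     "msg": "MALWARE-CNC sample rule A", "blocked": True},
    {"src": "10.0.0.21", "dst": "203.0.113.10", "dport": 80,
     "msg": "MALWARE-CNC sample rule A", "blocked": True},
    {"src": "10.0.0.35", "dst": "198.51.100.7", "dport": 8080,
     "msg": "MALWARE-CNC sample rule B", "blocked": False},
    {"src": "10.0.0.35", "dst": "198.51.100.7", "dport": 4444,
     "msg": "INDICATOR-COMPROMISE sample rule C", "blocked": False},
    {"src": "10.0.0.2", "dst": "192.0.2.53", "dport": 53,
     "msg": "MALWARE-CNC sample rule D", "blocked": True},
]

def triage(events, cnc_tag="malware-cnc"):
    """Return {host: summary}. 'investigate' when a CnC event was not blocked
    or the host raised other alerts; 'note-and-monitor' when every CnC event
    was blocked and nothing else fired (record, clear, watch for recurrence)."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["src"]].append(ev)
    report = {}
    for host, evs in by_host.items():
        cnc = [e for e in evs if cnc_tag in e["msg"].lower()]
        if not cnc:
            continue  # no CnC event from this host; nothing to triage
        others = [e for e in evs if cnc_tag not in e["msg"].lower()]
        all_blocked = all(e["blocked"] for e in cnc)
        verdict = "note-and-monitor" if all_blocked and not others else "investigate"
        report[host] = {
            "cnc_events": len(cnc),
            "other_alerts": len(others),
            "dports": sorted({e["dport"] for e in cnc}),
            "dns_only": all(e["dport"] == 53 for e in cnc),  # resolver traffic
            "lookup_ips": sorted({e["dst"] for e in cnc}),  # for whois / Talos
            "verdict": verdict,
        }
    return report
```

A host whose only finding is blocked CnC traffic on port 53 (the `dns_only` flag) matches the "flagged resolver" case in the thread; a host with unblocked events or additional alerts gets escalated instead.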