Hello All,
I was reviewing the intrusion events for the PUA-OTHER Cryptocurrency Miner outbound connection attempt (1:46237:1) signature and am not sure why the Action on this signature is "Would have dropped". Please find further details:
1) The Firepower device is in Inline mode (not TAP mode or Inline Simulation).
2) Confirmed that there is one signature triggered for this event, which is SID:46237.
3) Confirmed that this SID has a rule action of Drop and Generate Events.
4) Based on the rule, it is triggered when any traffic from $HOME_NET goes to $EXTERNAL over any port, hence I confirmed that the source IP ranges are part of $HOME_NET and that $EXTERNAL is set to !$HOME_NET, which means anything other than $HOME_NET is considered $EXTERNAL.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-OTHER Cryptocurrency Miner outbound connection attempt"; flow:established,to_server; content:"|7B 22|id|22 3A|"; content:"|22|jsonrpc|22 3A|"; content:"|22|method|22 3A 22|login|22 2C 22|params|22 3A 7B 22|login|22 3A|"; content:"|22|pass|22 3A|"; content:"|22|agent|22 3A|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/2b83c69cf32c5f8f43ec2895ec9ac730bf73e1b2f37e44a3cf8ce814fb51f120/analysis; classtype:policy-violation; sid:46237; rev:1; )
5) What I'm not sure about is why the packets get dropped with Dst. port 443 but not Dst. port 80.
6) I also confirmed that port 80/TCP is already part of the default object group.
Any other suggestions?
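As an added example (not part of the post above), the content options of SID 46237 decoded into the exact bytes the rule requires and checked against constructed payloads; it shows that with no distance/within modifiers every content is an independent search and that the header's "any" ports leave the destination port out of the match. The header and content options are copied from the rule quoted above (other options omitted); the sample payloads, including the wallet placeholder, are constructed, not captured traffic.

```python
import re

# Header and content options of SID 46237 as quoted in the post; the
# metadata and reference options are left out since they do not affect matching.
SID_46237 = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any ('
    'msg:"PUA-OTHER Cryptocurrency Miner outbound connection attempt"; '
    'flow:established,to_server; '
    'content:"|7B 22|id|22 3A|"; content:"|22|jsonrpc|22 3A|"; '
    'content:"|22|method|22 3A 22|login|22 2C 22|params|22 3A 7B 22|login|22 3A|"; '
    'content:"|22|pass|22 3A|"; content:"|22|agent|22 3A|"; '
    'classtype:policy-violation; sid:46237; rev:1; )'
)


def decode_content(pattern):
    """Turn a Snort content string into bytes: text outside |...| is literal,
    text inside |...| is space-separated hex bytes."""
    out = bytearray()
    for i, segment in enumerate(pattern.split("|")):
        if i % 2:                      # odd segments sit between pipes
            out += bytes.fromhex(segment)
        else:
            out += segment.encode("latin-1")
    return bytes(out)


def content_patterns(rule):
    """Extract every content:"..." option of a rule, decoded to bytes."""
    return [decode_content(p) for p in re.findall(r'content:"([^"]*)"', rule)]


def rule_matches(rule, payload):
    """All content options must occur somewhere in the payload. Without
    distance/within modifiers each is an independent search, and the
    header's 'any' ports mean the destination port plays no part."""
    return all(p in payload for p in content_patterns(rule))


# Constructed sample payloads (not captured traffic).
STRATUM_LOGIN = (b'{"id":1,"jsonrpc":"2.0","method":"login","params":'
                 b'{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"miner/0.0"}}')
# Same request with spaces after the colons: the byte-exact contents no longer match.
SPACED_LOGIN = (b'{"id": 1, "jsonrpc": "2.0", "method": "login", "params": '
                b'{"login": "WALLET_PLACEHOLDER", "pass": "x", "agent": "miner/0.0"}}')
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for name, payload in [("stratum", STRATUM_LOGIN), ("spaced", SPACED_LOGIN), ("http", HTTP_GET)]:
        print(name, rule_matches(SID_46237, payload))
```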