cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
662
Views
0
Helpful
1
Replies

Detection Link-local on stealthwatch

hi all,

 

recently, i am monitoring traffic on stealthwatch and i found an ip link-local within. stealthwatch detected that is coming from inside network and it showed behavior like scanning tcp and SMB for file sharing to outside host and inside host. this ip have a connection to another outside ip bogon. please help me to investigate and determine what is this ip do ? 

 

below here i attach pict of the event.

 

thx.

Everyone's tags (1)
1 REPLY 1
Highlighted
Cisco Employee

Re: Detection Link-local on stealthwatch

OK.  Lots going on here.

 

You have defined two host groups: Link Local and Bogon Subnets

 

The inside IP 169.254.162.200 appears in both of those host groups.

 

You are seeing 4 different alarms:  High SMB Peers, New Flows, Max flows, and Connect to Bogon.

 

The 'New Flows' should not normally be an issue.  It just means a new device has started connecting over the network.

 

The 'Max flows' could be an issue.  It means that you have a baseline set and that the source IP host is exceeding that baseline.  That could be a start up issue with a new deployment (and ignored) OR it could mean that host is suddenly very active and should be investigated.

 

You have a 'High SMB Peers' alarm.  That's the same as above.  The baseline on a new install could be low.  That could go away over the next days or weeks.  In the meantime investigate what that host is doing.

 

The 'Connect to Bogon' means that some inside host is connecting to an external (outside) IP that has been identified as a Bogon.  Bogon's are IP addresses that either should not or do not exist in public IP address space.  That could be something that is built into a security event in your local SW or it could be coming from the Threat Intel feed or the Cognitive Threat Analytics.  I don't know which you have configured. 

 

In general you should investigate these Bogon connections and consider adding ACLs to either your Internet router or your Firewall to block those connections.

 

Hope this helps.

 

Brian