Beginner

Stealthwatch SLIC Issue-Question

Things appeared to go sideways yesterday (02/10) with regard to the data in the SLIC feed, as we received 40+ alerts of C&C activity as users were browsing to www.google.com. The destination IPs were what is expected for Google.

The destination C&C server group in question was Azorult.

Today it seems to have returned to normal.

A couple of questions:

I'm looking for a way to query the IP addresses in a given SLIC feed host group.

Curious if anybody else saw similar behavior.


Thanks,
Bob

Cisco Employee

Re: Stealthwatch SLIC Issue-Question

We have no option to look up IPs in the SLIC database. This data is OEMed, and they don't give permission to do it.

Recently there are many cloud-based hosted services like Google Cloud, AWS and so on. If one of the publicly hosted IPs is infected with malware and becomes part of a botnet, SLIC will add the IP to the list. In another case, our vendor's honeypot finds attacks that have a crafted source IP, the same as a Google-owned one, and adds it to the list.

If you find this kind of issue, please contact TAC and they can escalate it to the OEM vendor to resolve it.

In your case, probably the vendor got a support request from someone who owns/runs the IP and fixed it. Security intelligence is based on mutual cooperation, so customer feedback is important to maintaining an accurate database.
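Since the feed itself cannot be queried, the practical check before opening a TAC case is on the consumer side: take the alerts that fired, test whether each flagged destination sits inside the provider's expected address space, and count how many alerts and distinct internal hosts hit the same "C&C" destination. Many internal clients hitting one address inside a provider's published range points at feed data rather than an infection. The script below is an added example for this thread, not Stealthwatch code and not a SLIC API; the trusted prefixes and the alert records are constructed samples, and real prefixes should be loaded from the provider's published range files (for Google, goog.json) rather than the hard-coded list used here.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample of "expected for Google" prefixes (assumption; replace
# with the provider's published ranges in a real triage run).
TRUSTED_PREFIXES = {
    "google": ["142.250.0.0/15", "172.217.0.0/16", "216.58.192.0/19", "2607:f8b0::/32"],
}

# Constructed alert records shaped like the post's symptoms: internal source,
# flagged destination, and the SLIC threat host group that fired.
SAMPLE_ALERTS = [
    {"src": "10.1.2.3", "dst": "142.250.72.196", "group": "Azorult"},
    {"src": "10.1.2.4", "dst": "142.250.72.196", "group": "Azorult"},
    {"src": "10.1.2.5", "dst": "172.217.14.68", "group": "Azorult"},
    {"src": "10.1.2.6", "dst": "203.0.113.77", "group": "Azorult"},      # not in any trusted range
    {"src": "10.1.2.7", "dst": "2607:f8b0:4005:80b::200e", "group": "Azorult"},
    {"src": "10.1.2.8", "dst": "not-an-ip", "group": "Emotet"},          # malformed export line
]


def build_trusted_networks(prefixes):
    """Parse CIDR strings once so each alert is a cheap containment test."""
    return {owner: [ipaddress.ip_network(p) for p in cidrs] for owner, cidrs in prefixes.items()}


def match_trusted(ip, networks):
    """Return the owner whose prefixes contain ip, or None.

    Raises ValueError for an unparseable address. Address-family mismatches
    (an IPv6 address tested against an IPv4 network) simply fail to match.
    """
    addr = ipaddress.ip_address(ip)
    for owner, nets in networks.items():
        if any(addr in n for n in nets):
            return owner
    return None


def triage(alerts, prefixes=TRUSTED_PREFIXES):
    """Split alerts into feed-suspect (destination inside a trusted range),
    investigate (destination outside every trusted range), and malformed.

    Returns (feed_suspects, owners, investigate, malformed) where
    feed_suspects maps group -> {dst: alert count} and owners maps dst -> owner.
    """
    networks = build_trusted_networks(prefixes)
    feed_suspects = defaultdict(Counter)
    owners = {}
    investigate, malformed = [], []
    for alert in alerts:
        try:
            owner = match_trusted(alert["dst"], networks)
        except ValueError:
            malformed.append(alert)
            continue
        if owner is None:
            investigate.append(alert)
        else:
            feed_suspects[alert["group"]][alert["dst"]] += 1
            owners[alert["dst"]] = owner
    return {g: dict(c) for g, c in feed_suspects.items()}, owners, investigate, malformed


def tac_summary(feed_suspects, owners):
    """One line per suspect (group, destination) pair, ready to paste into a case."""
    lines = []
    for group in sorted(feed_suspects):
        for dst, n in sorted(feed_suspects[group].items()):
            lines.append(f"{group}: {dst} ({owners[dst]} range) flagged {n} time(s)")
    return lines


if __name__ == "__main__":
    feed, owners, investigate, malformed = triage(SAMPLE_ALERTS)
    print("Likely feed false positives (escalate to TAC):")
    for line in tac_summary(feed, owners):
        print("  " + line)
    print(f"Alerts still to investigate: {[a['dst'] for a in investigate]}")
    print(f"Malformed records skipped: {len(malformed)}")
```

The split matters for the escalation: the feed-suspect bucket is what TAC needs (threat group plus the exact addresses), while anything outside the trusted ranges is handled as a normal alert, so a genuine C&C hit is not written off just because the feed misfired on the same day.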