Stealthwatch SLIC Issue-Question

reheindel
Level 1

Things appeared to go sideways yesterday (02/10) with regard to the data in the SLIC feed, as we received 40+ alerts of C&C activity as users were browsing to www.google.com; the destination IPs were what is expected for Google.

The destination C&C server group in question was Azorult.

Today it seems to have returned to normal.

Couple of questions:

I'm looking for a way to query the IP addresses in a given SLIC feed host group.

Curious if anybody else saw similar behavior.


Thanks,
Bob


kyoshiik
Cisco Employee

We have no option to look up an IP in the SLIC database. This data is OEMed and they don't give permission to do it.

Recently there are many cloud-based hosted services like Google Cloud, AWS and so on. If one of the publicly hosted IPs is infected with malware and becomes part of a botnet, SLIC will add the IP to the list. In another case, our vendor's honeypot finds attacks that have a crafted source IP the same as a Google-owned one and adds it to the list.

If you find this kind of issue, please contact TAC and they can escalate it to the OEM vendor to resolve it.

In your case, probably the vendor got a support request from someone who owns/runs the IP and fixed it. Security Intelligence is based on mutual cooperation, so customer feedback is important to accurate database maintenance.

FloKo
Level 1

We have experienced similar cases several times, mostly associated with Azorult and Smokeloader.
As was stated above, I also think this will probably happen because Google or other service providers have malware hosted on one server and this IP gets flagged as a C&C server, which triggers the events for normal Google traffic.

As far as I know, Cisco is working on a migration of the security intelligence feed to TALOS, so I guess we can expect a change in this behaviour in the future.
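The pattern the thread describes (a burst of C&C alerts for one host group whose destinations are all a well-known provider's addresses) can be triaged before escalating to TAC. The following is an added example, not Stealthwatch or Cisco code; the alert records, the "Azorult"/"Smokeloader" groupings and the provider prefixes are constructed placeholders, and the thresholds are assumptions an analyst would tune.

```python
"""Triage helper: separate a likely bad feed entry (many C&C alerts whose
destinations are expected-service IPs) from genuinely suspect hosts.
Added example; not part of Stealthwatch, SLIC or the original thread."""
import ipaddress
from collections import defaultdict

# Assumption: the analyst maintains prefixes for services that are normal
# destinations (Google, a cloud provider, ...). These are constructed
# placeholder prefixes (RFC 5737 documentation space), not real ranges.
EXPECTED_PREFIXES = [ipaddress.ip_network(p) for p in (
    "203.0.113.0/24",   # constructed: stands in for a Google front-end range
    "198.51.100.0/24",  # constructed: stands in for a cloud provider range
)]

# Constructed sample of exported alerts: (destination IP, C&C host group).
SAMPLE_ALERTS = [
    ("203.0.113.10", "Azorult"), ("203.0.113.11", "Azorult"),
    ("203.0.113.12", "Azorult"), ("203.0.113.13", "Azorult"),
    ("192.0.2.44", "Smokeloader"), ("192.0.2.45", "Smokeloader"),
    ("203.0.113.20", "Smokeloader"),
]

def is_expected_destination(ip: str) -> bool:
    """True when the IP falls inside one of the expected-service prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXPECTED_PREFIXES)

def triage(alerts, min_alerts=3, min_share=0.75):
    """Group alerts by C&C host group. A group with at least min_alerts
    alerts where at least min_share of destinations are expected-service
    IPs looks like a bad feed entry to report to TAC, not infected hosts.
    Returns {host_group: (alert_count, share_expected, verdict)}."""
    by_group = defaultdict(list)
    for dst, group in alerts:
        by_group[group].append(is_expected_destination(dst))
    result = {}
    for group, flags in by_group.items():
        share = sum(flags) / len(flags)
        if len(flags) >= min_alerts and share >= min_share:
            verdict = "likely feed false positive; escalate to TAC"
        else:
            verdict = "investigate hosts"
        result[group] = (len(flags), share, verdict)
    return result

if __name__ == "__main__":
    for group, (n, share, verdict) in triage(SAMPLE_ALERTS).items():
        print(f"{group}: {n} alerts, {share:.0%} to expected services -> {verdict}")
```

The Smokeloader group is left as "investigate hosts" because only one of its three destinations is an expected-service IP; a mixed group like that deserves a look at the endpoints rather than a feed complaint.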