Hey community,
I have a question for you all regarding some suspicious traffic I have been noticing for some time now from many different IPs, although there is a lot of common ground. More details are below:
Log Source: FortiGate
Main event names: Firewall Deny, Firewall Permit
Additional event names: Access List Deny, Ip-conn, Close, Traffic timeout, No matching connection for ICMP
Main services/protocols used: ICMP, tcp/4899, Vidyo_UDP, udp/33435
Additional services/protocols used: MS_SQL_1433, RDP, SMB
Behaviour: Sometimes there are hundreds or thousands of Firewall Deny and/or Firewall Permit events from a single source IP within e.g. a day, a week, a month or 3 months, but at other times there are only a few such events within those timeframes. In many cases only ICMP and tcp/4899 are being used. However, in other, less frequent cases more ports/services are being used, such as MS_SQL_1433, RDP and SMB. To a moderate extent, Vidyo_UDP and udp/33435 can be noticed. Overall, the traffic is rarely exactly the same but always looks similar. Some source IPs are blacklisted on IBM X-Force Exchange and Cisco Talos, but others are not.
Questions:
1. How would you approach this problem / What do you suggest?
2. How would you explain all this?
3. Would you block all those IPs?
4. What threshold (number of such events) would you set for such events to raise a red flag?
I would appreciate your opinion!
Thank you very much in advance and I look forward to hearing back from you.
Regards,
MSSOC
Hey again,
The other additional services/protocols used: SAMBA_TCP, SAMBA_UDP
Could anyone get back to me with some thoughts?
Thank you,
MSSOC
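One way to turn the behaviour described in the two posts above (bursts of Deny/Permit events per source IP, a handful of repeatedly probed services, occasional sweeps across more ports) into a repeatable triage check is to profile each source IP from the FortiGate traffic log and flag it against explicit thresholds. The script below is an added example written for this thread; it is not code from the original posts or from Fortinet. The log lines are constructed in FortiGate's key=value traffic-log style, the watch list of services is taken from the services named in the posts, and the threshold defaults (3 denies, 3 distinct ports, 3 distinct destination hosts) are deliberately low demo values; in a real environment they are parameters to tune against a baseline of your own normal noise, which is the practical answer to question 4.

```python
"""Profile FortiGate-style traffic-log lines per source IP and flag scan-like behaviour."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample lines in FortiGate key=value traffic-log style; not real log data.
SAMPLE_LOGS = """\
date=2024-05-01 time=08:00:01 srcip=203.0.113.10 dstip=198.51.100.5 dstport=4899 proto=6 service="tcp/4899" action=deny
date=2024-05-01 time=08:00:02 srcip=203.0.113.10 dstip=198.51.100.6 dstport=4899 proto=6 service="tcp/4899" action=deny
date=2024-05-01 time=08:00:03 srcip=203.0.113.10 dstip=198.51.100.7 dstport=4899 proto=6 service="tcp/4899" action=deny
date=2024-05-01 time=08:00:04 srcip=203.0.113.10 dstip=198.51.100.5 dstport=0 proto=1 service="ICMP" action=deny
date=2024-05-01 time=08:00:05 srcip=203.0.113.10 dstip=198.51.100.8 dstport=0 proto=1 service="ICMP" action=deny
date=2024-05-01 time=09:10:00 srcip=203.0.113.77 dstip=198.51.100.5 dstport=1433 proto=6 service="MS_SQL_1433" action=deny
date=2024-05-01 time=09:10:01 srcip=203.0.113.77 dstip=198.51.100.5 dstport=3389 proto=6 service="RDP" action=deny
date=2024-05-01 time=09:10:02 srcip=203.0.113.77 dstip=198.51.100.5 dstport=445 proto=6 service="SMB" action=deny
date=2024-05-01 time=09:10:03 srcip=203.0.113.77 dstip=198.51.100.5 dstport=3389 proto=6 service="RDP" action=accept
date=2024-05-01 time=10:00:00 srcip=192.0.2.55 dstip=198.51.100.5 dstport=0 proto=1 service="ICMP" action=deny
"""

# key=value pairs; values may be quoted (service="RDP") or bare (srcip=1.2.3.4)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Services named in the thread, treated here as a watch list (assumption, not a Fortinet list).
WATCH_SERVICES = {"tcp/4899", "MS_SQL_1433", "RDP", "SMB", "SAMBA_TCP", "SAMBA_UDP"}


@dataclass
class SourceProfile:
    deny: int = 0
    permit: int = 0
    dst_ports: set = field(default_factory=set)
    dst_hosts: set = field(default_factory=set)
    services: set = field(default_factory=set)


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def build_profiles(lines):
    """Aggregate deny/permit counts, targeted ports, hosts and services per source IP."""
    profiles = defaultdict(SourceProfile)
    for line in lines:
        rec = parse_line(line)
        if "srcip" not in rec:
            continue
        p = profiles[rec["srcip"]]
        if rec.get("action") == "deny":
            p.deny += 1
        elif rec.get("action") == "accept":
            p.permit += 1
        if rec.get("proto") != "1":  # ICMP (proto 1) carries no meaningful port
            p.dst_ports.add(rec.get("dstport"))
        p.dst_hosts.add(rec.get("dstip"))
        p.services.add(rec.get("service"))
    return dict(profiles)


def flag_sources(profiles, deny_threshold=3, port_threshold=3, host_threshold=3):
    """Return {srcip: [reasons]} for every source that crosses at least one threshold.

    The defaults are demo values (assumption); tune them against your own baseline.
    """
    flagged = {}
    for ip, p in profiles.items():
        reasons = []
        if p.deny >= deny_threshold:
            reasons.append(f"{p.deny} denies")
        if len(p.dst_ports) >= port_threshold:
            reasons.append(f"port sweep: {sorted(p.dst_ports)}")
        if len(p.dst_hosts) >= host_threshold:
            reasons.append(f"host sweep: {len(p.dst_hosts)} hosts")
        hits = p.services & WATCH_SERVICES
        # A permit to a watched service from a scanning source is the line worth reading first:
        # it means the probe reached something, not just the deny rule.
        if hits and p.permit:
            reasons.append(f"permitted traffic to watched services: {sorted(hits)}")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in flag_sources(build_profiles(SAMPLE_LOGS.splitlines())).items():
        print(ip, "->", "; ".join(reasons))
```

Running it on the constructed sample flags 203.0.113.10 (five denies spread over four hosts on the same port) and 203.0.113.77 (three distinct ports on one host, plus one permitted RDP connection), while the single ICMP deny from 192.0.2.55 stays below every threshold. The split between "deny volume", "port sweep", "host sweep" and "permitted to watched service" is the point: the first three say how noisy a source is, the last says whether any of it got through, which is the one that decides whether blocking the IP is enough or whether the permitted destination needs a look.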