MSSOC
New Contributor

Possible active reconnaissance (scanning and/or footprinting)

Hey community,

I have a question for you all regarding some suspicious traffic I have noticed for some time now from many different IPs, although there is a lot of common ground. More details are below:
Log Source: FortiGate
Main event names: Firewall Deny, Firewall Permit

Additional event names: Access List Deny, Ip-conn, Close, Traffic timeout, No matching connection for ICMP

Main services/protocols used: ICMP, tcp/4899, Vidyo_UDP, udp/33435

Additional services/protocols used: MS_SQL_1433, RDP, SMB

Behaviour: Sometimes there are hundreds or thousands of Firewall Deny and/or Firewall Permit events from a single source IP within e.g. a day, a week, a month or 3 months, but at other times there are only a few such events within those timeframes. In many cases only ICMP and tcp/4899 are being used. However, in other, less frequent cases more ports/services are being used, such as MS_SQL_1433, RDP and SMB. With moderate frequency, Vidyo_UDP and udp/33435 can be noticed. Overall, the traffic is rarely exactly the same but always looks similar. Some source IPs are blacklisted on IBM X-Force Exchange and Cisco Talos, but others are not.
Questions:

1. How would you approach this problem / What do you suggest?

2. How would you explain all this?

3. Would you block all those IPs?

4. What threshold (number of such events) would you set for such events to raise a red flag?

I would appreciate your opinion!

Thank you very much in advance and I look forward to hearing back from you.
Regards,

MSSOC
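An added example, not from the original thread: the kind of per-source threshold logic question 4 asks about, run over constructed FortiGate-style key=value traffic log lines (documentation-range addresses, not real indicators). The threshold defaults are placeholders to tune against your own baseline.

```python
import re
from collections import defaultdict

# Constructed sample FortiGate traffic logs (key=value syslog style); the addresses
# are documentation ranges, not real indicators.
SAMPLE_LOGS = """\
date=2024-03-01 time=08:00:01 type="traffic" srcip=203.0.113.5 dstip=198.51.100.10 dstport=0 proto=1 service="PING" action="deny"
date=2024-03-01 time=08:00:02 type="traffic" srcip=203.0.113.5 dstip=198.51.100.10 dstport=4899 proto=6 service="tcp/4899" action="deny"
date=2024-03-01 time=08:00:03 type="traffic" srcip=203.0.113.5 dstip=198.51.100.11 dstport=4899 proto=6 service="tcp/4899" action="deny"
date=2024-03-01 time=08:00:04 type="traffic" srcip=203.0.113.5 dstip=198.51.100.13 dstport=1433 proto=6 service="MS_SQL_1433" action="deny"
date=2024-03-01 time=08:00:05 type="traffic" srcip=203.0.113.5 dstip=198.51.100.13 dstport=3389 proto=6 service="RDP" action="deny"
date=2024-03-01 time=08:05:00 type="traffic" srcip=203.0.113.77 dstip=198.51.100.10 dstport=0 proto=1 service="PING" action="accept"
date=2024-03-01 time=09:00:00 type="traffic" srcip=203.0.113.9 dstip=198.51.100.20 dstport=33435 proto=17 service="udp/33435" action="deny"
date=2024-03-01 time=09:00:01 type="traffic" srcip=203.0.113.9 dstip=198.51.100.21 dstport=33435 proto=17 service="udp/33435" action="deny"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """One FortiGate key=value line -> dict, quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def summarize(log_text):
    """Per source IP: deny count, distinct services and distinct destination hosts."""
    stats = defaultdict(lambda: {"deny": 0, "services": set(), "hosts": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("type") != "traffic" or "srcip" not in ev:
            continue  # skip non-traffic or malformed lines
        s = stats[ev["srcip"]]
        if ev.get("action") == "deny":
            s["deny"] += 1
        s["services"].add(ev.get("service", ev.get("dstport", "?")))
        s["hosts"].add(ev.get("dstip", "?"))
    return stats

def flag_recon(log_text, deny_min=5, services_min=3, hosts_min=3):
    """Flag a source that meets ANY threshold (placeholder defaults; tune to your baseline)."""
    flagged = {}
    for ip, s in summarize(log_text).items():
        reasons = []
        if s["deny"] >= deny_min:
            reasons.append(f"{s['deny']} denies")
        if len(s["services"]) >= services_min:
            reasons.append(f"{len(s['services'])} services {sorted(s['services'])}")
        if len(s["hosts"]) >= hosts_min:
            reasons.append(f"{len(s['hosts'])} hosts probed")
        if reasons:
            flagged[ip] = reasons
    return flagged
```

Calling `flag_recon(SAMPLE_LOGS)` flags only 203.0.113.5 (five denies, four services, three hosts), while the two-event udp/33435 source stays below every threshold; pairing the per-source counts with a reputation lookup covers the "blacklisted on some feeds but not others" case.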

MSSOC
New Contributor

Hey again,
The other additional services/protocols used: SAMBA_TCP, SAMBA_UDP
Could anyone get back to me with some thoughts?
Thank you,

MSSOC
