04-19-2017 07:07 AM
Hello,
We are running an ASA with FirePower and a FMC for management. We are seeing many attempts from external C&C servers to our DMZ hosts which are getting blocked by FP. We are not seeing any attempts from our hosts to any C&C servers. I have been investigating these attempts but am not really getting anywhere so I am wondering if it is really worthwhile seeing as the traffic is being blocked anyways.
Any thoughts if I should be chasing these alerts?
04-24-2017 08:53 AM
Yeah I see that kind of thing often as well on things that have exposed ports. Basically the system is working as intended. I wish it would say more clearly whether it blocked the connection or not. If it is recognized as a C&C connection, it should be blocked but I guess it depends on how you set your policy really.
04-24-2017 05:27 PM
You're welcome. Please mark your question as answered if it has been.
04-20-2017 01:43 AM
C&C server trying to access a DMZ host doesn't necessarily mean the host is compromised.
If the DMZ servers have public IP addresses assigned, it could simply be scanning attempts from the C&C servers.
I'd just chalk it up as a "win" and move on.
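Putting the reasoning from the two replies above into a triage pass: inbound hits from an address on the C&C list to an exposed DMZ port that were blocked are the expected noise and only need a tally, while any connection our own hosts initiate toward such an address, blocked or not, is the case worth chasing, and an inbound hit that was not blocked points at the policy rather than at the host. This is an added example, not code from the thread, from Cisco, or from FMC: the CSV columns (initiator_ip, responder_ip, responder_port, action, si_category), the address ranges, and the sample rows are all constructed for illustration, and a real FMC connection-event export uses different headers, so map them before use.

```python
"""Triage of Security Intelligence / C&C connection events.

Added example, not part of the original thread or of any Cisco tooling.
Assumes a simplified, constructed CSV export with the columns used below;
a real FMC export has different column names and many more fields.
"""
import csv
import io
import ipaddress
from collections import Counter

# Address space we own. Assumed values for the example; replace with yours.
DMZ_NET = ipaddress.ip_network("203.0.113.0/24")
OUR_NETS = [ipaddress.ip_network("10.0.0.0/8"), DMZ_NET]

# Constructed sample export: documentation-range addresses, not real C&C IPs.
SAMPLE_CSV = """\
time,initiator_ip,responder_ip,responder_port,action,si_category
2017-04-19T06:01:12Z,198.51.100.7,203.0.113.10,443,Block,CnC
2017-04-19T06:01:13Z,198.51.100.7,203.0.113.11,443,Block,CnC
2017-04-19T06:01:14Z,198.51.100.7,203.0.113.12,22,Block,CnC
2017-04-19T06:05:40Z,198.51.100.99,203.0.113.10,80,Block,CnC
2017-04-19T06:07:02Z,10.0.5.23,198.51.100.7,8080,Block,CnC
2017-04-19T06:09:55Z,198.51.100.42,203.0.113.10,443,Allow,CnC
2017-04-19T06:11:30Z,203.0.113.10,198.51.100.42,443,Allow,CnC
"""


def is_ours(ip):
    """True if the address falls inside one of our own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OUR_NETS)


def triage(csv_text):
    """Split C&C events into blocked inbound noise and events needing a human.

    Returns {"inbound_blocked": Counter(src_ip -> hits), "investigate": [rows]}.
    """
    inbound_blocked = Counter()
    investigate = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        src_ours = is_ours(row["initiator_ip"])
        dst_ours = is_ours(row["responder_ip"])
        blocked = row["action"].lower() == "block"
        if src_ours and not dst_ours:
            # One of our hosts opened a session toward a C&C-listed address:
            # possible beaconing. Whether or not it was blocked, look at the host.
            row["reason"] = "outbound to C&C address (possible infection)"
            investigate.append(row)
        elif not src_ours and dst_ours and blocked:
            # External C&C-listed IP knocking on an exposed DMZ port, blocked:
            # the system did its job. Keep the tally, nothing more.
            inbound_blocked[row["initiator_ip"]] += 1
        else:
            # Inbound but not blocked, or an address pair we did not expect:
            # that is a policy question, not a compromised host.
            row["reason"] = "not blocked or unexpected direction (check SI policy)"
            investigate.append(row)
    return {"inbound_blocked": inbound_blocked, "investigate": investigate}


if __name__ == "__main__":
    result = triage(SAMPLE_CSV)
    for ip, hits in result["inbound_blocked"].most_common():
        print(f"noise: {ip} blocked {hits}x inbound to DMZ")
    for ev in result["investigate"]:
        print(f"INVESTIGATE: {ev['initiator_ip']} -> {ev['responder_ip']}:"
              f"{ev['responder_port']} [{ev['action']}] {ev['reason']}")
```

On the sample data the first four rows collapse into two tallied scanners, while the blocked outbound connection from 10.0.5.23 and the two allowed events are the three lines that actually deserve an analyst's time.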
04-24-2017 09:05 AM
Thanks Jonathan and Marvin.
I was thinking that things were working as they should but wanted to make sure.