08-11-2010 09:38 AM - edited 03-10-2019 05:05 AM
I am getting several of these from different workstations on my network. I need to find out if this is really worm-outbreak behavior or indeed a false positive. I changed the attacker IPs for this post, but they are coming from internal IPs on my network.
Attacker Address | Attacker Port | Target Address | Target Port |
10.0.0.1 | | 0.0.0.0 | 443 |
10.0.0.1 | | 0.0.0.0 | 443 |
10.0.0.1 | | 0.0.0.0 | 443 |
10.0.0.1 | | 0.0.0.0 | 443 |
10.0.0.1 | | 0.0.0.0 | 443 |
10.0.0.1 | | 0.0.0.0 | 443 |
10.0.0.2 | | 0.0.0.0 | 443 |
10.0.0.2 | | 0.0.0.0 | 443 |
10.0.0.2 | | 0.0.0.0 | 443 |
10.0.0.2 | | 0.0.0.0 | 443 |
10.0.0.3 | | 0.0.0.0 | 80 |
10.0.0.3 | | 0.0.0.0 | 80 |
10.0.0.4 | | 0.0.0.0 | 443 |
10.0.0.4 | | 0.0.0.0 | 443 |
10.0.0.4 | | 0.0.0.0 | 443 |
10.0.0.4 | | 0.0.0.0 | 443 |
10.0.0.4 | | 0.0.0.0 | 443 |
10.0.0.4 | | 0.0.0.0 | 443 |
10.0.0.4 | | 0.0.0.0 | 443 |
10.0.0.4 | | 0.0.0.0 | 443 |
10.0.0.5 | | 0.0.0.0 | 80 |
10.0.0.5 | | 0.0.0.0 | 80 |
10.0.0.5 | | 0.0.0.0 | 80 |
10.0.0.5 | | 0.0.0.0 | 80 |
10.0.0.6 | | 0.0.0.0 | 80 |
10.0.0.6 | | 0.0.0.0 | 80 |
10.0.0.7 | | 0.0.0.0 | 443 |
10.0.0.7 | | 0.0.0.0 | 443 |
10.0.0.7 | | 0.0.0.0 | 443 |
10.0.0.7 | | 0.0.0.0 | 443 |
10.0.0.8 | | 0.0.0.0 | 443 |
10.0.0.8 | | 0.0.0.0 | 443 |
10.0.0.8 | | 0.0.0.0 | 443 |
10.0.0.8 | | 0.0.0.0 | 443 |
Is this really the behavior of a worm outbreak? Or could it be that the "attackers" are establishing web/SSL connections to targets which are unknown or not tagged as the internal zone, hence by default the zone of the target is external? As a result, this signature was fired.
Seeking advice/views from the domain experts here. TIA.
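A small triage helper for alert rows in the shape shown above, added here as an example and not taken from the original post or from any sensor vendor's tooling. It groups alerts per attacker, counts distinct targets (a worm spreads to many hosts, repeated connections to one or an unresolved target do not), and classifies each target against an assumed internal-zone prefix; the sample rows, the `10.0.0.0/8` zone and the scan threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample rows in the post's column order:
# attacker address | attacker port | target address | target port
SAMPLE_ALERTS = """\
10.0.0.1 |  | 0.0.0.0 | 443
10.0.0.1 |  | 0.0.0.0 | 443
10.0.0.3 |  | 0.0.0.0 | 80
10.0.0.4 |  | 0.0.0.0 | 443
"""

# Assumed internal zone; on a real sensor this comes from the zone config.
INTERNAL_ZONE = [ipaddress.ip_network("10.0.0.0/8")]


def parse_alerts(text):
    """Turn pipe-separated alert lines into dicts; a blank port becomes None."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 4:
            raise ValueError("expected 4 columns, got: %r" % line)
        src, sport, dst, dport = fields
        rows.append({"src": src, "sport": sport or None, "dst": dst, "dport": int(dport)})
    return rows


def target_zone(addr):
    """0.0.0.0 means the sensor never resolved the target; otherwise match the zone."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return "unknown"
    return "internal" if any(ip in net for net in INTERNAL_ZONE) else "external"


def triage(rows, scan_threshold=10):
    """Per attacker: alert count, distinct targets, ports, and a triage verdict."""
    per_src = defaultdict(lambda: {"targets": set(), "ports": set(), "zones": set(), "alerts": 0})
    for r in rows:
        s = per_src[r["src"]]
        s["targets"].add(r["dst"]); s["ports"].add(r["dport"]); s["alerts"] += 1
        s["zones"].add(target_zone(r["dst"]))
    report = {}
    for src, s in per_src.items():
        if len(s["targets"]) >= scan_threshold:
            verdict = "scan-like: many distinct targets, investigate the host"
        elif s["zones"] == {"unknown"}:
            verdict = "target unresolved (0.0.0.0): verify zone config before treating as a worm"
        elif s["ports"] <= {80, 443}:
            verdict = "repeated web/ssl connections to few targets: likely benign"
        else:
            verdict = "needs manual review"
        report[src] = {"alerts": s["alerts"], "distinct_targets": len(s["targets"]),
                       "ports": sorted(s["ports"]), "verdict": verdict}
    return report
```

Run `triage(parse_alerts(SAMPLE_ALERTS))` to get one verdict per attacker; a real export with resolved target addresses is what makes the distinct-target count meaningful.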