I am getting several of these from different workstations on my network. I need to find out if this is really a worm outbreak behavior or indeed a false positive. I changed the attacker IP for this post but they are coming from internal IP's on my network.
Attacker Address | Attacker Port | Target Address | Target Port |
10.0.0.1 | | 0.0.0.0 | 443 |
10.0.0.1 | | 0.0.0.0 | 443 |
10.0.0.1 | | 0.0.0.0 | 443 |
10.0.0.1 | | 0.0.0.0 | 443 |
10.0.0.1 | | 0.0.0.0 | 443 |
10.0.0.1 | | 0.0.0.0 | 443 |
10.0.0.2 | | 0.0.0.0 | 443 |
10.0.0.2 | | 0.0.0.0 | 443 |
10.0.0.2 | | 0.0.0.0 | 443 |
10.0.0.2 | | 0.0.0.0 | 443 |
10.0.0.3 | | 0.0.0.0 | 80 |
10.0.0.3 | | 0.0.0.0 | 80 |
10.0.0.4 | | 0.0.0.0 | 443 |
10.0.0.4 | | 0.0.0.0 | 443 |
10.0.0.4 | | 0.0.0.0 | 443 |
10.0.0.4 | | 0.0.0.0 | 443 |
10.0.0.4 | | 0.0.0.0 | 443 |
10.0.0.4 | | 0.0.0.0 | 443 |
10.0.0.4 | | 0.0.0.0 | 443 |
10.0.0.4 | | 0.0.0.0 | 443 |
10.0.0.5 | | 0.0.0.0 | 80 |
10.0.0.5 | | 0.0.0.0 | 80 |
10.0.0.5 | | 0.0.0.0 | 80 |
10.0.0.5 | | 0.0.0.0 | 80 |
10.0.0.6 | | 0.0.0.0 | 80 |
10.0.0.6 | | 0.0.0.0 | 80 |
10.0.0.7 | | 0.0.0.0 | 443 |
10.0.0.7 | | 0.0.0.0 | 443 |
10.0.0.7 | | 0.0.0.0 | 443 |
10.0.0.7 | | 0.0.0.0 | 443 |
10.0.0.8 | | 0.0.0.0 | 443 |
10.0.0.8 | | 0.0.0.0 | 443 |
10.0.0.8 | | 0.0.0.0 | 443 |
10.0.0.8 | | 0.0.0.0 | 443 |
Is this really a behavior of a worm outbreak? Or could it be that the "attackers" are establishing web/ssl connection to targets which is unknown or not tagged as internal zone hence by default, the zone of the target is external. As a result, this signature was fired.
Seek advise/views from the domain experts here. TIA.
