ThreatFox alert on Cloudflare IP

Çağlar Arlı      -    18 Views

On our company network, Suricata just raised the following (single) alert:

{
    "timestamp": "2024-01-05T12:42:28.511703+0100",
    "flow_id": 1276412390854359,
    "in_iface": "igb0",
    "event_type": "alert",
    "src_ip": "10.1.1.13",
    "src_port": 53670,
    "dest_ip": "188.114.96.3",
    "dest_port": 443,
    "proto": "TCP",
    "alert": {
        "action": "allowed",
        "gid": 1,
        "signature_id": 91226661,
        "rev": 1,
        "signature": "ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)",
        "category": "A Network Trojan was detected",
        "severity": 1,
        "source": {
            "ip": "188.114.96.3",
            "port": 443
        },
        "target": {
            "ip": "10.1.1.13",
            "port": 53670
        },
        "metadata": {
            "confidence_level": [
                "100"
            ],
            "first_seen": [
                "2023_12_31"
            ]
        }
    },
    "flow": {
        "pkts_toserver": 1,
        "pkts_toclient": 0,
        "bytes_toserver": 66,
        "bytes_toclient": 0,
        "start": "2024-01-05T12:42:28.511703+0100"
    }
}

This is what I was able to find out:

  1. At the time, the user on PC 10.1.1.13 was surfing the web during lunch break (in private mode, so we don't have a browser history). The destination port is 443, so that alert might have been caused by something loaded by his browser.
  2. According to whois, 188.114.96.3 is a Cloudflare IP.
  3. I can't find that IP in the ThreatFox database UI (I searched for ioc:188.114.96.3).

So while, at first glance, this looks scary ("botnet C2 traffic ... confidence level: 100%"), I'm tempted to classify this incident as a false positive:

  • Cloudflare is a CDN, so it's perfectly possible that the same IP might be used to serve the content of different customers (one of which might have been hacked).
  • There are no other alerts or indicators of compromise.

Hence, my questions are:

Q1: Is this assessment reasonable, or should I be more worried?

Q2: Why can't I find the IP address in the ThreatFox database? I can reliably reproduce the Suricata alert by trying to access the IP address via https in a browser. The Suricata rule is from the abuse.ch.threatfox.rules ruleset (last updated today), and the reference_html URL (https://threatfox.abuse.ch/ioc/1226661/) does not yield useful information.
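As an added triage example (not code from the original post), the following Python pulls the decision-relevant facts out of an EVE JSON alert like the one above: whether the destination sits in a Cloudflare-published range, whether the server ever answered (the flow shows 0 packets to client, i.e. only a SYN was seen, so no TLS handshake or payload exchange happened), and the ThreatFox IOC page implied by the sid. The embedded Cloudflare range subset, the sid-to-IOC offset (inferred from sid 91226661 pairing with the reference URL ioc/1226661), and the two sample alerts are assumptions constructed so the code runs offline.

```python
import ipaddress

# Assumption: subset of Cloudflare's published IPv4 ranges (www.cloudflare.com/ips),
# embedded for offline use; fetch the current list in a real deployment.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18", "108.162.192.0/18",
    "188.114.96.0/20", "162.158.0.0/15", "104.16.0.0/13", "172.64.0.0/13",
)]
# Assumption: ThreatFox rule sids are 90000000 + IOC id (sid 91226661 -> ioc/1226661).
THREATFOX_SID_BASE = 90_000_000


def in_cdn_range(ip: str) -> bool:
    """True if ip falls inside one of the embedded Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def triage(eve: dict) -> dict:
    """Return the facts an analyst needs before trusting an ip:port IOC hit."""
    flow = eve.get("flow", {})
    sid = eve["alert"]["signature_id"]
    dest = eve["dest_ip"]
    shared_cdn = in_cdn_range(dest)
    # pkts_toclient == 0 means the server never replied: only the client's SYN
    # was observed, so no TLS handshake and no data could have been exchanged.
    answered = flow.get("pkts_toclient", 0) > 0
    # Alert records carry the TLS SNI only when Suricata logs app-layer metadata.
    sni = eve.get("tls", {}).get("sni")
    return {
        "dest_ip": dest,
        "shared_cdn_ip": shared_cdn,
        "server_answered": answered,
        "sni": sni,
        "threatfox_ioc_url": f"https://threatfox.abuse.ch/ioc/{sid - THREATFOX_SID_BASE}/",
        # An ip:port IOC on a shared CDN address cannot identify which tenant was
        # contacted; without SNI/JA3 from the tls log the hit stays inconclusive.
        "priority": "low" if shared_cdn and not answered and sni is None else "review",
    }


# Constructed sample alerts: the first mirrors the post's alert (SYN only, CDN IP);
# the second is a made-up hit on a non-CDN host where the server did answer.
SAMPLE_ALERT = {"dest_ip": "188.114.96.3", "dest_port": 443,
                "alert": {"signature_id": 91226661},
                "flow": {"pkts_toserver": 1, "pkts_toclient": 0, "bytes_toserver": 66}}
ESCALATE_ALERT = {"dest_ip": "203.0.113.7", "dest_port": 443,
                  "alert": {"signature_id": 91000042},
                  "flow": {"pkts_toserver": 12, "pkts_toclient": 9}}

if __name__ == "__main__":
    for a in (SAMPLE_ALERT, ESCALATE_ALERT):
        print(triage(a))
```

With the post's alert this yields priority "low" and the IOC URL https://threatfox.abuse.ch/ioc/1226661/; a completed session to a non-CDN address is returned for review instead.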