5 Jan
ThreatFox alert on Cloudflare IP
On our company network, Suricata just raised the following (single) alert:
    {
      "timestamp": "2024-01-05T12:42:28.511703+0100",
      "flow_id": 1276412390854359,
      "in_iface": "igb0",
      "event_type": "alert",
      "src_ip": "10.1.1.13",
      "src_port": 53670,
      "dest_ip": "188.114.96.3",
      "dest_port": 443,
      "proto": "TCP",
      "alert": {
        "action": "allowed",
        "gid": 1,
        "signature_id": 91226661,
        "rev": 1,
        "signature": "ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)",
        "category": "A Network Trojan was detected",
        "severity": 1,
        "source": {
          "ip": "188.114.96.3",
          "port": 443
        },
        "target": {
          "ip": "10.1.1.13",
          "port": 53670
        },
        "metadata": {
          "confidence_level": [
            "100"
          ],
          "first_seen": [
            "2023_12_31"
          ]
        }
      },
      "flow": {
        "pkts_toserver": 1,
        "pkts_toclient": 0,
        "bytes_toserver": 66,
        "bytes_toclient": 0,
        "start": "2024-01-05T12:42:28.511703+0100"
      }
    }
This is what I was able to find out:
- At the time, the user on PC 10.1.1.13 was surfing the web during lunch break (in private mode, so we don't have a browser history). The destination port is 443, so that alert might have been caused by something loaded by his browser.
- According to whois, 188.114.96.3 is a Cloudflare IP.
- I can't find that IP in the ThreatFox database UI (I searched for ioc:188.114.96.3).
So while, at a first glance, this looks scary ("botnet C2 traffic ... confidence level: 100%"), I'm tempted to classify this incident as a false positive:
- Cloudflare is a CDN, so it's perfectly possible that the same IP might be used to serve the content of different customers (one of which might have been hacked).
- There are no other alerts or indicators of compromise.
Hence, my questions are:
Q1: Is this assessment reasonable, or should I be more worried?
Q2: Why can't I find the IP address in the ThreatFox database? I can reliably reproduce the Suricata alert by trying to access the IP address via HTTPS in a browser. The Suricata rule is from the abuse.ch.threatfox.rules ruleset (last updated today), and the reference_html URL (https://threatfox.abuse.ch/ioc/1226661/) does not yield useful information.
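As an added example (not part of the question, and not a tool shipped by Suricata or abuse.ch), here is a small Python triage helper that parses the EVE JSON record above and encodes the three checks the assessment in the question actually rests on: whether the destination sits in shared CDN address space, whether the flow ever got a reply from the server (the record shows one 66-byte packet to the server and nothing back, i.e. a bare SYN, so no C2 exchange took place), and how many other alerts exist for the same host. Two things are assumptions: the Cloudflare range list is an excerpt I embedded from the public https://www.cloudflare.com/ips-v4 list and should be refreshed from the live source, and the sid-to-IoC mapping (sid 91226661 referencing IoC 1226661, so sid = 90000000 + IoC id) is inferred from this single alert rather than documented anywhere on the page.

```python
"""Triage helper for a Suricata EVE JSON alert raised by a ThreatFox ip:port rule."""
import json
import ipaddress

# Constructed sample: the alert from the question, trimmed to the fields used below.
SAMPLE_EVE_LINE = json.dumps({
    "timestamp": "2024-01-05T12:42:28.511703+0100",
    "event_type": "alert",
    "src_ip": "10.1.1.13", "src_port": 53670,
    "dest_ip": "188.114.96.3", "dest_port": 443, "proto": "TCP",
    "alert": {
        "signature_id": 91226661,
        "signature": "ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)",
        "metadata": {"confidence_level": ["100"], "first_seen": ["2023_12_31"]},
    },
    "flow": {"pkts_toserver": 1, "pkts_toclient": 0,
             "bytes_toserver": 66, "bytes_toclient": 0},
})

# Assumed excerpt of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4);
# refresh from the live list before relying on it.
SHARED_CDN_RANGES = [ipaddress.ip_network(n) for n in (
    "188.114.96.0/20", "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13",
)]

# Assumption inferred from this alert alone: sid 91226661 references IoC 1226661,
# so the ruleset appears to use sid = 90000000 + ThreatFox IoC id.
THREATFOX_SID_BASE = 90_000_000


def parse_eve_alert(line):
    """Decode one EVE JSON line; return None for non-alert events (flow, dns, ...)."""
    rec = json.loads(line)
    return rec if rec.get("event_type") == "alert" else None


def flow_completed(alert):
    """True only if the server answered; a lone SYN means no data was exchanged."""
    flow = alert.get("flow", {})
    return flow.get("pkts_toclient", 0) > 0 and flow.get("bytes_toclient", 0) > 0


def in_shared_cdn(ip):
    """True if the address falls inside one of the embedded shared-CDN ranges."""
    return any(ipaddress.ip_address(ip) in net for net in SHARED_CDN_RANGES)


def threatfox_ioc_url(sid):
    """Rebuild the ThreatFox reference URL from the rule sid (see assumption above)."""
    return f"https://threatfox.abuse.ch/ioc/{sid - THREATFOX_SID_BASE}/"


def triage(alert, other_alerts_for_host=0):
    """Score an ip:port IoC hit and return a verdict together with the reasons."""
    reasons, score = [], 0
    dest = alert["dest_ip"]
    if in_shared_cdn(dest):
        reasons.append(f"{dest} is in a shared CDN range; the IoC may be one tenant of many")
    else:
        score += 2
        reasons.append(f"{dest} is not in a known shared-infrastructure range")
    if flow_completed(alert):
        score += 2
        reasons.append("server responded: real data exchange, inspect the flow/pcap")
    else:
        reasons.append("client sent one packet and got nothing back (likely a bare SYN)")
    if other_alerts_for_host:
        score += 1
        reasons.append(f"{other_alerts_for_host} other alert(s) for {alert['src_ip']}")
    verdict = "investigate" if score >= 2 else "likely false positive (verify)"
    return {"verdict": verdict, "score": score, "reasons": reasons,
            "ioc_reference": threatfox_ioc_url(alert["alert"]["signature_id"])}


if __name__ == "__main__":
    rec = parse_eve_alert(SAMPLE_EVE_LINE)
    print(json.dumps(triage(rec), indent=2))
```

The score thresholds are deliberately crude; the point is that a single ip:port hit on shared CDN space with no server reply carries much less weight than the "confidence level: 100%" in the signature text suggests, while the same rule firing on a completed session to a non-CDN address, or alongside other alerts for the host, should be escalated rather than closed.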