MALWARE-CNC Win.Trojan.Pmabot outbound connection attempt, etc.

From time to time I get alerts such as the one above; there are others. These typically occur on a guest Wi-Fi network I run.

In my ACP (position 3), I have an entry allowing the DNS application from my DMZ (the guest Wi-Fi zone) to outside my ASA. Other rules below it match the HTTP/HTTPS applications, etc. The default rule (last position) in my ACP has the IPS and file policy active and is set to allow traffic.

I enabled the global block list configuration in the ACP settings under the Security Intelligence tab, and I changed the DNS setting to include a blacklist of the DNS sites that Talos records as suspect.

To block the DNS entries above, is it just a case of removing the DNS application entry (position 3) in my ACP and changing my default rule (last position) from allow to block, to ensure that DNS traffic to suspect sites is blocked? Or, by doing this, am I in danger of blocking other types of traffic?

I just want to allow HTTP, HTTPS and DNS traffic, but the latter only to trusted destinations. For the lookups that trigger the alerts above and others, I want them to be dropped if the DNS is blocked.

Regards

Darren

Hello team,

First of all, make sure that you are on the latest SRU version on the device.

By any chance, do you run phpMyAdmin on the device? Also check what the values of the HOME_NET and EXTERNAL_NET variables are.

If you think it is a false positive alert, then provide the following to TAC so they can check whether it is a false positive or a valid alert due to a problem.

1. A packet matching the rule:

- Log in to the web interface of the DC

- Go to Analysis > Intrusions > Events > switch the workflow to 'Table View of Events' > select the corresponding alert > click 'Download Packet'.

- You should get a ZIP file that contains a packet capture in PCAP format.

- Send the ZIP file to the TAC team and request an analysis.

Rate if the post helps you.

Regards

Jetsy

Tags: Cisco Security

Similar Questions

  • What does "Blacklist DNS reverse response searching for known malware domain spheral.ru - Win.Trojan.Glupteba (1:31600)" mean?

    I have a Cisco ASA5516-X w/ FirePOWER with an IPS license installed and I'm trying to determine what this Impact 1 alert means:

    Reverse DNS BLACK list response searching for known malware domain spheral.ru - Win.Trojan.Glupteba (1:31600)

    The source looks like it's coming from DNS servers on the internet:

    208.67.220.220

    208.67.222.222

    4.2.2.6

    204.117.214.10

    The destination is our domain controllers, which are configured to be our DNS servers. I'm just trying to understand what this alert really means. The classification is "a network Trojan has been detected", but does this mean that a user attempted to resolve a DNS record for a site that has been reported as malicious, or that they have malicious software on their PC that is trying to connect to a command & control server out in the wild? To be clear, the ingress for these alerts is our outside interface and the egress is our inside interface. If someone can provide a clear explanation for these alerts, it would be greatly appreciated. Thank you!

    Hello

    This does not necessarily mean that the PC or the DC is infected. This rule is for a reverse DNS lookup.

    With the source and the destination, it could just be a packet that is the reverse DNS lookup query response. Now, why this request is sent in the first place is a question, and worth investigating.

    flow:to_client; content:"|07|spheral|02|ru|00|"; fast_pattern:only;

    Download the packet capture from the rule event; you can check and verify the IP address that resolved to spheral.ru and then identify which PC initiated the request.

    Sometimes it could be an AV or security product trying a reverse DNS lookup for a suspect IP address.

    Rate if this helps.

    Yogesh

  • Through Windows Firewall: 'make an outgoing connection on Port 21'

    "Make an outgoing connection on Port 21". I'm trying to update a website with a web 'editor', and this expression comes up; they tried to help me solve my problem. All information and data is OK on their end, apparently.

    Hello

    Your Windows question is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the audience on the TechNet site. Please post your question at the link below:

    http://social.technet.Microsoft.com/forums/en/itproxpsp/threads

  • "Now attempting network connection."

    I need HELP... I have an HP Photosmart Premium e-All-in-One C310a. Here is the problem. The (Internet) cable was disconnected; now it is back up, but I cannot get the printer to connect. Everything worked fine before. When it tried to connect, it said that I didn't have the correct driver for the printer... so I tried to download it. Also tried the original disc. No matter what I do, I get the error "INVALID KEY IN SPECIFIED STATE... error 1603".

    After some frustration, I noticed that I was also getting a message that the operating system is not compatible. Investigating THIS, the download claims that I have Windows XP, which I do NOT. I am running Windows 7 64-bit with Internet Explorer 11.

    So, how do I get around that? Anyone?

    I can connect to my router, but after I connect to my network, that's where it stops, with "now attempting network connection".

    I've been playing with this for days now. ANY help will be appreciated.

    Tried it all wireless, but have you tried USB?

    Hi orkaydland, thanks for the reply!

    I would recommend running an SFC scan on your computer. Once the scan is completed, run the Adobe software update. I'm linking the documents below:

    Use the System File Checker tool to repair missing or corrupted system files

    Adobe updates

    You also need to restart the print spooler:

  • HP 7510 connected by USB to Win 7, "printer failure, 0xc19a0028. Stop, then press."

    When I turn on the HP 7510 I installed yesterday, connected by USB to Win 7, I get "printer failure, 0xc19a0028. Stop, then press." Same error 6 times. How to fix?

    I turned on the printer and ignored the advice of the "The printer failed" message to turn it off and then on again. Then, with the printer still on, I reinstalled all the ink cartridges. The printer worked.

  • Windows 8 laptop does not properly connect to Win 8.1 mobile Wi-Fi hotspot - connection shown as 'Limited' (no internet connection)

    Hello

    None of our Win 8 laptops appear to be able to connect to a Wi-Fi hotspot (internet sharing enabled, and Wi-Fi otherwise on the handset) provided by our Win Mobile 8.1 phone (Nokia Lumia 635). There seems to be a connection between the phone and the laptop, but it is shown as 'Limited' (no internet connection).

    The same phones can provide the internet connection through the same internet sharing setting to Windows 7 laptops without any problem.

    What additional settings are there on Win 8 laptops that require adjustment?

    Thank you!

    Hi Susanna,

    Welcome to the Microsoft Community Forum.

    I understand that you are unable to connect your Win 8 laptop to the Wi-Fi hotspot. I appreciate your efforts to solve this problem; I'll help you with that.

    Check the following Microsoft Help article: if you have enabled metered Internet connections on your computer, it will lead to problems of this kind.

    http://Windows.Microsoft.com/en-us/Windows-8/metered-Internet-connections-FAQ

    If the problem persists, try the procedure described in the following Microsoft Help article and then check if it helps.

    http://Windows.Microsoft.com/en-us/Windows/network-connection-problem-help#network-problems=Windows-81&V1H=win81tab1&V2H=win7tab1&V3H=winvistatab1&v4h=winxptab1

    See also the following Microsoft Help article.

    http://Windows.Microsoft.com/en-us/Windows/cant-connect-Internet#1TC=Windows-8

    Hope this helps; please get back to us for additional help on Windows. We will be happy to help you.

    Thank you.

  • Filter outgoing connections in WebLogic

    Hello

    I would like to configure WebLogic 10 to filter outgoing connections. Specifically, I would like to define some hosts/IPs which should not be invoked by any deployed application.

    I read everything on network connection filtering (https://docs.oracle.com/cd/E14571_01/web.1111/e13711/con_filtr.htm#SCPRG377), but it seems to me that the filtering applies only to incoming connections. Am I right about that?

    If network connection filtering cannot meet my requirement, is there another alternative?

    Thank you!

    Alex, I think you need to solve your problem by using a firewall (for example, on Linux: iptables).

  • Satellite P850 - no internet connection help with Win 8

    Can someone help me?
    I have just upgraded to Windows 8 on my Satellite P850 and now, depending on what I'm trying to do, it sometimes says that there is no Internet connection.

    I certainly have a strong link, because it works very well in the new Internet Explorer app, Norton 360 and Windows itself. But it won't work in other things on the desktop, such as iTunes, the Toshiba Upgrade Wizard, Internet Explorer on the desktop, Safari etc.

    Why is this? Of course the most important thing is the Toshiba Upgrade Wizard, but that doesn't get very far because it needs an Internet connection.

    Please help as soon as POSSIBLE. If you need additional information, let me know.

    Hello

    Does this happen using LAN or WLAN?
    If you have problems with the internet using Wi-Fi, I recommend that you check the connection to the local network.

    In addition, you must make sure that your installed software and other tools don't affect this; with Win 8, in some cases it could be a problem with preinstalled software that is not compatible with Win 8.

    I also see that you have Norton installed; check that the installed security tools don't affect the internet connection!

  • HP Wireless TV Connect - Win 8 laptop rarely links

    I have no trouble connecting my Win 7 laptop or Android tablet to an HDTV using the HP Wireless TV Connect device.

    Connection occurs very quickly.

    But I have a lot of trouble trying to get my Win 8.1 laptop to link to the TV. It keeps telling me it is linking, but it does not link. Now and then, on restarting or reconnecting, I get a connection, but it's sporadic.

    Any suggestions?

    Ian

    User Ramvoo on the Windows 8 Forum has found a way to make the HP work. I used his approach with my Windows 8.1 system and it does not work with either of my SAMSUNG HD TVs.

    It is clearly a workaround, but here we go:

    1. Go to Devices and Printers in Control Panel

    2. In the Unspecified section, double-click the HP wireless transmitter icon

    3. Click the Hardware tab, click the HID-compliant vendor-defined device, then Properties

    4. In the General tab section, click Change settings

    5. In the Driver section, click Disable. You will receive a warning message. Answer Yes.

    The HP will now be flagged as disabled. Fine. But it will now work.

    Later, when you select where to project, use the key combination Fn + F8 and choose either Extend or Second screen only. Duplicate does not work.

  • Cannot set up a network printer on an XP PC. Printer is connected to a Win 7 PC. PCs are connected through a VDSL router

    3 PCs connected to the internet via a VDSL router, wireless and LAN connections.

    All PCs can get to the internet.

    An XP PC is unable to set up the connection to a printer connected to the Win 7 PC.

    The XP PC cannot connect to the shared files on the Win 7 PC.

    The XP PC cannot display other PCs on the network.

    Hi

    Please try this one...

    1. Go to 'Printers'.
    2. Click on "Add a printer".
    3. Add a local printer.
    4. "Create a new port".
    5. Use the "Local Port" option.
    6. On "Enter a port name" enter: "\\Computername\Printername".

    Please confirm after that...

  • Windows 7 Starter homegroup trying to connect to the other Win 7 homegroup is not working as expected

    I have two Samsung N140 netbooks, both came with Windows 7 Starter; I'm trying to get homegroup networking going.

    I have set it up with the default values, at the same time sharing photo, video files etc. under homegroup sharing.

    It asked me to create a password for the homegroup, which I did (this could have come about because I initially had a netbook connected to a PC running Win 7 Ultimate, which is where I created a homegroup password, but this PC is no longer connected to the network; it's just the two Samsung netbooks).

    In any case, when I connected the other netbook with the first, it asked me for the homegroup password, which I entered successfully. However, nothing has been shared since. These two netbooks running Win 7 are the only PCs in my homegroup.

    I've managed to get to a point where, in the homegroup record, the netbook names are displayed in each other's homegroup; however, it is listed under Network for the homegroup shares when each tries to access the other over the network.

    I can connect both computers on the network in the old-fashioned way by sharing folders and accessing the network folder in My Network Places, and can read and write, but not in the homegroup.

    Homegroup is where I want to control networking, not by any other means. I would be very grateful if someone could point me in the right direction, or tell me if Win 7 Starter limits me from network access to the homegroup.

    Thank you very much

    Hey fatfei,

    Welcome to the Microsoft Answers site.

    I want to clear up some of the basics of networking in Windows 7 Starter edition.

    You cannot create a homegroup on a computer running Windows 7 Starter Edition. You can only join an existing HomeGroup from the Starter edition.
    This must be one of the restrictions placed on you while trying to connect the two Windows 7 Starter editions to a homegroup.

    So the only option left here is to upgrade to another version of Windows 7 that supports creating a HomeGroup, via Windows Anytime Upgrade, or to stick to the way they are connected at present.

    For more information, please read this article.

    Networking in Windows 7 Starter
    http://Windows.Microsoft.com/en-us/Windows7/networking-in-Windows-7-Starter

    Homegroup: frequently asked questions
    http://Windows.Microsoft.com/en-us/Windows7/HomeGroup-frequently-asked-questions

    Kind regards

    Shinmila H - Microsoft Support

    Visit our Microsoft Answers feedback forum and let us know what you think.

  • What is the number of "Auto-connect" attempts in TMS?

    Hello

    I would like to know how many times TMS would attempt to call an endpoint/MCU while trying to send the call information before it says:

    'Allocate failed, the conference is not automatically connected.'

    The conference type is Auto Connect.

    Automatic connection: Cisco TMS will automatically connect participants at the date and time specified.

    Hello

    It seems more like a first try and then 3 retries after the initial attempt, and it seems to be the same for the CHT and the MCU.

    So 1 initial attempt + 3 before it says it cannot automatically connect.

    / Magnus

  • Problem connecting to Remote Web Workplace from Win 8

    I upgraded to Win 8 on my PC at home. Now I can't connect to the Win 7 PC at work. I get to the screen where I choose the PC to connect to and then nothing happens. I can connect without problems from my Win 7 laptop. Help, please. Thanks. David.

    I have exactly the same problem. When I get to the point of "Connect to my computer at work" I just get a blank page. I use a brand new Windows 8 laptop computer. Our old Windows 7 based laptop works without any problem.

    In the old configuration, I had to enable ActiveX controls to get it working at the beginning... I checked that these same settings are in place on the new Windows 8 machine, and they are.

    PS - the two links you provided do not work.

  • Need Internet connection help: Fusion 6, Win 8

    I used Fusion 5 and had a Windows XP SP3 guest working very well. I made a copy of this virtual guest and, on a suggestion from the VMware KB, I answered "moved" at the prompt when I started the new one and it asked whether I had moved or copied it. It came up fine and, as the guest had been copied, the Internet connection (NAT) worked well. So I went to the Microsoft website and paid my $120 for a Windows 8 license. Downloaded and installed it on top of this cloned Win/XP guest. When it started up, it told me that there is no Internet connection. I activated the Win 8 license by phone. Restarted the Win 8 guest and still no Internet connection. I changed the operating system type to Windows 8 and tried again. Same result - no Internet connection. Changed to 64-bit Windows 8. The same problem. My iMac is OS X 10.7.5.

    What the hell do I need to do to get this ^&%$$ Windows OS to get an Internet connection?

    Thanks, Jim

    Folsom, CA

    Yes, it's a kind of clean install, not the type I'd do, but you didn't listen to what I said earlier about the differences between the virtual hardware of the two different operating systems. In any case, the information linked in my first answer covers only the network problem, so do as you wish. Also, I can't directly answer how to create the installation, as my previous comments referred to the only way that I have personally installed Windows 8... so Google is your friend on how to create an installer if the previously linked information is not sufficient.

  • Portege Z30-A-13H - problem connecting to 3G/4G, Win 7

    Hello.

    I bought the laptop a week ago and was never able to use the 3G connection.
    Toshiba Wireless Manager says "Mobile Broadband device is not communicating." I tried to reinstall the driver (using the latest one), used 3 different SIMs - the same problem.

    Any ideas to solve this?

    Thank you.

    Hello

    I think you should first check whether this function is turned on.
    The WiMAX/wireless WAN indicator lights up blue when the wireless WAN/WiMAX functions are enabled.
    The WiMAX/wireless WAN indicator is the first LED on the right; the second on the right should be the WLAN LED.

    The Fn + F8 key function toggles the WLAN/WAN on and off.
    Check it!

    Please also read this technical document from Toshiba:

    * How can I set up and establish a 3G connection via the preinstalled Toshiba Wireless Manager? *
    http://APS2.toshiba-tro.de/KB0/FAQ1A037W0000R01.htm
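As an added example (not from this thread, from Cisco, or from Talos), the following Python reproduces what the content match quoted in the spheral.ru / Glupteba question above does: it encodes the domain in DNS wire format, builds a constructed PTR response of the kind an upstream resolver returns to an internal DNS server (the to_client direction the rule inspects), and parses the match back out so the analyst can see which IP was asked about. The sample packet, the documentation-range IP 203.0.113.5 and all function names are constructed here; the quoted content option is only one fragment of rule 1:31600, so this is not the full rule.

```python
import struct

def encode_dns_name(domain: str) -> bytes:
    """Wire-format DNS name: one length byte per label, then a zero byte.
    'spheral.ru' -> 07 'spheral' 02 'ru' 00, the bytes the quoted
    content:"|07|spheral|02|ru|00|" option searches for."""
    labels = domain.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def snort_content(domain: str) -> str:
    """Render the same bytes in Snort's mixed text/|hex| content syntax."""
    labels = domain.rstrip(".").split(".")
    return '"' + "".join(f"|{len(l):02X}|{l}" for l in labels) + '|00|"'

def build_ptr_response(ip: str, target: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: the answer to a reverse (PTR) lookup of `ip`, as it
    travels from an upstream resolver (source) to the internal DNS server
    (destination); that is the to_client direction the rule inspects."""
    qname = encode_dns_name(".".join(reversed(ip.split("."))) + ".in-addr.arpa")
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # response, RD+RA
    question = qname + struct.pack("!HH", 12, 1)               # QTYPE=PTR, IN
    rdata = encode_dns_name(target)
    # Answer owner name is a compression pointer (0xC00C) to the question name.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 12, 1, 300, len(rdata)) + rdata
    return header + question + answer

def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (dotted name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                        # 2-byte compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)

def rule_hits(payload: bytes, domain: str) -> bool:
    """What the quoted content option does: a raw byte search for the encoded
    name anywhere in the payload, echoed question section included."""
    return encode_dns_name(domain) in payload

def summarize(payload: bytes) -> dict:
    """Recover what the analyst needs from a matching response: the name that
    was asked about (the reversed IP) and what it resolved to."""
    qname, off = read_name(payload, 12)              # question starts after header
    off += 4                                          # skip QTYPE/QCLASS
    _, off = read_name(payload, off)                  # answer owner name
    rtype, _, _, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
    off += 10
    target = read_name(payload, off)[0] if rtype == 12 else payload[off:off + rdlen].hex()
    return {"question": qname, "rtype": rtype, "target": target}
```

Because the match is a raw byte search, a to_client packet that carries the encoded name in its echoed question section (a response to a forward lookup of the domain) also hits, which is why the downloaded capture is what tells you whether the traffic was a PTR answer and which internal host asked.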
