IPs being flagged as Security Risk - malware
I am seeing a lot of traffic to IPs generating alarms as a security risk (malware). But when I look at these IPs in any online reputation service, the ones I’ve checked are coming back fine (Talos, spamalytics, etc.) and that includes within 30 minutes of the alarm.
How does Firewalla make the determination to flag the IP as malware? I do have Strict mode enabled, but that doesn’t tell me why (or how) Firewalla determined an IP to be associated with malware. Especially when I can’t corroborate the results with independent data.
-
On your first question, we do have a private intel feed as well as an intel feed from our own systems. Likely this IP is from those sources. (I think we are also integrating a few public sources as well.) Since this is not a blocking alarm, it is likely this IP is on the border
"Security activity" can be malware, ransomware, crypto jack ... and a few other categories. Ignoring it will be bad.
-
Right - so it’s not possible to mute specific types of “security activity” alarms? Especially given the fact that I’m not able to validate that these are indeed malicious sites with any 3rd-party OSINT, even from very reputable sources.
It would be good to be able to be more focused on muting subtypes under a category, and if you provided more information on why a particular IP was flagged a certain way, especially when no other sources return that same data. I know that these lists rapidly change because of the nature of a lot of these IP addresses.
I don’t want to mute the alarms, but it seems like a lot of noise right now, and if the signal-to-noise ratio gets too far off, then it makes the system less effective.
-
To follow up on my own post, any thought to providing more detail in the alarm on the reason it was alarmed? I’ve never been able to find anything that generated an alarm that, when I investigated, showed up on any publicly available listing (Talos, Google, Zscaler, AlienVault, etc.). So I’d really like to know more specifics on why it was considered a risk. I’m guessing that these are generated from Zeek rules, so it may not be easy to include that sort of information in the feed file. But it makes it hard to really understand what the risk is if I can’t get any more detail. And while I do trust the Firewalla team (I bought 2 of them, after all), the mantra in the security world is “trust but verify”. Maybe having a lookup somewhere online for those with devices that will show the details, similar to how others handle it?
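One way to do the “trust but verify” step discussed in this thread, as an added example that is not code from the thread or from Firewalla: cross-check each flagged IP against a local mirror of independent feeds, count a listing only if it overlaps the alarm time (here ±30 minutes, the window mentioned above), and separate internal addresses that cannot be external malware infrastructure. The alarm record layout, the feed layout, and every IP and timestamp below are constructed assumptions, not real data or Firewalla's export format.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Alarm:
    ts: datetime      # when the device raised the alarm
    dst_ip: str       # destination IP that was flagged
    category: str     # "malware", "ransomware", "crypto jack", ...

def t(h, m):  # constructed timestamps, all on the same day (UTC)
    return datetime(2024, 1, 10, h, m, tzinfo=timezone.utc)

# Constructed sample alarms; the record layout is assumed, not Firewalla's export format.
ALARMS = [
    Alarm(t(12, 0), "203.0.113.10", "malware"),
    Alarm(t(12, 5), "198.51.100.7", "crypto jack"),
    Alarm(t(12, 9), "192.0.2.44", "ransomware"),
    Alarm(t(12, 15), "10.0.0.5", "malware"),
]

# Constructed local mirror of independent feeds: source -> ip -> (first_seen, last_seen).
FEEDS = {
    "feed-A": {"203.0.113.10": (t(11, 40), t(12, 20))},
    "feed-B": {"203.0.113.10": (t(11, 55), t(13, 0)),
               "198.51.100.7": (t(1, 0), t(2, 30))},   # listed, but hours before the alarm
}

def corroborate(alarm, feeds, window=timedelta(minutes=30)):
    """Sources whose listing interval overlaps alarm.ts +/- window."""
    lo, hi = alarm.ts - window, alarm.ts + window
    return sorted(src for src, entries in feeds.items()
                  if alarm.dst_ip in entries
                  and entries[alarm.dst_ip][0] <= hi and entries[alarm.dst_ip][1] >= lo)

def verdict(alarm, feeds):
    ip = ip_address(alarm.dst_ip)
    if any(ip in net for net in RFC1918):
        return "internal"               # private address: inspect the rule that fired, not the IP
    if corroborate(alarm, feeds):
        return "corroborated"
    if any(alarm.dst_ip in entries for entries in feeds.values()):
        return "listed-outside-window"  # on a feed, but not at alarm time: list churn, weak evidence
    return "uncorroborated"

def triage(alarms, feeds):
    # One verdict per flagged IP so unverifiable alarms can be reviewed separately from confirmed ones.
    return {a.dst_ip: verdict(a, feeds) for a in alarms}
```

Swap the constructed FEEDS for whatever feed snapshots you actually keep (with their own first/last-seen times) and the verdicts separate noise from alarms that an independent source backs up.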