Are these Alerts/Block False Positives?
-
I've been seeing frequent outbound hits from my WAN IP Address:
Class: A Network Trojan was Detected
Description ET INFO Suspicious Mozilla UA with no Space after colon
Destinations are various 54.240.190.* IPs. Reverse lookup shows they are registered to cloudfront.net. I started up Snort on the internal VLAN interfaces but do not see the same traffic passing through them.
After a bit of research, it appears there is a cloudfront virus, but there is also an Amazon affiliate, cloudfront.net.
Is this a false positive or should I worry?
I'm also seeing a lot of ET POLICY HTTP traffic outbound on port 80 to IPs registered to Akamai. Is it safe to suppress these as false positives?
-
It's not the answer you want to hear, but you have to make that decision yourself.
When the IDS detects an intrusion, what you do about it is your decision. Generally, I trust my IDS and act on what it reports. If the intrusion can be safely blocked without breaking any services then it stays blocked. If blocking breaks stuff then I usually capture the traffic in Wireshark and take my time to check what is actually happening.
If I can't block the intrusion because it is from a provider I will contact their sysadmin. Usually, when evidence is presented to the sysadmin the intrusion stops. If it doesn't stop, chew out whoever is insisting on using the provider by letting them know how much it is costing to deal with the provider's bad behaviour and insist on a compensatory discount at contract renewal or change of provider.
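An added illustration of the "capture it and check what is actually happening" step, not code from either poster: it runs the condition the rule name describes (a User-Agent header with no space after the colon whose value starts with "Mozilla") over constructed sample flows and notes whether the destination sits in the 54.240.190.0/24 range from the question, so the analyst can see which internal host and which client software are producing the matches. The exact rule content is assumed, and the hostnames, source IPs and request lines are constructed.

```python
import ipaddress
from collections import Counter
from typing import NamedTuple, Optional

# Destination range named in the question (reverse lookups to cloudfront.net).
CDN_RANGE = ipaddress.ip_network("54.240.190.0/24")

# Constructed sample flows (src, dst, raw HTTP request) standing in for a
# packet capture of the flagged traffic; none of these come from the thread.
SAMPLE_FLOWS = [
    ("192.168.1.20", "54.240.190.17",
     "GET /a HTTP/1.1\r\nHost: d1.example\r\nUser-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n\r\n"),
    ("192.168.1.20", "54.240.190.33",
     "GET /b HTTP/1.1\r\nHost: d2.example\r\nUser-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n\r\n"),
    ("192.168.1.31", "203.0.113.5",
     "GET /c HTTP/1.1\r\nHost: www.example\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n"),
    ("192.168.1.31", "54.240.190.17",
     "GET /d HTTP/1.1\r\nHost: d1.example\r\nUser-Agent:curl/7.88.1\r\n\r\n"),
    ("192.168.1.50", "203.0.113.9",
     "GET /e HTTP/1.1\r\nHost: x.example\r\nUser-Agent:Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n"),
]

class Finding(NamedTuple):
    src: str
    dst: str
    user_agent: str
    dst_in_cdn_range: bool

def suspicious_mozilla_ua(raw_request: str) -> Optional[str]:
    """Return the User-Agent value when the header has no space after the
    colon and the value begins with 'Mozilla'. Assumption: this is what the
    'Suspicious Mozilla UA with no Space after colon' rule keys on."""
    for line in raw_request.split("\r\n"):
        if line.lower().startswith("user-agent:"):
            value = line[len("user-agent:"):]
            if value.startswith("Mozilla"):  # a leading space fails this test
                return value
            return None
    return None

def triage(flows) -> list:
    """Apply the header check to each flow and record whether the destination
    is in the CDN range, so matches can be tied back to an internal host."""
    findings = []
    for src, dst, raw in flows:
        ua = suspicious_mozilla_ua(raw)
        if ua is not None:
            in_range = ipaddress.ip_address(dst) in CDN_RANGE
            findings.append(Finding(src, dst, ua, in_range))
    return findings

def sources_by_agent(findings) -> Counter:
    """Count matches per (source host, User-Agent): the pair worth chasing,
    since a CDN destination alone says nothing about the sending process."""
    return Counter((f.src, f.user_agent) for f in findings)
```

Running `sources_by_agent(triage(SAMPLE_FLOWS))` shows that one host sends the malformed header to several CDN addresses, which points the investigation at that host's software rather than at the destinations.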