All,
Can anybody here assist me with outbound traffic events (from a small number of our internal hosts to the internet)?
Event: SSL.RSA.Temporary.Key.Security.Bypass
Additional information: http://www.fortinet.com/ids/VID40207
For a few months now, a fairly small number of machines have been generating an awful lot of outbound events to specific IP addresses.
We are pretty confident this is not something to be worried about, as we have leveraged additional tools to investigate our internal hosts. Still very interested in what this can be related to.
As a reference point, in the month of January 3 hosts generated 40825 events.
The following IP addresses are noted for these 3 hosts as the destination addresses they are communicating with (AT&T addresses belonging to CerfNet):
12.130.55.203: 14928 events
12.130.55.186: 5279 events
12.130.55.56: 10519 events
12.130.55.172: 3346 events
12.130.55.187: 3386 events
206.19.56.155: 3347 events
Anybody any idea?
R
I get the alert from a program called ATT Connect. It is a Webex type program that AT&T uses for their teleconferences that auto-starts and runs in the background on PCs. It does some communication in the background every few minutes to generate the alerts.
I have not figured out how to get rid of the alert other than shutting off the program.
Same thing here but with IP 12.130.142.57. Nothing w/ VirusTotal. I'm considering scanning for vulns using Metasploit.
Only happening on one single machine, many times an hour.
1 09:46:13 FGT90D3Z140xxxxx deny 192.168.x.x 12.130.142.57 SSL_SSLv2 HTTPS block APP1IPS1 SSL.RSA.Temporary.Key.Security.Bypass
Thanks!
I am in process of confirming this information and it looks to be indeed the root cause for this traffic.
Interesting on our side is that we use AT&T's managed service for IDS/IPS.
I will open a case with them to investigate their own software.