We continue with the company EvilCorp: one of the servers on the finance network, despite showing no symptoms of compromise, makes certain suspicious connections.
Within the department there is a server (IP 33) that communicates with China; traffic with that country is restricted by GeoIP and is identified as blacklisted.
This time it turns out to be a false positive. A forensic investigation by the company's IT cybersecurity department shows that the first indicator of compromise, the process attempting to connect to China, is the system update process itself, which connects to a repository located in China, and that the other IoC corresponds to DNS requests to a public Google server.
Viewing in redBorder Platform
It is identified within Intrusion by the signature "reputation: Packet is blacklisted".
As in the previous case, we can see which Snort rules it has triggered by entering RAW mode, right-clicking each rule, and then clicking the information button that appears to view the event.
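Once the investigation has documented why the update mirror and the Google resolver are legitimate, the same reputation alerts will keep firing for the .33 server. The following triage script is an added example (not redBorder's or Snort's own code): it reads Snort fast-format alert lines carrying the "reputation: Packet is blacklisted" signature and marks only the exact destination, protocol and port combinations established by the investigation as documented-benign, so any other blacklisted connection from the same host still stands out. The alert lines, the internal address 10.10.20.33 and the mirror address 203.0.113.50 are constructed placeholders; the Google public DNS addresses are the real ones.

```python
import ipaddress
import re

# Constructed sample alerts in Snort "fast" format for the finance server (host .33).
# The third line reuses the update mirror's address but on an unexpected port.
SAMPLE_ALERTS = """\
03/12-09:15:01.123456  [**] [136:1:1] reputation: Packet is blacklisted [**] [Priority: 1] {TCP} 10.10.20.33:51234 -> 203.0.113.50:443
03/12-09:15:02.234567  [**] [136:1:1] reputation: Packet is blacklisted [**] [Priority: 1] {UDP} 10.10.20.33:40000 -> 8.8.8.8:53
03/12-09:16:10.345678  [**] [136:1:1] reputation: Packet is blacklisted [**] [Priority: 1] {TCP} 10.10.20.33:51300 -> 203.0.113.50:4444
"""

# Destinations sanctioned by the forensic investigation: (label, network, protocols, ports).
# Keep the entries narrow: one address, the expected protocol and the expected port only.
ALLOWLIST = [
    ("system update mirror in CN (placeholder address)", ipaddress.ip_network("203.0.113.50/32"), {"TCP"}, {80, 443}),
    ("Google public DNS", ipaddress.ip_network("8.8.8.8/32"), {"UDP", "TCP"}, {53}),
    ("Google public DNS", ipaddress.ip_network("8.8.4.4/32"), {"UDP", "TCP"}, {53}),
]

# Matches the reputation signature followed by the {PROTO} src:port -> dst:port tail.
ALERT_RE = re.compile(
    r"reputation: Packet is blacklisted.*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def triage(line):
    """Return (verdict, detail) for one alert line, or None if it is not a reputation alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    dst = ipaddress.ip_address(m["dst"])
    proto, dport = m["proto"], int(m["dport"])
    for label, net, protos, ports in ALLOWLIST:
        if dst in net and proto in protos and dport in ports:
            return ("documented-benign", label)
    # Same source host, but a destination/port not covered by the investigation.
    return ("investigate", f"{m['src']} -> {dst}:{dport}/{proto}")


def triage_all(text):
    """Triage every line of an alert file, skipping lines that are not reputation alerts."""
    return [r for r in (triage(line) for line in text.splitlines()) if r]


if __name__ == "__main__":
    for verdict, detail in triage_all(SAMPLE_ALERTS):
        print(f"{verdict:18} {detail}")
```

The third sample alert shows why the allowlist is keyed on port as well as address: the mirror's address on TCP/4444 is not what the update process was documented doing and is left for analysts to review.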