False positive or not - NSA2650 and Rapid7 SIEM
Hello
I keep getting alerts from our Rapid7 SIEM (InsightIDR) that look like the below
Account <user> had INBOUND firewall traffic from 71.6.199.23 (tracked in BlockList.DE - WizardCyber.com (Search: WizardCyber.com)) to <serverIP>
3:46:31 PM
Firewall activity was detected from 71.6.199.23:29011 to <serverIP>:8086. Connection status is ACCEPT. Direction is INBOUND.
I have a firewall rule that allows a couple of IP addresses access to port 8086 on that server. If I attempt a port scan or try to connect to that port via TELNET from an IP outside of the list, I get a "connection refused" or "port is not open" result.
To me this suggests the rule is working as intended and the connection isn't actually accepted and passed through to the internal server. Below is the log entry Rapid7 has ingested from the SonicWall.
16 Jul 2021 15:46:32.033{ "timestamp": "2021-07-16T15:46:31.000Z", "asset": "<servername>", "source_address": "71.6.199.23", "source_port": "29011", "destination_address": "<serverIP>", "destination_port": "8086", "direction": "INBOUND", "geoip_city": "Coronado", "geoip_country_code": "US", "geoip_country_name": "United States", "geoip_region": "CA", "source_data": "<134> id=firewall sn=18B169967280 time=\"2021-07-16 16:46:31\" fw=213.249.164.90 pri=6 c=262144 m=98 msg=\"Connection Opened\" app=49349 appName='Service Tivo TCP Data' n=5765142 src=71.6.199.23:29011:X1 dst=<serverIP>:8086:X0 proto=tcp/8086 sent=46 dpi=0 fw_action=\"NA\"" }
Can anyone confirm/deny my thoughts on this?
Best Answer
Cheeseman
Support got in touch with me and explained that this behaviour is normal. See closing comments below.
Problem Description :
query on log messages on firewall
Action/Analysis :
Closed
Impact :
no impact
Data:
Customer is noticing CONNECTION OPEN logs for rules which have a DENY action
Informed the customer that for every connection made an OPEN log is generated even though traffic would be dropped
Customer acknowledged
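An added triage script (not code from the thread, SonicWall or Rapid7) that parses the SonicWall key=value line out of a SIEM record like the one in the question and applies the support team's explanation: a Connection Opened record with fw_action="NA" is not evidence the firewall forwarded the packet, so the alert is escalated only when the firewall reports an explicit action for a source outside the allow list. The allow list, the second sample record and the action values "forward" and "drop" are assumptions for illustration, not values taken from the thread.

```python
"""Triage SonicWall "Connection Opened" records as ingested by a SIEM.

Added example; not code from the thread, SonicWall or Rapid7. The key=value
syntax, message id m=98, msg="Connection Opened" and fw_action="NA" come from
the log quoted in the question. The allow list, the second sample record and
the action values "forward"/"drop" are constructed/assumed for illustration.
"""
import json
import re

# One key=value pair: the value is double-quoted, single-quoted or a bare token.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|\'([^\']*)\'|(\S+))')
_PRI_RE = re.compile(r'^<(\d+)>\s*')


def parse_sonicwall(source_data: str) -> dict:
    """Turn a SonicWall syslog line into a dict; src/dst are split into ip/port/iface."""
    fields = {}
    pri = _PRI_RE.match(source_data)
    if pri:
        fields["syslog_pri"] = int(pri.group(1))
    for m in _KV_RE.finditer(source_data):
        # exactly one of the three value groups matched for this pair
        fields[m.group(1)] = next(v for v in m.groups()[1:] if v is not None)
    for end in ("src", "dst"):
        if end in fields:
            parts = fields[end].split(":")
            fields[f"{end}_ip"] = parts[0]
            fields[f"{end}_port"] = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
            fields[f"{end}_iface"] = parts[2] if len(parts) > 2 else None
    return fields


# Constructed allow list (TEST-NET addresses) standing in for the "couple of
# IP addresses" the question's rule permits on tcp/8086.
ALLOWED_SOURCES = {"203.0.113.10", "203.0.113.11"}
WATCHED_PORT = 8086
EXPLICIT_DENY_ACTIONS = {"drop"}  # assumed fw_action value name, not from the thread


def triage(siem_line: str, allowed_sources=ALLOWED_SOURCES) -> dict:
    """Decide whether a SIEM 'INBOUND ... ACCEPT' alert is evidence of forwarded traffic."""
    record = json.loads(siem_line[siem_line.index("{"):])  # drop the ingest timestamp prefix
    fw = parse_sonicwall(record["source_data"])
    src_ip = fw.get("src_ip")
    action = fw.get("fw_action", "")
    opened = fw.get("msg") == "Connection Opened"
    src_allowed = src_ip in allowed_sources

    if opened and action == "NA":
        # Per the support response in the thread: an OPEN record is written for
        # every attempt, including those a DENY rule drops, so the SIEM's ACCEPT
        # is not evidence that the packet reached the server.
        verdict = "connection_opened_no_verdict"
    elif action == "NA":
        verdict = "no_verdict"
    else:
        verdict = f"firewall_action_{action}"  # explicit action value, e.g. "forward"

    return {
        "src_ip": src_ip,
        "dst_port": fw.get("dst_port"),
        "fw_action": action,
        "verdict": verdict,
        "policy_expectation": "allow" if src_allowed else "deny",
        # Escalate only when the firewall reports an explicit non-deny action for a
        # source the rule should not admit; "NA" records need packet-monitor corroboration.
        "escalate": (not src_allowed)
        and action not in ("", "NA")
        and action not in EXPLICIT_DENY_ACTIONS
        and fw.get("dst_port") == WATCHED_PORT,
    }


# Sample 1: the record quoted in the question (server name/IP placeholders kept,
# geoip fields omitted for brevity).
SAMPLE_FROM_QUESTION = (
    '16 Jul 2021 15:46:32.033{ "timestamp": "2021-07-16T15:46:31.000Z", "asset": "<servername>", '
    '"source_address": "71.6.199.23", "source_port": "29011", "destination_address": "<serverIP>", '
    '"destination_port": "8086", "direction": "INBOUND", '
    '"source_data": "<134> id=firewall sn=18B169967280 time=\\"2021-07-16 16:46:31\\" fw=213.249.164.90 '
    'pri=6 c=262144 m=98 msg=\\"Connection Opened\\" app=49349 appName=\'Service Tivo TCP Data\' n=5765142 '
    'src=71.6.199.23:29011:X1 dst=<serverIP>:8086:X0 proto=tcp/8086 sent=46 dpi=0 fw_action=\\"NA\\"" }'
)

# Sample 2: constructed; a non-allow-listed source with an explicit action value
# ("forward" is an assumed fw_action value, not taken from the thread).
SAMPLE_CONSTRUCTED = (
    '{ "timestamp": "2021-07-16T16:02:10.000Z", "asset": "<servername>", "source_address": "198.51.100.7", '
    '"source_port": "51000", "destination_address": "<serverIP>", "destination_port": "8086", '
    '"direction": "INBOUND", '
    '"source_data": "<134> id=firewall sn=18B169967280 time=\\"2021-07-16 17:02:10\\" fw=213.249.164.90 '
    'pri=6 c=262144 m=98 msg=\\"Connection Opened\\" n=5765200 src=198.51.100.7:51000:X1 '
    'dst=<serverIP>:8086:X0 proto=tcp/8086 sent=46 dpi=0 fw_action=\\"forward\\"" }'
)

if __name__ == "__main__":
    for line in (SAMPLE_FROM_QUESTION, SAMPLE_CONSTRUCTED):
        print(triage(line))
```

Running it, the record from the question comes back as `connection_opened_no_verdict` with `escalate` False, which is the tuning the thread arrives at: suppress the SIEM's ACCEPT alert for m=98/fw_action="NA" records and rely on a packet monitor (or an explicit action value) before treating a hit on port 8086 from an unlisted source as a real exposure.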
Answers
The action is NA; I don't think the firewall forwarded the traffic.
You can set up a packet monitor to track the source IP 71.6.199.23; it will be easier for you to understand what action the firewall took.
Have you seen this discussion?
I had not seen that discussion... pretty much exactly what I'm asking here; it's a shame they never came back with the results from the support session!
Looks like I'll have to raise a ticket as it doesn't seem to be straightforward.
Thank you.
@Cheeseman while digging through the Log Reference myself I came across this note:
It is possible for some packets to trigger a Connection Opened, but later be dropped due to policy settings.
So I guess "some packets" is meant in a broader sense :)
--Michael@BWC
Good to know @BWC