
False positive or not - NSA2650 and Rapid7 SIEM

Hello

I keep getting alerts from our Rapid7 SIEM (InsightIDR) that look like the below

Account <user> had INBOUND firewall traffic from 71.6.199.23 (tracked in BlockList.DE - WizardCyber.com (Search: WizardCyber.com)) to <serverIP>

3:46:31 PM

Firewall activity was detected from 71.6.199.23:29011 to <serverIP>:8086. Connection status is ACCEPT. Direction is INBOUND.

I have a firewall rule that allows a couple of IP addresses access to port 8086 on that server. If I attempt a port scan, or try to connect to that port via Telnet from an IP outside of the list, I get a "connection refused" or "port is not open" result.

To me this suggests the rule is working as intended and the connection isn't actually accepted and passed through to the internal server. Below is the log entry Rapid7 has ingested from the SonicWall.

16 Jul 2021 15:46:32.033
{ "timestamp": "2021-07-16T15:46:31.000Z", "asset": "<servername>", "source_address": "71.6.199.23", "source_port": "29011", "destination_address": "<serverIP>", "destination_port": "8086", "direction": "INBOUND", "geoip_city": "Coronado", "geoip_country_code": "US", "geoip_country_name": "United States", "geoip_region": "CA", "source_data": "<134> id=firewall sn=18B169967280 time=\"2021-07-16 16:46:31\" fw=213.249.164.90 pri=6 c=262144 m=98 msg=\"Connection Opened\" app=49349 appName='Service Tivo TCP Data' n=5765142 src=71.6.199.23:29011:X1 dst=<serverIP>:8086:X0 proto=tcp/8086 sent=46 dpi=0 fw_action=\"NA\"" }

Can anyone confirm/deny my thoughts on this?

Category: Firewall Management and Analytics

Best Answer

Cheeseman (Newbie):

Support got in touch with me and explained that this behaviour is normal. See the closing comments below.

Problem Description:
Query on log messages on firewall

Action/Analysis:
Closed

Impact:
No impact

Data:
Customer is noticing CONNECTION OPEN logs for rules which have a DENY action.
Informed the customer that for every connection made an OPEN log is generated, even though the traffic would be dropped.
Customer acknowledged.
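The thread comes down to one detail of the SonicWall record: m=98 "Connection Opened" with fw_action="NA" records that a connection was seen, not that it was allowed, so a SIEM that maps "Connection Opened" to ACCEPT will raise exactly the kind of alert shown in the question. The following parser and triage logic is an added example written for this page; it is not SonicWall or Rapid7 code and was not posted in the thread. It parses the key=value syslog line quoted in the question, and only treats an explicit fw_action as the firewall's verdict. The second sample line is constructed (it reuses the posted record with fw_action changed to "drop"), and the assumption that "drop" is the value a dropped packet carries is labelled in the code; the allow-list and the "review"/"info"/"alert" outcomes are the example's own conventions.

```python
"""Parse SonicWall key=value syslog events and decide whether a
"Connection Opened" record is evidence of accepted traffic.

Added example for this thread; not SonicWall or Rapid7 code.
"""
import re
from typing import Dict, Set, Tuple

# The SonicWall record quoted in the question (values as posted; <serverIP>
# is the poster's redaction and is kept as-is).
SAMPLE_OPENED = (
    '<134> id=firewall sn=18B169967280 time="2021-07-16 16:46:31" '
    'fw=213.249.164.90 pri=6 c=262144 m=98 msg="Connection Opened" '
    "app=49349 appName='Service Tivo TCP Data' n=5765142 "
    'src=71.6.199.23:29011:X1 dst=<serverIP>:8086:X0 proto=tcp/8086 '
    'sent=46 dpi=0 fw_action="NA"'
)

# Constructed variant (not from the thread): the same record with an explicit
# verdict in fw_action. "drop" is ASSUMED to be the value used for dropped
# traffic; check it against your own firewall's logs.
SAMPLE_DROPPED = SAMPLE_OPENED.replace('fw_action="NA"', 'fw_action="drop"')

# key=value tokens: the value is "double-quoted", 'single-quoted', or bare.
_KV = re.compile(r"""(\w+)=(?:"([^"]*)"|'([^']*)'|(\S+))""")
_PRI = re.compile(r"^\s*<(\d+)>\s*")


def parse_sonicwall(line: str) -> Dict[str, str]:
    """Split a SonicWall syslog line into a dict of its key=value fields.

    The leading <PRI> is decoded into syslog facility/severity, and the
    src/dst 'ip:port:iface' triples are split into separate keys (IPv4 only).
    """
    fields: Dict[str, str] = {}
    pri = _PRI.match(line)
    if pri:
        code = int(pri.group(1))
        fields["syslog_facility"] = str(code >> 3)   # 134 -> 16 (local0)
        fields["syslog_severity"] = str(code & 7)    # 134 -> 6 (informational)
        line = line[pri.end():]
    for m in _KV.finditer(line):
        key, dq, sq, bare = m.groups()
        fields[key] = dq if dq is not None else sq if sq is not None else bare
    for ep in ("src", "dst"):
        if ep in fields and fields[ep].count(":") == 2:
            ip, port, iface = fields[ep].rsplit(":", 2)
            fields[f"{ep}_ip"], fields[f"{ep}_port"], fields[f"{ep}_iface"] = ip, port, iface
    return fields


def connection_verdict(fields: Dict[str, str]) -> str:
    """Return what the record actually proves about the connection.

    Per SonicWall support in this thread, "Connection Opened" (m=98) is logged
    for every connection, including ones the policy drops, and it carries
    fw_action="NA". Only an explicit fw_action is treated as a verdict.
    """
    action = fields.get("fw_action", "NA").strip()
    if action and action.upper() != "NA":
        return action.lower()           # the firewall recorded its decision
    if fields.get("m") == "98" or fields.get("msg") == "Connection Opened":
        return "attempt"                # connection seen; outcome not in this record
    return "unknown"


def triage(line: str, allowed_sources: Set[str]) -> Tuple[str, str]:
    """Decide how a SIEM should treat one record for a port that the firewall
    restricts to an allow-list of source IPs. Returns (disposition, reason)."""
    f = parse_sonicwall(line)
    verdict = connection_verdict(f)
    src, dport = f.get("src_ip", ""), f.get("dst_port", "")
    if verdict in ("attempt", "unknown"):
        # An open log alone is not an ACCEPT: hold it for correlation with the
        # firewall's own allow/deny events instead of alerting on it.
        return ("review", f"{src} -> :{dport} connection attempt; no accept/deny "
                          "recorded in this record, correlate with verdict logs")
    if verdict == "drop":
        return ("info", f"{src} -> :{dport} dropped by policy")
    # Any other explicit verdict means the firewall did not drop it.
    if src in allowed_sources:
        return ("info", f"{src} -> :{dport} permitted, source is on the allow-list")
    return ("alert", f"{src} -> :{dport} passed by firewall but not on the allow-list")


if __name__ == "__main__":
    for sample in (SAMPLE_OPENED, SAMPLE_DROPPED):
        print(triage(sample, {"203.0.113.5"}))
```

The design point is the separation between parsing and verdict: the SIEM's "Connection status is ACCEPT" in the question is an interpretation layered on top of the raw record, and the raw record never said so. Keeping the verdict function narrow (explicit fw_action only) makes the rule's false-positive behaviour visible and testable rather than buried in a field mapping.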
