NetWork | ZeroBOX

Network Analysis

IP Address Status Action
104.17.215.67 Active Moloch
104.26.4.15 Active Moloch
164.124.101.2 Active Moloch
34.117.59.81 Active Moloch
94.142.138.131 Active Moloch
GET 200 https://db-ip.com/
REQUEST
RESPONSE
POST 200 https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
REQUEST
RESPONSE
GET 200 http://94.142.138.131/api/tracemap.php
REQUEST
RESPONSE
GET 301 http://www.maxmind.com/geoip/v2.1/city/me
REQUEST
RESPONSE

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49180 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49180 -> 34.117.59.81:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49180 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49183 -> 104.26.4.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49185 -> 104.17.215.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49182 -> 104.26.4.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49180 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.102:49183
104.26.4.15:443
C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 8d:c8:6e:29:ea:e9:15:f8:85:80:ae:fd:51:f0:44:ca:8c:7d:0c:dc
TLSv1
192.168.56.102:49182
104.26.4.15:443
C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 8d:c8:6e:29:ea:e9:15:f8:85:80:ae:fd:51:f0:44:ca:8c:7d:0c:dc

Snort Alerts

No Snort Alerts