NetWork | ZeroBOX

Network Analysis

IP Address Status Action
116.203.10.69 Active Moloch
149.154.167.99 Active Moloch
164.124.101.2 Active Moloch
184.87.103.42 Active Moloch
GET 200 https://steamcommunity.com/profiles/76561199761128941
REQUEST
RESPONSE

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49164 -> 184.87.103.42:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49170 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.103:49170 -> 149.154.167.99:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49170 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.103:49169 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.103:49169 -> 149.154.167.99:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49169 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 149.154.167.99:443 -> 192.168.56.103:49171 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 116.203.10.69:443 -> 192.168.56.103:49167 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49169 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.103:49164
184.87.103.42:443
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com 10:20:2b:ee:30:69:cc:b6:ac:5e:47:04:71:ca:b0:75:78:51:58:f5

Snort Alerts

No Snort Alerts