This is not so much of an OSSIM question, but more of a Linux > Debian question.
So I'm running OSSIM 5.7.6 on Debian 8 on a VM and as of late, the server repeatedly tries to connect to two IP addresses that are already flagged and prevented by OTX signatures, which creates new alarms in the system periodically.
All alarms point to a seemingly non-existent filename: 5b0d8775e81751768fc457f4
I've tried to search for the file through: find, locate, WinSCP 'find files' but no luck.
And because the alarm came from an OTX signature, this prevented my server from being infected with a trojan.
The server tried to communicate with 13.33.96.251 and 13.33.96.153 through HTTPS: screenshot of SIEM logs
I would like to find this file (to analyze) and stop the alarm from reoccurring periodically; any help is much appreciated.
I've simply blocked the two addresses in our firewall, as a temporary fix. – chameleon – 2020-02-17T13:22:35.363
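Added example (not code from the question, from OSSIM or from OTX): a small POSIX sh helper for the search described above, covering the places where `find` and `locate` alone can miss a name: the filesystem tree, files still held open by a running process after being deleted (visible only under /proc/*/fd), and text references in cron entries or scripts that would recreate the file. Function names, the root directory argument and the sample files built in the test are assumptions.

```shell
#!/bin/sh
# Hypothetical helper (added example): locate a name that only shows up in
# SIEM alarms. ROOT is the directory to search (use / on the real host), TOKEN
# is the name fragment, e.g. 5b0d8775e81751768fc457f4 from the alarm.

# search_tree ROOT TOKEN: every path under ROOT whose name contains TOKEN.
# -xdev keeps the walk on one filesystem, so /proc and /sys are skipped.
search_tree() {
    find "$1" -xdev -name "*$2*" 2>/dev/null || true
}

# search_open_fds TOKEN: PID and target of every open file descriptor whose
# resolved path contains TOKEN. A file unlinked after being opened still
# appears here (with a "(deleted)" suffix), which find/locate cannot see.
search_open_fds() {
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            *"$1"*) printf '%s %s\n' "$(echo "$fd" | cut -d/ -f3)" "$target" ;;
        esac
    done
}

# search_text ROOT TOKEN: regular files under ROOT that mention TOKEN, such
# as a cron job, unit file or script that downloads the file again.
search_text() {
    find "$1" -xdev -type f -exec grep -lI -- "$2" {} + 2>/dev/null || true
}

# count_hits ROOT TOKEN: number of tree hits plus text hits under ROOT.
count_hits() {
    n=$(search_tree "$1" "$2" | wc -l | tr -d ' ')
    m=$(search_text "$1" "$2" | wc -l | tr -d ' ')
    echo $((n + m))
}
```

Run it as root so /proc entries of other users' processes are readable; a hit in search_text but none in search_tree usually means the file is gone but something is scheduled to fetch it again.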