Regarding the NSP Signature 0x4880ee00 (Botnet: Connection to Fast Flux Agent Detected):
Was this signature recently updated? Since June 9th I have been seeing thousands of "Fast Flux Agent Detected" alerts. Exporting a list of all public IPs is also not so easy with the tools provided in the NSM. However, investigating the alerts, I see that most of these are NTP requests and are being blocked on our Internet-facing firewall anyway. So this makes me question if this actually is legitimate threat traffic and just a massive amount of new false positives.
Since these alerts are new in my logs, has the BTP value or severity changed for this alert? Is there a way to audit the signature changes or see a changelog when a new signature database is installed?