Suspicious host ::1 ??

Hi,

I have correlation rules firing about a suspicious host for ::1. Apparently this would be in the watchlist "Botnet - Bot". This doesn't make any sense and generates a lot of false positives, also with other rules.

Why is this there? Please find a screenshot attached.

Kind regards

Jo

1 Solution

Accepted Solutions
jaimen
Level 9
Message 6 of 12

Re: Suspicious host ::1 ??

After a quick investigation into the referenced watchlist we see the IPv4 address of 0.0.0.1 currently on the list but being displayed as ::1. 

We have identified this as a display issue and are working with engineering to resolve.

Thank you for the feedback and screenshot to help us quickly identify the issue.
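The display issue jaimen describes, reproduced as an added example (this is constructed illustration code, not McAfee ESM code): a watchlist that stores each address as an integer plus its family, a renderer that ignores the family (so IPv4 0.0.0.1, integer value 1, shows up as ::1), the corrected renderer, and a matcher that only fires when family and value both agree. The watchlist name, the entry layout and the sample addresses are assumptions.

```python
import ipaddress
from typing import Iterable, NamedTuple


class WatchlistEntry(NamedTuple):
    """Assumed storage layout: address family (4 or 6) plus the address as an integer."""
    family: int
    value: int


# Constructed sample "Botnet - Bot" watchlist. The first entry is the one from the
# thread: IPv4 0.0.0.1, whose integer value is 1. The second uses a documentation range.
BOTNET_BOT = [
    WatchlistEntry(4, 1),
    WatchlistEntry(4, int(ipaddress.IPv4Address("198.51.100.7"))),
]


def render_buggy(entry: WatchlistEntry) -> str:
    """Reproduce the symptom: render the stored integer as IPv6 regardless of family."""
    return str(ipaddress.IPv6Address(entry.value))


def render_correct(entry: WatchlistEntry) -> str:
    """Render with the stored family, so value 1 is 0.0.0.1 for IPv4 and ::1 for IPv6."""
    cls = ipaddress.IPv4Address if entry.family == 4 else ipaddress.IPv6Address
    return str(cls(entry.value))


def on_watchlist(addr: str, watchlist: Iterable[WatchlistEntry]) -> bool:
    """Match only when both the family and the integer value agree.

    Comparing the integer alone would make ::1 (IPv6, value 1) collide with
    0.0.0.1 (IPv4, value 1), which is exactly the false positive in the thread.
    """
    ip = ipaddress.ip_address(addr)
    return any(e.family == ip.version and e.value == int(ip) for e in watchlist)


def suspicious_host(addr: str, watchlist: Iterable[WatchlistEntry]) -> bool:
    """Rule-side check: loopback sources (::1, 127.0.0.0/8) are never a remote host."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return False
    return on_watchlist(addr, watchlist)
```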

11 Replies
ksudki
Level 10
Message 2 of 12

Re: Suspicious host ::1 ??

Hi,

Noticed I had the same issue in the correlation rule.

What I did was modify the rule and add a filter on source IP not in ::1.

I do not know why they added it to the Botnet list, as it is the IPv6 loopback address (like 127.0.0.1 in IPv4).

Regards

Re: Suspicious host ::1 ??

Thanks, your feedback is appreciated. However, it would force modifying tons of rules; this doesn't seem like a good solution. I was thinking of adding ::1 to the "local network" under assets. Still, I don't understand why it's there in the first place; furthermore, I couldn't add ::1 in there anyway.

ksudki
Level 10
Message 4 of 12

Re: Suspicious host ::1 ??

I did not see many rules triggered with that issue.

I made a copy of the original rule and added that filter to work around this in the meanwhile. If you don't want to do so, you can simply filter the view by applying a negative filter on source IP ::1.

Maybe you should consider opening a ticket with support in order to modify this watchlist or to clarify the situation.

Regards

Re: Suspicious host ::1 ??

I had at least 4 rules triggering; I hope a specialist here replies to me with a solution. Furthermore, I thought I could use IPv6 addresses, but I cannot fill them in the "local network" under assets. Maybe I'm just missing something here.

Re: Suspicious host ::1 ??

Hi Jaimen,

That is great! It's clearly a false positive in this case. I think it should be removed from the list or only interpreted when it's really IPv4.

Re: Suspicious host ::1 ??

Hi,

Any update on this? It keeps giving me at least 5 types of false positives each day with correlation. It's a terribly annoying bug.

Re: Suspicious host ::1 ??

Hi jo_impakt,

::1 is IPv6 for localhost (127.0.0.1). It can also be written as ::1/128 (https://blog.icann.org/wp-content/uploads/2010/07/ipv6-address-types.pdf).

You must have systems using IPv6 in their stacks.

Re: Suspicious host ::1 ??

Hi rbkinsey,

I don't see how this relates to the question.
