ET POLICY HTTP traffic on port 443
I've seen a number of alerts for this rule. In the rule, it mentions etrade. The source IP listed is my proxy server, the destination IP is 208.22.87.125. I've looked through the proxy logs and haven't found any hits on etrade's site. Could someone please explain this rule to me and how I might find what is triggering it?
Thanks,
Rod
On Wednesday, April 25, 2012 9:44:10 AM UTC-4, Martin wrote:
> That's an Akamai address, which hosts a ton of major web sites. The
> rule is triggering on non-encrypted HTTP traffic using port 443, which is
> normally only encrypted traffic. I was just looking at a Trojan
> yesterday that did this, so do not ignore these alerts entirely. You
> may want to add suppression via the threshold.conf file for this rule
> for the Akamai range, but that's tough to do because there are so many
> Akamai subnets. You should be able to confirm that the traffic looks
> benign through the Sguil transcript.
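Added example (not Rod's or Martin's, and not the ET rule itself): a small Python model of what the rule checks for (a plaintext HTTP request line on TCP/443 rather than a TLS handshake) and of the threshold.conf `suppress ... track by_dst` suppression Martin mentions. The sid is a placeholder, the 203.0.113.0/24 network stands in for a CDN range you have verified, and the sample flows are constructed.

```python
import ipaddress
from typing import Iterable

# Placeholder sid: substitute the real sid of the ET POLICY rule from your ruleset.
SID = 9999999
# Request-method tokens a plaintext HTTP request line starts with.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def is_plaintext_http(payload: bytes) -> bool:
    """True when the first client bytes look like an HTTP request line.
    A TLS ClientHello begins with a handshake record header (0x16 0x03 ..),
    so legitimate HTTPS never matches."""
    return payload.startswith(HTTP_METHODS) and b" HTTP/" in payload[:64]

def load_suppressions(lines: Iterable[str]):
    """Parse threshold.conf lines of the form
    'suppress gen_id 1, sig_id <sid>, track by_dst, ip <addr|cidr>'
    into (sid, network) pairs. Only by_dst suppressions are supported here."""
    out = []
    for line in lines:
        if not line.strip().startswith("suppress"):
            continue
        fields = dict(part.split() for part in line.strip()[len("suppress"):].split(","))
        if fields.get("track") == "by_dst":
            out.append((int(fields["sig_id"]), ipaddress.ip_network(fields["ip"], strict=False)))
    return out

def alerts(flows, suppressions, sid=SID):
    """Alert on plaintext HTTP sent to TCP/443, dropping events whose
    destination lies in a network suppressed for this sid."""
    hits = []
    for src, dst, dport, payload in flows:
        if dport != 443 or not is_plaintext_http(payload):
            continue
        if any(s == sid and ipaddress.ip_address(dst) in net for s, net in suppressions):
            continue
        hits.append({"src": src, "dst": dst, "request": payload.split(b"\r\n", 1)[0].decode()})
    return hits

# Constructed sample flows: (src, dst, dst_port, first client payload bytes).
SAMPLE_FLOWS = [
    ("10.0.0.5", "208.22.87.125", 443, b"GET /img/a.gif HTTP/1.1\r\nHost: cdn.example\r\n"),
    ("10.0.0.5", "208.22.87.125", 443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),
    ("10.0.0.5", "203.0.113.9", 443, b"GET / HTTP/1.1\r\nHost: static.example\r\n"),
    ("10.0.0.5", "198.51.100.7", 443, b"POST /report HTTP/1.1\r\nHost: example.test\r\n"),
    ("10.0.0.5", "198.51.100.7", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n"),
]
# Constructed suppression: 203.0.113.0/24 stands in for a CDN range you have verified.
SAMPLE_THRESHOLD_CONF = [f"suppress gen_id 1, sig_id {SID}, track by_dst, ip 203.0.113.0/24"]

def run_example():
    return alerts(SAMPLE_FLOWS, load_suppressions(SAMPLE_THRESHOLD_CONF))
```

Only the first and fourth sample flows alert: the TLS ClientHello, the suppressed CDN destination and the port-80 request are all dropped, which is the same triage Martin suggests doing by hand from the Sguil transcript.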