New flood of feodo tracker report alerts


coriumintl

Apr 29, 2015, 9:01:34 AM
to securit...@googlegroups.com
Starting yesterday around 3am Eastern, I'm getting a flood of alerts for what I think are false positives from most of the machines on my network; they are accessing primarily 23.62.6.88 (a DNS record of a23-62-6-88.deploy.static.akamaitechnologies.com).

Transcripts reference crl.microsoft.com with GET /pkli/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1

Do I want to simply disable this rule, or should I exclude akamaitechnologies.com from it?

Andrea De Pasquale

Apr 29, 2015, 10:07:54 AM
to securit...@googlegroups.com
Hi coriumintl,
You are right, an Akamai CDN was blacklisted in FeodoTracker.

It appears to have been removed from the website https://feodotracker.abuse.ch/host/23.62.6.88/, so tomorrow it should be removed from signatures too (assuming you're using Emerging Threats open feed).

Anyway, a better place for this kind of question might be the ETsigs mailing list (https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs) or AbuseCH itself (https://www.abuse.ch/?page_id=4727).

Regards,
-- Andrea De Pasquale
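
A small triage helper for the situation in this thread, added here as an example and not code from either poster: it checks whether a blocklist hit on a destination IP looks like a CDN edge address before anyone touches the rule. The IP, PTR name, Host header and URI come from the first post; the CDN suffix allowlist and the 198.51.100.7 sample (a TEST-NET-2 address) are constructed for the example.

```python
import re

# Reverse-DNS suffixes of CDN operators whose shared edge addresses have
# ended up on IP blocklists (constructed allowlist; akamaitechnologies.com
# is the one seen in this thread).
CDN_PTR_SUFFIXES = ("akamaitechnologies.com",)

# Akamai edge PTR names embed the address, e.g. a23-62-6-88.deploy.static...
AKAMAI_PTR = re.compile(r"^a(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.")


def ptr_matches_ip(ip, ptr):
    """True when the address embedded in the PTR name equals the alert IP.

    Whoever controls a reverse zone can put any name in it, so a PTR that
    merely looks like a CDN host is not evidence by itself; requiring the
    embedded address to agree with the alert IP is a cheap consistency check."""
    m = AKAMAI_PTR.match(ptr.lower())
    return bool(m) and ".".join(m.groups()) == ip


def is_cdn_ptr(ptr, suffixes=CDN_PTR_SUFFIXES):
    """True when the PTR name ends in one of the allowlisted CDN suffixes."""
    name = ptr.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in suffixes)


def classify_alert(alert):
    """Return (verdict, reasons) for a blocklist hit.

    alert: dict with keys ip, ptr, host (HTTP Host header) and uri."""
    reasons = []
    cdn = is_cdn_ptr(alert["ptr"])
    consistent = ptr_matches_ip(alert["ip"], alert["ptr"])
    if cdn:
        reasons.append("PTR is a CDN edge name")
    if consistent:
        reasons.append("address embedded in PTR matches the alert IP")
    if alert["uri"].lower().endswith(".crl"):
        reasons.append("request is a CRL fetch for %s" % alert["host"])
    verdict = "probable-cdn-fp" if cdn and consistent else "review"
    return verdict, reasons


def suggest_action(verdict, still_listed):
    """Narrowest change that stops the noise without blinding the sensor."""
    if verdict != "probable-cdn-fp":
        return "investigate: treat as a real blocklist hit"
    if still_listed:
        return "suppress this signature for the one IP; keep the rule enabled"
    return "no change: the next feed update drops the IP and the alerts stop"
```

The point of the two-step check is that a rule-wide disable or a suffix-wide exclusion is wider than the problem; once the feed drops the address, nothing needs changing at all.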

coriumintl

Apr 29, 2015, 10:10:34 AM
to securit...@googlegroups.com
Good, I'll sit on it for a couple more days. Didn't know where to go with this one.

Thanks!