

Looking in the comments section on the AlienVault threat analysis page will hopefully give you some insight into this particular IP. The next logical question is “Well, is this activity ongoing?” Is this something we’re seeing on a regular basis, or was it a one-time thing? Your next step is figuring out how consistent this behavior is. However, if it’s a known malicious website that’s feeding, or pushing down, exploit kits to people browsing the site, then you should be more concerned with that and spend a bit more time digging into it. You shouldn’t run off and reimage the host based only on a threat alert associated with a scanning host. If it’s just a scanning host, it’s probably not a huge issue.

So, is this a website that’s serving some kind of exploit kit, or is it a scanning host? You need to consider the context associated with this. Is it a malware IP, or a command and control server? Is it a spamming IP, or is it just scanning the internet? All of that information will be provided there. The first place to start is really digging into that threat details page and spending some time on the details of the activity that’s been reported for this host.
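As an added illustration, not code from the original talk or from AlienVault, here is a small Python triage helper that applies the two questions above, what kind of activity the threat details report and whether the contact is ongoing, to a few constructed connection log lines. The log lines, the grouping of context labels and the recommendation strings are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Constructed sample of outbound connections from internal hosts to the
# alerted IP. These are made-up log lines, not data from the talk.
SAMPLE_CONNECTIONS = [
    "2024-03-01T08:12:03Z 10.0.0.5 -> 203.0.113.7:80",
    "2024-03-01T08:12:09Z 10.0.0.5 -> 203.0.113.7:80",
    "2024-03-03T14:40:11Z 10.0.0.9 -> 203.0.113.7:443",
    "2024-03-05T09:02:55Z 10.0.0.5 -> 203.0.113.7:80",
]
SAMPLE_NOW = datetime(2024, 3, 6)  # the "now" used when judging recency

# Context labels grouped the way the talk does: activity worth digging into
# versus activity that is usually background noise on the internet.
HIGH_IMPACT = {"exploit kit", "malware", "command and control"}
LOW_IMPACT = {"scanning host", "spamming"}

def parse_connections(lines):
    """Turn 'timestamp src -> dst:port' lines into (timestamp, src) tuples."""
    events = []
    for line in lines:
        ts, src, _arrow, _dst = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src))
    return events

def activity_summary(events, now):
    """Answer 'is this ongoing?': distinct days seen, hosts involved, hits in the last week."""
    return {
        "distinct_days": len({ts.date() for ts, _ in events}),
        "hosts": len({src for _, src in events}),
        "recent": sum(1 for ts, _ in events if now - ts <= timedelta(days=7)),
    }

def triage(context_tags, events, now):
    """Combine threat-details context with observed activity into a next step."""
    tags = {t.lower() for t in context_tags}
    summary = activity_summary(events, now)
    ongoing = summary["distinct_days"] > 1 and summary["recent"] > 0
    if tags & HIGH_IMPACT:
        if events:
            return ("high", f"{summary['hosts']} internal host(s) reached a "
                            f"{'/'.join(sorted(tags & HIGH_IMPACT))} IP; dig into those hosts")
        return ("medium", "no internal contact observed yet; alert on the first hit")
    if tags & LOW_IMPACT:
        if ongoing:
            return ("low", "recurring scan/spam source; block at the edge and monitor")
        return ("low", "one-time scanner contact; no reimage warranted")
    return ("unknown", "read the threat details page before deciding")
```

Call `triage(["Scanning Host"], parse_connections(SAMPLE_CONNECTIONS), SAMPLE_NOW)` to see the low-priority path, and swap in `["Malware", "Command and Control"]` to see the same traffic escalated.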
