So I'm seeing traffic in my LEM show up that doesn't make sense.
Here's the log entry:
Event Name: ServiceInfo
EventInfo: x.x.x.x [worker] - new_mail: aefc01fbd4f0c23ff5f022771583f1e4 1443132340 <HealthMailbox5d57ec28a15a476093363e5fbf6eccf9@somewhere.com> healthmailbox5d57ec28a15a476093363e5fbf6eccf9@somewhere.com 0 internal 5334 4096 InsertionIP: LEMserver Manager: lemserver DetectionIP: tubes.pl InsertionTime: 14:05:03 Thu Sep 24 2015 DetectionTime: 14:05:03 Thu Sep 24 2015 Severity: 4 ToolAlias: Tippingpoint Connector Discovery InferenceRule: ProviderSID: 1022 ExtraneousInfo: ServiceName: SourceAccount: SourceDomain: InfoMessage: x.x.x.x [worker] - new_mail: aefc01fbd4f0c23ff5f022771583f1e4 1443132340 <HealthMailbox5d57ec28a15a476093363e5fbf6eccf9@somewhere.com> healthmailbox5d57ec28a15a476093363e5fbf6eccf9@somewhere.com 0 internal 5334 4096
I've changed references to systems on my network as well as addresses.
So the DetectionIP makes no sense; we don't use any service called tubes.pl for email.
Also, we do not have any TippingPoint devices.
We do use Barracuda spam services, but that's not tubes.pl.
When I brought this up to support, they had me delete this node (tubes.pl) and wait for a bit to ensure it didn't show back up. Well, it came back mysteriously.
Just deleting it again doesn't make sense to me; not that it made sense the first time either, but I thought they 'should' know what they are doing.
I need to find out why the heck this keeps appearing as a node when it does not exist on my network.
The IP address it assigns is 185.53.178.6, which is some company in Germany.
So either SLEM is broken or my network has been hacked. This seemed to start sometime around updating to version 6.2, so maybe there is a problem with this release?
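As an added example (not code from the original post or from SolarWinds), here is a small Python triage script for the flattened key/value layout of the event above: it splits the event on the known LEM field names only (values such as InfoMessage contain their own colons, and several fields are empty), then flags a DetectionIP or ToolAlias that is not on an allowlist of nodes and connectors you actually deployed. The sample event is the redacted one quoted in the post; the allowlists are constructed placeholders.

```python
import re

# Field names exactly as they appear in the LEM event text quoted above.
FIELDS = ["Event Name", "EventInfo", "InsertionIP", "Manager", "DetectionIP",
          "InsertionTime", "DetectionTime", "Severity", "ToolAlias", "InferenceRule",
          "ProviderSID", "ExtraneousInfo", "ServiceName", "SourceAccount",
          "SourceDomain", "InfoMessage"]
# A field starts at the beginning of the text or after whitespace; anything else
# followed by a colon (e.g. "new_mail:" or "14:05:03") is part of a value.
_FIELD_RE = re.compile(r"(?:^|(?<=\s))(" + "|".join(re.escape(f) for f in FIELDS) + r"):\s*")

def parse_lem_event(text):
    """Return {field: value} for a flattened LEM event; empty fields give ''."""
    marks = list(_FIELD_RE.finditer(text))
    event = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        event[m.group(1)] = text[m.end():end].strip()
    return event

# Constructed from the (already redacted) event in the post above.
SAMPLE_EVENT = (
    "Event Name: ServiceInfo\n"
    "EventInfo: x.x.x.x [worker] - new_mail: aefc01fbd4f0c23ff5f022771583f1e4 1443132340 "
    "<HealthMailbox5d57ec28a15a476093363e5fbf6eccf9@somewhere.com> "
    "healthmailbox5d57ec28a15a476093363e5fbf6eccf9@somewhere.com 0 internal 5334 4096 "
    "InsertionIP: LEMserver Manager: lemserver DetectionIP: tubes.pl "
    "InsertionTime: 14:05:03 Thu Sep 24 2015 DetectionTime: 14:05:03 Thu Sep 24 2015 "
    "Severity: 4 ToolAlias: Tippingpoint Connector Discovery InferenceRule: ProviderSID: 1022 "
    "ExtraneousInfo: ServiceName: SourceAccount: SourceDomain: "
    "InfoMessage: x.x.x.x [worker] - new_mail: aefc01fbd4f0c23ff5f022771583f1e4 1443132340 "
    "<HealthMailbox5d57ec28a15a476093363e5fbf6eccf9@somewhere.com> "
    "healthmailbox5d57ec28a15a476093363e5fbf6eccf9@somewhere.com 0 internal 5334 4096"
)

# Assumed allowlists: the nodes and connectors you know you deployed (placeholders).
KNOWN_NODES = {"lemserver", "barracuda-spam"}
KNOWN_TOOLS = {"Barracuda Spam Firewall"}

def triage(event, known_nodes=KNOWN_NODES, known_tools=KNOWN_TOOLS):
    """List the reasons this event deserves a look; empty list means nothing unusual."""
    findings = []
    det, tool = event.get("DetectionIP", ""), event.get("ToolAlias", "")
    if det and det.lower() not in known_nodes:
        findings.append(f"DetectionIP '{det}' is not a node you deployed")
    if tool and tool not in known_tools:
        findings.append(f"ToolAlias '{tool}' is not a connector you deployed")
    return findings

if __name__ == "__main__":
    for line in triage(parse_lem_event(SAMPLE_EVENT)):
        print(line)
```

Run against the event from the post, it reports both the unknown node tubes.pl and the TippingPoint connector alias, which is the pair of facts to put in front of support rather than deleting the node again.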