There are three likely scenarios that could have caused this message to appear:
- First, in the best case, it's a false alarm. Intrusion detection systems (IDSes) often generate false positive alerts. In order to determine if this is the case on your systems, you'll have to look at the details of the alerts and determine whether the packets triggering the alerts appear to be legitimate activity for your environment. What may be considered a legitimate packet on one network could be a rogue packet on another.
- The second possibility is that the intrusion attempt came from an infected system on the local network. If this is the case, the alert should still provide you with valuable information: the address of the system causing the alert. You should check that system for any signs of malicious activity.
- The final possibility is that your systems received the attack from outside your local network. In this case, you likely have a misconfiguration on your network firewall that allowed the traffic to reach the endpoint. Check your configuration and ensure that external traffic is not allowed into networks hosting endpoint systems without the use of a VPN.
Good luck tracking down the source of this attack!
Dig deeper on Network Intrusion Detection (IDS)
Related Q&A from Mike Chapple, Enterprise Compliance
Should companies obtain U.S. security clearance to join the Enhanced Cybersecurity Services program? Mike Chapple offers his perspective.continue reading
Does a Web application security assessment termed 'compliance ready' seem too good to be true? Learn its role in an enterprise compliance program.continue reading
Learn how hiring the right PCI DSS-compliant service providers, especially payment services providers, can reduce your compliance burden.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.