What is the cause of an 'intrusion attempt' message?

Have you ever received a message from your endpoint security product stating that an intrusion attempt has been blocked? Mike Chapple gives three possibilities for the alert's likely cause.

We have about 25 computers on our network. All have client antivirus security installed. Today, on several of them, I received a pop-up stating that an intrusion attempt has been blocked. This is the first time that I received this message. What could be some possible causes for this?
First, the good news. The message you received indicates that your endpoint security product is working properly. It detected and blocked the intrusion attempt, ensuring the security of that system.

There are three likely scenarios that could have caused this message to appear:

  • First, in the best case, it's a false alarm. Intrusion detection systems (IDSes) often generate false positive alerts. In order to determine if this is the case on your systems, you'll have to look at the details of the alerts and determine whether the packets triggering the alerts appear to be legitimate activity for your environment. What may be considered a legitimate packet on one network could be a rogue packet on another.
  • The second possibility is that the intrusion attempt came from an infected system on the local network. If this is the case, the alert should still provide you with valuable information: the address of the system causing the alert. You should check that system for any signs of malicious activity.
  • The final possibility is that your systems received the attack from outside your local network. In this case, you likely have a misconfiguration on your network firewall that allowed the traffic to reach the endpoint. Check your configuration and ensure that external traffic is not allowed into networks hosting endpoint systems without the use of a VPN.

Good luck tracking down the source of this attack!

More information:

  • A SearchSecurity.com reader asks Mike Chapple, "What are the differences between intrusion detection and intrusion prevention?"
  • Learn the best practices for creating an IDS and maintaining a signature database.
  • Dig Deeper on Threat detection and response

    Networking
    CIO
    Enterprise Desktop
    Cloud Computing
    ComputerWeekly.com
    Close