There are three likely scenarios that could have caused this message to appear:
- First, in the best case, it's a false alarm. Intrusion detection systems (IDSes) often generate false positive alerts. In order to determine if this is the case on your systems, you'll have to look at the details of the alerts and determine whether the packets triggering the alerts appear to be legitimate activity for your environment. What may be considered a legitimate packet on one network could be a rogue packet on another.
- The second possibility is that the intrusion attempt came from an infected system on the local network. If this is the case, the alert should still provide you with valuable information: the address of the system causing the alert. You should check that system for any signs of malicious activity.
- The final possibility is that your systems received the attack from outside your local network. In this case, you likely have a misconfiguration on your network firewall that allowed the traffic to reach the endpoint. Check your configuration and ensure that external traffic is not allowed into networks hosting endpoint systems without the use of a VPN.
Good luck tracking down the source of this attack!
Dig Deeper on Network intrusion detection and prevention (IDS-IPS)
Related Q&A from Mike Chapple
Explore the differences between wired and wireless network security, and read up on best practices to ensure security with or without wires. Continue Reading
Choosing to encrypt confidential data with AES or DES encryption is an important cybersecurity matter. Learn about the important differences between ... Continue Reading
It's not possible to eradicate the risk of DoS attacks, but there are steps infosec pros can take to reduce their impact. Mike Chapple shares ... Continue Reading