There are three likely scenarios that could have caused this message to appear:
- First, in the best case, it's a false alarm. Intrusion detection systems (IDSes) often generate false positive alerts. In order to determine if this is the case on your systems, you'll have to look at the details of the alerts and determine whether the packets triggering the alerts appear to be legitimate activity for your environment. What may be considered a legitimate packet on one network could be a rogue packet on another.
- The second possibility is that the intrusion attempt came from an infected system on the local network. If this is the case, the alert should still provide you with valuable information: the address of the system causing the alert. You should check that system for any signs of malicious activity.
- The final possibility is that your systems received the attack from outside your local network. In this case, you likely have a misconfiguration on your network firewall that allowed the traffic to reach the endpoint. Check your configuration and ensure that external traffic is not allowed into networks hosting endpoint systems without the use of a VPN.
Good luck tracking down the source of this attack!
Dig Deeper on Threat detection and response
Related Q&A from Mike Chapple
Examine the important differences between stateful and stateless firewalls, and learn when each type of firewall should be used in an enterprise ... Continue Reading
Explore the differences between wired and wireless network security, and read up on best practices to ensure security with or without wires. Continue Reading
Choosing to encrypt confidential data with AES or DES encryption is an important cybersecurity matter. Learn about the important differences between ... Continue Reading