Hi experts,
What to do with this kind of alert?

Should we manually increase the Risk Rating, or manually put the TCP reset? Block the IP directly?

Sometimes these kinds of IPs are an ISP's proxy; if you block them, other legal users will not be able to work. How to ensure no legitimate traffic is blocked?

asked 11/27/2011 07:53

osloboy ♦♦


5 Answers:
What is the alert?  What is the target?  I would tune the IPS based on the target, increasing the risk rating as necessary for critical targets.  I agree I wouldn't just automatically block the source IP for any alert.

answered

jmeggers

Sorry, forgot to dig the image.
IPS-alert.jpg (14 KB): Alert

answered 2011-11-28 at 06:22:45

osloboy

What's the MSS size at your site? Did you look up the IP address of the attacker? Did you report this to CIRT or any other group that tracks attacks to see if this is common or uncommon?

answered 2011-11-28 at 22:51:36

SteveJ

MSS is standard, CIRT not yet.

answered 2011-12-03 at 10:53:58

osloboy

no response

answered 2011-12-04 at 21:29:36

osloboy

Asked: 11/27/2011 07:53

Seen: 300 times

Last updated: 12/16/2011 05:18