Is there something wrong with attackers?

Unanswered Question
Jul 1st, 2008

When I look at the events I see 95% of the attackers are from my inside network. Is it wrong or is it normal? Shouldn't I see the attackers from outside, with real IPs?

thx

shridhar76 Wed, 07/02/2008 - 03:03

Hi,

In the firewall case you cannot check the real IP because the outside IP may be spoofed. Sometimes it may be real, when some hacker wants to touch your network from their public domain.

As per my suggestion, just apply the Reject rule; in this case the user cannot touch your interface and you will be safe.


Shridhar

mhellman Wed, 07/02/2008 - 04:48

You don't provide enough details (what sig is firing), but it is perfectly normal for an untuned IDS/IPS to have thousands of false positives, many of which will be sourced from your own network.


You should create an event action filter that has your network space as a source and add any signatures that are false positives.
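As an added example (not part of the original posts), this is one way to find which signatures deserve a filter review: count events per signature and measure how many are sourced from your own address space. The network ranges, signature names and events are constructed placeholders, and the thresholds are assumptions.

```python
import ipaddress
from collections import Counter

# Assumption: the protected address space; replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample events: (signature id, attacker address).
SAMPLE_EVENTS = [
    ("sig-1001", "10.1.1.5"),
    ("sig-1001", "10.1.1.6"),
    ("sig-1001", "10.1.2.9"),
    ("sig-1001", "198.51.100.7"),
    ("sig-2002", "203.0.113.4"),
    ("sig-2002", "10.1.1.5"),
    ("sig-3003", "192.168.5.20"),
    ("sig-3003", "192.168.5.21"),
]

def is_internal(addr):
    """True when the attacker address falls inside the protected ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def internal_share(events):
    """Fraction of all events whose attacker address is internal."""
    return sum(is_internal(a) for _, a in events) / len(events)

def filter_candidates(events, min_events=2, min_internal_ratio=0.7):
    """Signatures that fire mostly from internal sources, busiest first.

    These are candidates for manual review only: confirm each one is a
    false positive (and not an infected internal host) before filtering it.
    """
    total, internal = Counter(), Counter()
    for sig, attacker in events:
        total[sig] += 1
        if is_internal(attacker):
            internal[sig] += 1
    rows = []
    for sig, n in total.items():
        ratio = internal[sig] / n
        if n >= min_events and ratio >= min_internal_ratio:
            rows.append((sig, internal[sig], n, round(ratio, 2)))
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    print(f"internal share: {internal_share(SAMPLE_EVENTS):.0%}")
    for row in filter_candidates(SAMPLE_EVENTS):
        print(row)
```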
