Solved

Internet Traffic Help

Posted on 2014-07-31
202 Views
Last Modified: 2014-08-20
I have only just gotten to work with these tools and am new to reading this data, so bear with me. I am trying to get my firewall/router and bandwidth/traffic to run as efficiently as possible. When reviewing today after losing connection multiple times, I was reading the security event details. I need help in determining what I am reading and how, if at all, to fix them. At this moment I have 1916 Scans/Probes events, 145 DoS/Flash Crowd events, 56 Suspect Flow events, and 24 Bad Src-Dst events. Which ones do I worry about and what do I do?

One event
Event two
Question by:Jennifer
9 Comments
 
LVL 22

Expert Comment

by:eeRoot
ID: 40235464
These two errors, "invalid src-dst flows" & "TCP null violations", are not specific enough to make a conclusion. But the range of ports that are listed suggests this may be traffic from port scanners or port knockers. You do want to look at the sources of these alerts and what firewall rules are allowing this traffic. It may be that a firewall rule is too lax and is allowing unwanted connections.

Also, is 172.16.x.x an IP range of your equipment? Some 172.16 addresses are listed as sources of this traffic, along with the public IPs.
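A triage script in the spirit of the advice above, added here as an example and not part of the thread or of any ManageEngine or Cisco tooling: it reads flow records like the ones the reporting tool summarises and flags the three patterns discussed (one source touching many ports, TCP flows with no flags set, and a private address that is not ours arriving as a source from outside). The records, the 203.0.113.0/24 "public" range, the scan threshold and the invalid src-dst heuristic are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flows: (src, dst, dst_port, tcp_flags).
# 172.16.0.0/12 is the poster's internal range; 203.0.113.0/24 is
# documentation space standing in for public addresses.
FLOWS = [
    ("203.0.113.9", "172.16.1.10", 22, "S"),
    ("203.0.113.9", "172.16.1.10", 23, "S"),
    ("203.0.113.9", "172.16.1.10", 80, "S"),
    ("203.0.113.9", "172.16.1.10", 443, "S"),
    ("203.0.113.9", "172.16.1.10", 3389, "S"),
    ("172.16.1.55", "203.0.113.40", 443, "SA"),
    ("172.16.1.77", "203.0.113.40", 80, ""),    # TCP with no flags set ("null")
    ("192.168.5.5", "172.16.1.10", 445, "S"),   # private source arriving from outside
]

INTERNAL = [ipaddress.ip_network("172.16.0.0/12")]
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SCAN_PORT_THRESHOLD = 5  # assumed: distinct destination ports from one source


def is_in(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def triage(flows):
    """Return sources grouped by the pattern they match."""
    ports_by_src = defaultdict(set)
    findings = {"scan": set(), "invalid_src_dst": set(), "null_flags": set()}
    for src, dst, dport, flags in flows:
        ports_by_src[src].add(dport)
        # Assumed meaning of "invalid src-dst": a private address that is not
        # one of ours cannot legitimately be the source of traffic from outside.
        if is_in(src, PRIVATE) and not is_in(src, INTERNAL) and is_in(dst, INTERNAL):
            findings["invalid_src_dst"].add(src)
        if flags == "":
            findings["null_flags"].add(src)
    for src, ports in ports_by_src.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            findings["scan"].add(src)
    return findings


if __name__ == "__main__":
    for kind, sources in triage(FLOWS).items():
        print(kind, sorted(sources))
```

Each flagged source is a lead to check against the firewall rules and the host itself, not a verdict; a legitimate monitoring host can trip the scan heuristic just as easily.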
 

Author Comment

by:Jennifer
ID: 40239582
Thanks for the info eeRoot. I will look at the firewall rules. Yes, 172.16.x.x is an internal IP range. I didn't notice until you mentioned it that these were in the source and destination list as well. I saw the IP location and knew it was one of ours. I guess one question would be, while these don't look good, are they detrimental? Any thoughts on why my equipment IPs are showing up in with the public IPs? Do you have any suggestions on what I may need to set in the firewall rules? It was set up by an outside consultant and I took it over. I am good with the firewall itself and making modifications but sometimes need direction on making it more efficient.
 
LVL 22

Expert Comment

by:eeRoot
ID: 40240496
I would start with checking for rules in the firewall that would be allowing these ports. And also, make sure the servers are fully patched & have up to date antivirus software on them. Are these Windows or Linux servers? Either way, there are software tools that can be installed on the server to show what processes are creating network traffic. You might be able to ID the process that is creating this traffic. And contact the IPS vendor for more info on these messages. They should be able to determine if these are incorrect or legitimate warnings.
 

Author Comment

by:Jennifer
ID: 40246306
Sorry, I said these IPs were my equipment; they are, but they are desktops. All of my servers are Windows servers and are fully patched and up to date on virus/endpoint software. Now my desktops unfortunately are as patched as they can be, since I still have more than a handful with XP. I will look at the IPS log of the individual machines and see if there is anything being logged.

Any other tips?
 

Author Comment

by:Jennifer
ID: 40246314
Just a note: I am using an ASA5510 and ManageEngine NetFlow for the reporting tool.
 

Author Comment

by:Jennifer
ID: 40258745
Does anyone else have any input on these alerts? I have been reviewing and trying to determine how to adjust. There do seem to be fewer. Here are some I have from yesterday...

invalid src-dst - this one I am really not sure what to do with; there are a bunch of them and they have a bunch of source/destination IPs listed, including my external IPs. How do I fix?
invalidsrc-dst.png invalidsrc-dst-2.png
tcp null port scan - this one concerns me because it is my website's external IP that is the offender. How to fix?
nullport.png
possible dos/flash crowd - the offender IPs are both workstations on my network; what is it and how do I fix it?
dosflash.png
 
LVL 22

Assisted Solution

by:eeRoot
eeRoot earned 400 total points
ID: 40259879
If the source devices are Windows machines, you may want to monitor the network traffic on one of the listed PCs or servers and see if you see any suspicious traffic. And at this point, I would contact ManageEngine and see if they consider these alerts high risk, or if they are informational only or false alerts.
 

Accepted Solution

by:Jennifer
Jennifer earned 0 total points
ID: 40263835
I have started monitoring the machines more since I am able to narrow the individual ones down more. I have not contacted ManageEngine, one because they do list the type of alert that it is.
Thanks for the help, I will just have to search more for a solution.
 

Author Closing Comment

by:Jennifer
ID: 40272061
My question hasn't really been answered. Between the information here and other information, I have suggestions and ideas; however, it seems as though I am going to have to come up with a solution. So partial points.