Internet Traffic Help

I have only just gotten to work with these tools and am new to reading this data, so bear with me. I am trying to get my firewall/router and bandwidth/traffic to run as efficiently as possible. When reviewing today after losing connection multiple times, I was reading the security event details. I need help in determining what I am reading and how, if at all, to fix them. At this moment I have 1916 Scans/Probes events, 145 DoS/Flash Crowd events, 56 Suspect Flow events, and 24 Bad Src-Dst events. Which ones do I worry about and what do I do?

Attachments: One event, Event two
Jennifer (IT Director) asked:

eeRoot commented:
These two errors, "invalid src-dst flows" and "TCP null violations", are not specific enough to make a conclusion. But the range of ports that are listed suggests this may be traffic from port scanners or port knockers. You do want to look at the sources of these alerts and what firewall rules are allowing this traffic. It may be that a firewall rule is too lax and is allowing unwanted connections.

Also, is 172.16.x.x an IP range of your equipment? Some 172.16 addresses are listed as sources of this traffic, along with the public IPs.
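A way to act on eeRoot's advice about finding the rule that passes this traffic, on the ASA 5510 named later in the thread. This is an added example, not part of the thread; the ACL name `outside_access_in`, the host addresses and the hit counts are assumptions, and the `0x...` hash at the end of each ACL line is left as a placeholder.

```cisco
! Step 1: reset the hit counters, wait while the IPS alerts keep coming in,
! then list the ACL. Each entry prints hitcnt=N, so the permit entries the
! flagged flows are matching stand out; a broad "permit ip any any" with a
! high count is the kind of lax rule eeRoot describes. (Names assumed.)
ciscoasa# clear access-list outside_access_in counters
ciscoasa# show access-list outside_access_in
access-list outside_access_in line 1 extended permit tcp any host 203.0.113.10 eq www (hitcnt=4183) 0x...
access-list outside_access_in line 2 extended permit ip any any (hitcnt=2790) 0x...

! Step 2: for an internal host that shows up as a source in the alerts, list
! its live connections through the firewall to see what it is talking to.
ciscoasa# show conn address 172.16.10.25

! Step 3: per-connection permit/deny records are syslog message 106100, which
! the ASA emits for ACEs carrying the "log" keyword; with buffered logging on,
! pull them out of the buffer to see exact source, destination and port.
ciscoasa(config)# logging enable
ciscoasa(config)# logging buffered informational
ciscoasa# show logging | include 106100
```

Once the permitting entry is known, it can be narrowed to the specific hosts and ports the service actually needs, which removes the "allowed but unwanted" flows the IPS is counting.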
Jennifer (IT Director, author) commented:
Thanks for the info, eeRoot. I will look at the firewall rules. Yes, 172.16.x.x is an internal IP range. I didn't notice until you mentioned it that these were in the source and destination list as well. I saw the IP location and knew it was one of ours. I guess one question would be: while these don't look good, are they detrimental? Any thoughts on why my equipment IPs are showing up with the public IPs? Do you have any suggestions on what I may need to set in the firewall rules? It was set up by an outside consultant and I took it over. I am good with the firewall itself and making modifications, but sometimes need direction on making it more efficient.
eeRoot commented:
I would start with checking for rules in the firewall that would be allowing these ports. And also, make sure the servers are fully patched and have up-to-date antivirus software on them. Are these Windows or Linux servers? Either way, there are software tools that can be installed on the server to show what processes are creating network traffic. You might be able to ID the process that is creating this traffic. And contact the IPS vendor for more info on these messages. They should be able to determine if these are incorrect or legitimate warnings.
Jennifer (IT Director, author) commented:
Sorry I said these IPs were my equipment, they are, but they are desktops. All of my servers are Windows servers and are fully patched and up to date on virus/endpoint software. Now my desktops unfortunately are as patched as they can be since I still have more than a handful with XP. I will look at the IPS log of the individual machines and see if there is anything being logged.

Any other tips?
Jennifer (IT Director, author) commented:
Just a note: I am using an ASA5510 and Manage Engine NetFlow for the reporting tool.
Jennifer (IT Director, author) commented:
Does anyone else have any input on these alerts? I have been reviewing and trying to determine how to adjust. There do seem to be fewer. Here are some I have from yesterday...

- invalid src-dst: this one I am really not sure what to do with. There are a bunch of them and they have a bunch of source/destination IPs listed, including my external IPs. How do I fix it? (attachments: invalidsrc-dst.png, invalidsrc-dst-2.png)
- tcp null port scan: this one concerns me because it is my website's external IP that is the offender. How to fix? (attachment: nullport.png)
- possible dos/flash crowd: the offender IPs are both workstations on my network. What is it and how do I fix it? (attachment: dosflash.png)
eeRoot commented:
If the source devices are Windows machines, you may want to monitor the network traffic on one of the listed PCs or servers and see if you see any suspicious traffic. And at this point, I would contact ManageEngine and see if they consider these alerts high risk, or if they are informational only or false alerts.
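eeRoot twice suggests finding the process on a listed Windows machine that is generating the flagged traffic. The script below is an added example (not from the thread or from ManageEngine) that summarises `netstat -ano` per process so a workstation named in a "port scan" or "flash crowd" alert can be checked; it assumes PowerShell 3.0 or later and an elevated prompt.

```powershell
# Added example: group live connections by owning process on a Windows host.
# Needs PowerShell 3.0+ (Windows 7 and later). On the XP desktops mentioned in
# the thread, run "netstat -ano" and match the PID column against "tasklist".
# Run elevated so every PID resolves to a process name.

$rows = netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' }

$conns = foreach ($row in $rows) {
    $f = $row.Trim() -split '\s+'
    # TCP columns: Proto Local Foreign State PID; UDP rows have no State column.
    if ($f[0] -eq 'TCP') { $remote = $f[2]; $state = $f[3]; $owner = $f[4] }
    else                 { $remote = $f[2]; $state = '';    $owner = $f[3] }
    $cut = $remote.LastIndexOf(':')   # last colon also handles IPv6 "[::1]:135"
    [pscustomobject]@{
        Proto      = $f[0]
        RemoteHost = $remote.Substring(0, $cut)
        RemotePort = $remote.Substring($cut + 1)
        State      = $state
        OwnerPid   = [int]$owner
    }
}

# Listeners and wildcard rows are not traffic the IPS would see; drop them.
$local = @('0.0.0.0', '*', '[::]', '127.0.0.1', '[::1]')

# Many distinct remote ports to few hosts looks like a port scan; many distinct
# hosts on one port looks like the "flash crowd" pattern. Both sort to the top.
$conns | Where-Object { $local -notcontains $_.RemoteHost } |
    Group-Object OwnerPid | ForEach-Object {
        $proc = Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Pid         = $_.Name
            Process     = if ($proc) { $proc.ProcessName } else { '<exited>' }
            Connections = $_.Count
            RemoteHosts = @($_.Group.RemoteHost | Sort-Object -Unique).Count
            RemotePorts = @($_.Group.RemotePort | Sort-Object -Unique).Count
        }
    } |
    Sort-Object RemotePorts, RemoteHosts -Descending | Format-Table -AutoSize
```

Run it a few times while the NetFlow alerts are being raised; a process other than the browser or the usual line-of-business software sitting at the top of the table is the one to investigate, patch or remove.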
Jennifer (IT Director, author) commented:
I have started monitoring the machines more, since I am able to narrow the individual ones down more. I have not contacted ManageEngine, because they do list the type of alert that it is.
Thanks for the help. I will just have to search more for a solution.
Jennifer (IT Director, author) commented:
My question hasn't really been answered. Between the information here and other information I have suggestions and ideas however it seems as though I am going to have to come up with a solution. So partial points.