cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted

NSM attack log events do not show source and destination IPs on some logs

Jump to solution
NSM attack log events do not show source and destination IPs on some logs
1 Solution

Accepted Solutions
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 2

Re: NSM attack log events do not show source and destination IPs on some logs

Jump to solution

Hello,

Alerts shown without any source and destination IP address are normally suppression alerts. Alert suppression alerts do not show the port, source IP and destination IP.

By default alert suppression is enabled and is configured in Devices | Devices | <choose sensor> | Setup | Advanced | Alert Options.

Alert suppression allows you to set a suppression limit for multiple occurrences of a singular attack for a specific source-destination IP address pair that is detected within a limited time frame. This is also known as Exploit throttling. Exploit throttling limits the number of duplicate alerts that are sent to Manager from a Sensor.

The original alert would have triggered with the source and destination IP address for this attack, but any triggering of the same attack (same source and destination ip address) within a short space of time would result in the suppression alert triggering without any source and destination IP address.

Please find details of alert suppression in NSP guide below:
https://docs.mcafee.com/bundle/network-security-platform-9.1.x-product-guide/page/GUID-62C9EE84-0677...

 

Thanks,

Ian Bryan

View solution in original post

1 Reply
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 2

Re: NSM attack log events do not show source and destination IPs on some logs

Jump to solution

Hello,

Alerts shown without any source and destination IP address are normally suppression alerts. Alert suppression alerts do not show the port, source IP and destination IP.

By default alert suppression is enabled and is configured in Devices | Devices | <choose sensor> | Setup | Advanced | Alert Options.

Alert suppression allows you to set a suppression limit for multiple occurrences of a singular attack for a specific source-destination IP address pair that is detected within a limited time frame. This is also known as Exploit throttling. Exploit throttling limits the number of duplicate alerts that are sent to Manager from a Sensor.

The original alert would have triggered with the source and destination IP address for this attack, but any triggering of the same attack (same source and destination ip address) within a short space of time would result in the suppression alert triggering without any source and destination IP address.

Please find details of alert suppression in NSP guide below:
https://docs.mcafee.com/bundle/network-security-platform-9.1.x-product-guide/page/GUID-62C9EE84-0677...

 

Thanks,

Ian Bryan

View solution in original post

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community