4 Replies Latest reply on Mar 14, 2014 7:02 AM by chayucas

    Standard reports - Top N Attacks

    chayucas

      Can someone explain me the difference between the two graphs showed in the Top N Attacks report ? what is the main difference between them? One definitively is showing the blocked attacks but the other one is including those ones plus many other ones.

       

      I attached my report. Thanks!

        • 1. Re: Standard reports - Top N Attacks
          cedricr

          Hi chayucas,

           

          you are correct, the first is showing all blocked attacks (attack result = blocked). The second one is showing all alerts with any attack result (blocked, successful, failed, inconclusive, n/a).

           

          Don't know what to say more about it, as it is quite standard report. If you have specific questions, you can add them here and we will try to help you.

           

          Best regards,

          Cedric

          • 2. Re: Standard reports - Top N Attacks
            chayucas

            Thanks for the response, so the second graph is showing that practically 350K Denial of service attacks were successful, failed, etc..for example since the data does not appear in the first graph right? but we don't know the details because this report is not broken by alert type...

             

            I'm asking this because the person who gave me the report is 100% confident that all the attacks were blocked, and I want to demonstrate that is not necessary the truth. My IT Audit team is concerned about this since the last security assessment.

             

            In summary, is this report the reflection of what is really going on?

             

            Thanks again!

            • 3. Re: Standard reports - Top N Attacks
              cedricr

              Hi chayucas,

               

              without knowing the whole environment you can never state, if IPS can refelct what is going on in the company network. Most of the attacks are policy violations and therefore not business critical.

               

              The DoS attack on first place has a quite high false positive rate and is therefore categorized as severity low. Check if DNS server are using BIND server below 9.2.2, if not the case, all attacks have failed.

               

              The MSSQL SLAMMER worm has to be checked where it is blocked and if any measures have to be taken.

               

              The ZeroAccess Bot is the most critical from that report, as it will probably mean, that there are some clients/server in the company network which are part of the ZeroAccess botnet.

               

              In addition, there can be lots of more critical attacks with a lower number which will never be shown in this report. You should at the three attacks more in detail. The report will give a first vague reflection of the network traffic.

               

              Best regards

              Cedric

              1 of 1 people found this helpful
              • 4. Re: Standard reports - Top N Attacks
                chayucas

                Thank you Cedric, this is very helpful.