Endpoint SWAT: Protect the Endpoint Community

  • 1.  SEP 12.1.x: How to get support for IPS alerts

    Posted Sep 23, 2014 10:28 AM

    Hi all. 

    I am wondering, can I engage any level of Symantec tech support to evaluate the impact of IPS alerts when I get them?  Beyond your basic level 1 warranty support, which I am guessing will not be able to do this, is there anything from the SOS team (since I am a SEP SMB Specialist...ha! :) ) or some other higher level support?

    From time to time I see IPS alerts on a customer's network and I do what I can to read the details in the Monitors area and so on, then read the Symantec website description for the attack, but almost always it results in basically completely wasting my time since nothing actually comes out of doing that.  There are no remedies provided, and we all know that there's no point in trying to trace the IP.  So what, it's an IP in Brazil or something, yay.  Not like I can call them up and ask them to go away.


    But the structure of the alert is what confuses me most.  It's obvious when an IPS alert says that an inbound attack occurred from external IP to internal IP - this I figure is just a user going to a website that was infected perhaps.

    But often I notice that they are ones that relate to the internal IP address of the Exchange server.  The details say the attack is Outbound however, so it lists the internal IP of the Exchange server, and then some external public IP of the supposed target.  The ports are listed as 80 for the internal IP, and some higher-range one for the external IP.


    However since the Exchange server has Outlook Web App, who knows maybe the SEP IPS misinterprets the attack direction or something - like maybe somebody tries to exploit the OWA web interface in some way.  Beats me. 

    I can always post the specific attack type and mask the private information, but really what I want to know is whether or not I can get any help from Symantec support when I run into these - both to help me understand what's really happening, and to of course help remedy it should there be a bigger issue than a simple IPS alert. 

    And as a side question - how do you, the reader, as I hope a SEP admin for yourself or customers, deal with IPS alerts?  What is your step-by-step? 


    Thank you. 



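    Added example (not from this thread or from Symantec): a small Python triage helper over constructed alert records in a simplified CSV layout, which is an assumption and not the SEP export format. It uses the port pair the post describes (local port 80 facing a remote ephemeral port) to infer which side opened the session, assuming direction is reported relative to the local host as in the post, and says what to examine first.

```python
import csv
import ipaddress
from io import StringIO

# Constructed sample records in a simplified CSV layout. Assumption: this is NOT the
# real SEP export format, only the fields the post describes; IPs are test ranges.
SAMPLE_ALERTS = """\
direction,local_ip,local_port,remote_ip,remote_port,signature
Outbound,10.0.0.25,80,203.0.113.77,51234,constructed web-attack signature
Inbound,10.0.0.41,49822,198.51.100.9,80,constructed web-attack signature
Outbound,10.0.0.41,52100,198.51.100.9,443,constructed callback signature
Inbound,10.0.0.25,443,192.168.5.10,60111,constructed web-attack signature
"""

EPHEMERAL_START = 1024  # ports at or above this are treated as client-side ephemeral
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def session_role(local_port: int, remote_port: int) -> str:
    """Infer which side opened the TCP session from the port pair: a well-known
    local port facing an ephemeral remote port means the remote host connected
    to a service on the local host (the Exchange/OWA case in the post)."""
    if local_port < EPHEMERAL_START <= remote_port:
        return "local_is_server"
    if remote_port < EPHEMERAL_START <= local_port:
        return "local_is_client"
    return "ambiguous"


def triage(record: dict) -> dict:
    role = session_role(int(record["local_port"]), int(record["remote_port"]))
    outbound = record["direction"].strip().lower() == "outbound"
    remote = ipaddress.ip_address(record["remote_ip"])
    if role == "local_is_server":
        # Direction is relative to the local host. An "Outbound" hit on a session the
        # remote side opened is the server's reply, so look at the local service first.
        initiator, verdict = "remote", "remote-initiated session against local service; review that service's logs"
    elif role == "local_is_client" and outbound:
        initiator, verdict = "local", "local host sent the flagged traffic; check the local host for compromise"
    elif role == "local_is_client":
        initiator, verdict = "local", "reply from a remote server to a local client request; check what was fetched"
    else:
        initiator, verdict = "unknown", "port pair inconclusive; pull the full packet detail from the SEPM log"
    return {"initiator": initiator, "remote_rfc1918": any(remote in n for n in RFC1918), "verdict": verdict}


def triage_csv(text: str) -> list:
    """Triage every record in a CSV export; returns one dict per alert, in order."""
    return [triage(row) for row in csv.DictReader(StringIO(text))]
```

    Calling triage_csv(SAMPLE_ALERTS) returns one verdict per record; the first record is the Exchange case from the post and comes back as remote-initiated. A remote_rfc1918 value of True flags an internal source worth a closer look.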

  • 2.  RE: SEP 12.1.x: How to get support for IPS alerts
    Best Answer

    Posted Sep 23, 2014 10:33 AM

    Yes, they will assist you with this.



  • 3.  RE: SEP 12.1.x: How to get support for IPS alerts
    Best Answer

    Posted Sep 23, 2014 10:46 AM

    Have you also reviewed the IPS user guide here? http://www.symantec.com/docs/DOC6404

    Feel free to post the alerts and folks can take a look here as well. IPS is generally fairly easy to understand.



  • 4.  RE: SEP 12.1.x: How to get support for IPS alerts

    Posted Sep 23, 2014 01:36 PM

    Thanks guys.  It amazes me how wordy my posts can get.  Thanks so much for the IPS guide, I'll have a look.  Good to know I can call up anytime as well.  I'll post the specific Exchange one to a new thread shortly.