Your SEP system has recognized a lot of Intrusion Prevention (IPS) events. You can check this more thoroughly with the SEPM logs: Monitors > Logs > Network Threat Protection > [Log Content] Attacks. Under "Advanced settings", you can limit the results to Intrusion Prevention events.

Mithun Sanghavi Symantec Employee Technical Support Accredited

Top Source of Attact - Comment:07 Dec 2012 : Link

Hello,

I want to know in the report that "attack host" coloum is source of attack host or destination attack host

It it is source then who is destination host and it is destination then who is source host

Does anything critical in this report to take a action or this is a normal report

This report consists of a pie chart with relative bars that shows the top hosts that initiated attacks against your network. It includes information such as the number and percentage of attacks, the attack type and severity, and the distribution of attacks.

You use this report to identify which hosts attack your network most frequently.

https://www-secure.symantec.com/connect/forums/what-difference-between-top-sources-attack-and-risk-distribution-attacker

As per your report, the Host with IP 10.12.124.177 is responsible for the highest number of Attacks.

In fact, checking the Top 5 machines, those are -

10.5.24.161, 10.4.12.163, 10.4.13.56 and 10.3.33.34

Plan of Action:

Isolate the machine the Host with IP 10.12.124.177 from the network.
Update the system with latest Microsoft patches, SEP definition and other application patches.
Scan the system in safe mode.
Reconnect the machine to the network

Secondly, work on the steps provided in the Article below:

Best practices for troubleshooting viruses on a network

http://www.symantec.com/docs/TECH122466

Security Best Practices for Protecting a Business Environment from Common Threats

http://www.symantec.com/docs/TECH105236

If that computer is isolated (taken off line) and still shows up in the reports, then this definitely sounds like old data/FP. You may wish to contact Support. There are no known issues about old data showing up in that report- Support can help you investigate completely.

If that machine is taken out of the equation and stops appearing in the report, and then reappears when it has been added back to the network... it's probably a legitimate indication of continuing trouble on the computer.

It may help to examine the logs of other computers on that one's subnet.... do they show continuing log entries about attempted intrusions coming from it?

(For new readers of this thread: the "Top Sources of Attack report" is used to identify which hosts attack your network most frequently. This report consists of a pie chart with relative bars that shows the top hosts that initiated attacks against your network. It includes information such as the number and percentage of attacks, the attack type and severity, and the distribution of attacks. Some more info can be found on http://seer.entsupport.symantec.com/docs/323525.htm )

Hope that helps!!

Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3

Twitter: @mithun_sanghavi

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<&a

Top Source of Attact

Comments 7 Comments • Jump to latest comment

Would you like to reply?

Links