
Top Source of Attack

Created: 04 Dec 2012 | 7 comments

Hi

We have generated a report for top source of attack, which I have attached here.

I want to know whether the "attack host" column in the report is the source attack host or the destination attack host.

If it is the source, then who is the destination host, and if it is the destination, then who is the source host?

Is there anything critical in this report that requires action, or is this a normal report?

 

Regards

 

Comments

Srikanth_Subra's picture

Top Source attack means that it is the source only, not the destination.

You may be better off scanning those systems to see whether there are any virus infections.

Thanks & Regards,

 Srikanth.S

"Defeat the Defeat before the Defeat Defeats you"
(Swami Vivekananda)

Syed saied's picture

Hi,

Refer to the article below:

http://www.symantec.com/docs/TECH102539

 

Thanks In Advance...

Syed Saied

If the suggestion has helped to solve your problem, please mark the post as a solution

Syed saied's picture

Hi,

Refer to page 147 of this book.

ftp://ftp.symantec.com/public/english_us_canada/products/symantec_client_security/3.1/manuals/scsadmn.pdf

 

Thanks In Advance...

Syed Saied

If the suggestion has helped to solve your problem, please mark the post as a solution

greg12's picture

"Top source of attack" are the attacking hosts.

You can generate a report for the attacked hosts with "Top Targets Attacked".

Your SEP system has recognized a lot of Intrusion Prevention (IPS) events. You can check this more thoroughly with the SEPM logs: Monitors > Logs > Network Threat Protection > [Log Content] Attacks. Under "Advanced settings", you can limit the results to Intrusion Prevention events.

Mithun Sanghavi's picture

Hello,

I want to know whether the "attack host" column in the report is the source attack host or the destination attack host.

If it is the source, then who is the destination host, and if it is the destination, then who is the source host?

Is there anything critical in this report that requires action, or is this a normal report?

This report consists of a pie chart with relative bars that shows the top hosts that initiated attacks against your network. It includes information such as the number and percentage of attacks, the attack type and severity, and the distribution of attacks.

You use this report to identify which hosts attack your network most frequently.

https://www-secure.symantec.com/connect/forums/what-difference-between-top-sources-attack-and-risk-distribution-attacker

As per your report, the Host with IP 10.12.124.177 is responsible for the highest number of Attacks.

In fact, checking the Top 5 machines, those are -

10.5.24.161, 10.4.12.163, 10.4.13.56 and 10.3.33.34

Plan of Action:

  1. Isolate the host with IP 10.12.124.177 from the network.
  2. Update the system with latest Microsoft patches, SEP definition and other application patches.
  3. Scan the system in safe mode.
  4. Reconnect the machine to the network

Secondly, work on the steps provided in the articles below:

Best practices for troubleshooting viruses on a network

http://www.symantec.com/docs/TECH122466

Security Best Practices for Protecting a Business Environment from Common Threats

http://www.symantec.com/docs/TECH105236

 

 

If that computer is isolated (taken offline) and still shows up in the reports, then this definitely sounds like old data/FP. You may wish to contact Support. There are no known issues about old data showing up in that report; Support can help you investigate completely.

If that machine is taken out of the equation and stops appearing in the report, and then reappears when it has been added back to the network... it's probably a legitimate indication of continuing trouble on the computer. 

It may help to examine the logs of other computers on that one's subnet.... do they show continuing log entries about attempted intrusions coming from it?

(For new readers of this thread: the "Top Sources of Attack report" is used to identify which hosts attack your network most frequently. This report consists of a pie chart with relative bars that shows the top hosts that initiated attacks against your network. It includes information such as the number and percentage of attacks, the attack type and severity, and the distribution of attacks.  Some more info can be found on http://seer.entsupport.symantec.com/docs/323525.htm )

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
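
The isolate-and-reconnect check described in the reply above, as an added example that is not part of the original thread or Symantec's own tooling. It groups an exported attack log by attacking host, lists the targets each one hit, and classifies a host by when its events occurred; the CSV column names and the log rows are constructed assumptions, not the actual SEPM export schema.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample rows. Column names are assumptions for illustration,
# not the actual SEPM export schema; map them to your own export's headers.
SAMPLE_LOG = """time,local_host,remote_host,severity
2012-12-03 09:10:00,10.4.12.20,10.12.124.177,Major
2012-12-03 09:12:00,10.4.12.21,10.12.124.177,Major
2012-12-03 09:15:00,10.4.12.20,10.5.24.161,Minor
2012-12-06 14:00:00,10.4.12.22,10.12.124.177,Major
"""

def load_sources(log_text):
    """Group events by attacking (remote) host: timestamps and distinct targets."""
    sources = defaultdict(lambda: {"times": [], "targets": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        entry = sources[row["remote_host"]]
        entry["times"].append(datetime.strptime(row["time"], FMT))
        entry["targets"].add(row["local_host"])
    return dict(sources)

def triage(sources, host, isolated_at, reconnected_at=None):
    """Classify a source host using the isolate/reconnect test from the thread."""
    times = sources.get(host, {"times": []})["times"]
    end = reconnected_at or datetime.max
    # Events logged while the host was off the network cannot be real traffic.
    if any(isolated_at <= t < end for t in times):
        return "events while isolated: likely old data or FP"
    # Quiet while isolated, active again once reconnected.
    if reconnected_at and any(t >= reconnected_at for t in times):
        return "reappeared after reconnect: likely continuing trouble on the host"
    return "no events since isolation"

if __name__ == "__main__":
    sources = load_sources(SAMPLE_LOG)
    ranked = sorted(sources.items(), key=lambda kv: -len(kv[1]["times"]))
    for host, entry in ranked:
        print(host, len(entry["times"]), "events ->", sorted(entry["targets"]))
    print(triage(sources, "10.12.124.177",
                 datetime(2012, 12, 4, 8, 0), datetime(2012, 12, 6, 9, 0)))
```
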