We provided a freshly imaged desktop to an employee, who started receiving the following notification from the SEP12 network threat protection log:
Denial of Service "Smurf" attack detected
The direction is outgoing (from his machine) to a machine (another user's PC) which is in a totally different subnet.
As an example, the originating IP is 10.x.x.x and the remote host is 172.X.X.X
The protocol is ICMP
I am pretty sure this is a false positive, but I would like to understand what Symantec may have detected as a Smurf attack.
Is it DHCP traffic? Even if it is DHCP traffic, the remote host is a PC (not a server).
I would like to hear explanations of how this could have happened.
Thanks