Curious. After seeing a day of alerts from SEP on the server, we now get a handful of alerts daily that malicious activity is being attempted on the web server. SEP is blocking it, but I fear that eventually they may hit it with something that will not be blocked. What can I do to prevent this daily access? This all happened after a day that saw a "mass scanner" attack blocked on this same server. Example log below. The IP does change but is always foreign.
A high-risk intrusion was detected on server.domain.local within group Modified Policy Users on 12/11/2019 12:59:11 AM.
IPS Alert Name: Attack: an intrusion attempt was blocked.
Status: Blocked
Attack Signature: Web Attack: Masscan Scanner Request
Targeted Application: SYSTEM
Attacking IP: 80.82.70.118
Targeted IP: 192.168.10.6