https://community.cisco.com/t5/network-security/attackers-showing-inside-subnets/m-p/2156633#M53860 <P>All my attackers IP addresses are from my inside network. I never have an external IP show up as an attacker, its all internal. Then the victims are showing external IP addresses. Shouldn't it be the other way around, most of the time. </P> Sun, 10 Mar 2019 12:56:27 GMT Matt Roberts 2019-03-10T12:56:27Z https://community.cisco.com/t5/network-security/attackers-showing-inside-subnets/m-p/2156633#M53860 <P>All my attackers IP addresses are from my inside network. I never have an external IP show up as an attacker, its all internal. Then the victims are showing external IP addresses. Shouldn't it be the other way around, most of the time. </P> Sun, 10 Mar 2019 12:56:27 GMT https://community.cisco.com/t5/network-security/attackers-showing-inside-subnets/m-p/2156633#M53860 Matt Roberts 2019-03-10T12:56:27Z https://community.cisco.com/t5/network-security/attackers-showing-inside-subnets/m-p/2156634#M53861 <HTML><HEAD></HEAD><BODY><P>Hi Matt,</P><P></P><P>I will just explain by an example.</P><P></P><P>Lets say that you have "ICMP network scan" signature. A person in the internal vlan just launches an ICMP scan for some public IP addresses. Now since the ICMP scan was originated by the internal host and directed againt the external public IP, inside users will be termed as attackers and the targetted system as the victim.</P><P></P><P>Just another question, what signatures are causing your internal users as the attackers?</P><P></P><P>Regards</P></BODY></HTML> Tue, 30 Apr 2013 18:14:13 GMT https://community.cisco.com/t5/network-security/attackers-showing-inside-subnets/m-p/2156634#M53861 Sonugnair_2 2013-04-30T18:14:13Z