Matt Roberts
Beginner

Attackers showing inside subnets

All my attackers' IP addresses are from my inside network. I never have an external IP show up as an attacker; it's all internal. Then the victims are showing external IP addresses. Shouldn't it be the other way around, most of the time?

1 REPLY
Sonugnair_2
Beginner

Hi Matt,

I will just explain by an example.

Let's say that you have "ICMP network scan" signature. A person in the internal vlan just launches an ICMP scan for some public IP addresses. Now since the ICMP scan was originated by the internal host and directed against the external public IP, inside users will be termed as attackers and the targeted system as the victim.

Just another question, what signatures are causing your internal users as the attackers?

Regards
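
One way to answer the reply's follow-up question from exported alert data, as an added example that is not part of the original thread or any Cisco tooling: it labels each alert by traffic direction and lists the inside hosts whose alerts on a single signature span several external victims. The alert tuple layout, the internal ranges, the signature names other than "ICMP network scan", and the `min_victims` threshold are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: internal address space; replace with your own inside subnets.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample alerts (signature, attacker IP, victim IP); not real sensor output.
SAMPLE_ALERTS = [
    ("ICMP network scan", "10.1.20.15", "198.51.100.7"),
    ("ICMP network scan", "10.1.20.15", "198.51.100.8"),
    ("ICMP network scan", "10.1.20.15", "198.51.100.9"),
    ("ICMP network scan", "10.1.30.4", "203.0.113.50"),
    ("Example inbound signature", "203.0.113.99", "10.1.40.2"),
    ("Example internal signature", "10.1.20.15", "10.1.40.2"),
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def direction(attacker, victim):
    """Label an alert by where the triggering traffic started and where it went."""
    src = "inside" if is_internal(attacker) else "outside"
    dst = "inside" if is_internal(victim) else "outside"
    return f"{src}->{dst}"

def outbound_summary(alerts):
    """For inside->outside alerts, map signature -> attacker -> set of external victims."""
    summary = defaultdict(lambda: defaultdict(set))
    for sig, attacker, victim in alerts:
        if direction(attacker, victim) == "inside->outside":
            summary[sig][attacker].add(victim)
    return summary

def hosts_to_review(alerts, min_victims=3):
    """Inside hosts whose alerts on one signature span at least min_victims external IPs."""
    return sorted(
        (attacker, sig, len(victims))
        for sig, per_host in outbound_summary(alerts).items()
        for attacker, victims in per_host.items()
        if len(victims) >= min_victims
    )

if __name__ == "__main__":
    for attacker, sig, n in hosts_to_review(SAMPLE_ALERTS):
        print(f"{attacker}: '{sig}' against {n} external addresses")
```
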