critical alert in SIEM
Hello. I have SIEM software that gets syslog data from a SonicWall 5650. I have GeoIP enabled. I see "attacks" registered from Brazil. If Brazil is blocked, shouldn't these events not even show up and just get dropped? Or is this logging showing the drop? Thanks.
jgrimes SonicWall Employee
Think of it this way. The firewall can't drop it until it arrives at the firewall. If you have logging enabled on Geo-IP, you would see an entry stating that it dropped an IP from a blocked country. Same goes for your SIEM, I would expect.
TKWITS Community Legend ✭✭✭✭✭
To expand on what JGRIMES said:
What you are seeing is what the IPS engine is reporting, as evidenced by the 'description'. Technically, an echo-reply is not an 'attack'; the IPS engine is just identifying it as such. You can either configure the SonicWall IPS feature to not log echo-replies as attacks, or tell the SIEM to ignore similar reports.
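The second option above, filtering on the SIEM side, can be illustrated with a small parser for key=value style firewall syslog. This is an added example and not code from the thread or from SonicWall; the sample lines, message ids, addresses and the exact `msg` wording are constructed, and the assumption is only that each event arrives as one line of `key=value` pairs with a `msg` field. It separates the Geo-IP drop entries (the firewall logging a block it performed) from IPS alerts, and suppresses the echo-reply ones.

```python
import re

# Constructed sample events in a key=value syslog style. Message ids, serial
# numbers, addresses and message text are made up for this example.
SAMPLE_SYSLOG = [
    'id=firewall sn=0000000000 time="2024-05-01 10:00:01 UTC" pri=1 m=9001 '
    'msg="IPS Detection Alert: ICMP Echo Reply" src=198.51.100.7 dst=203.0.113.10 '
    'proto=icmp note="Country: Brazil"',
    'id=firewall sn=0000000000 time="2024-05-01 10:00:02 UTC" pri=5 m=9002 '
    'msg="Geo-IP: Blocked connection from a blocked country" src=198.51.100.9 '
    'dst=203.0.113.10 proto=tcp note="Country: Brazil"',
    'id=firewall sn=0000000000 time="2024-05-01 10:00:03 UTC" pri=1 m=9001 '
    'msg="IPS Detection Alert: SMB Probe" src=192.0.2.44 dst=203.0.113.10 '
    'proto=tcp note="Country: Example"',
]

# key=value where the value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Split one syslog line into a dict of its key=value fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def classify(fields: dict) -> str:
    """Label an event by what the firewall is actually reporting."""
    msg = fields.get("msg", "")
    if msg.startswith("Geo-IP"):
        return "geoip_drop"          # the firewall logged a block it performed
    if msg.startswith("IPS Detection Alert"):
        if "echo reply" in msg.lower():
            return "ips_echo_reply"  # benign ICMP reply matched by an IPS signature
        return "ips_alert"
    return "other"


def triage(lines, suppress_echo_reply: bool = True):
    """Return (kept, suppressed) lists of (label, src, country) tuples.

    Geo-IP drops are kept for visibility (they confirm the block is working);
    IPS echo-reply alerts are suppressed when suppress_echo_reply is set.
    """
    kept, suppressed = [], []
    for line in lines:
        f = parse_line(line)
        label = classify(f)
        country = f.get("note", "").removeprefix("Country: ")
        entry = (label, f.get("src"), country)
        if label == "ips_echo_reply" and suppress_echo_reply:
            suppressed.append(entry)
        else:
            kept.append(entry)
    return kept, suppressed
```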