Unusual server port activity Internal Alerts Potential False Positives

cancel
Showing results for 
Search instead for 
Did you mean: 

Unusual server port activity Internal Alerts Potential False Positives

L2 Linker

I have the thresholds for Unusual Server Port Internal activity set to the most conservative settings to minimize false positives but it seems like the highest port consistently gets flagged as "unusual".  In the example below there are 15 ports labeled as usual and the Kafka port (9092) is being flagged as unusual.  Upon further investigation we always find out that this is the intended purpose and traffic volumes support that this is normal activity.  For example another similar alert was fired off on MongoDB but going into the investigate tab I can see months and hundreds of Gb of Mongo DB traffic so it should NOT have flagged this traffic coming from a host labeled as MongoDB (not that the naming convention has anything to do with it but I had to figure out if the resource this was connected to was legit a MongoDB server and client).

I may enter a feature request to give "allowed ports" check box based on alerts generated for Unusual server port Internal.

 

 

UnusualHighPortActivity.png

0 REPLIES 0
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!