
ExtremeAnalytics "Suspicious IP-ET"

Anonymous
Not applicable
Hi,

Have an entry in ExtremeManagement alarms that states the following:

code:
Alert Name:
Suspicious IP-ET

Seen Count:
85563

ThreatType:IP,ThreatSubType:,ThreatSeverity:Warning,ThreatSource:ET,ThreatInitiator: 222.222.222.222, ThreatInitiatorPort: 35596, ThreatTarget: 111.111.111.111, ThreatTargetPort: 80, Value: Suspicious IP: 222.222.222.222


I've changed the IP address to what's actually in the log.

Seems to suggest something untoward is happening to the customer's IP on port 80, but not sure exactly what and how Analytics is identifying it as suspicious.

Any ideas?

Many thanks
1 ACCEPTED SOLUTION

Ronald_Dvorak
Honored Contributor
Hi Martin,

If you check the alarm config you'd see that the alarm is triggered by "reputation threat detected".

A search in the XMC online help (put in the XMC IP) brings you to the "IP Reputation Dashboard" section.

https://:8443/Clients/help/content/oneview/docs/analytics/analytics_tab/dashboard/c_pur_analytics_tab_dashboard.htm?#IPRep




To me it looks like 222.222.222.222 is on the list of untrusted IPs (because it's from China?).

What I don't get is how I'd access this IP Reputation Dashboard because I don't see it on my XMC.

-Ron
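
Added example, not part of any post in this thread and not Extreme's code: a small Python parser for the alarm detail line quoted in the question, which counts alarms per flow and reports whether the flagged address was the initiator or the target of the connection. It assumes the `Value` field names the address that matched the reputation list; the second and third sample lines are constructed.

```python
from collections import Counter

# Alarm detail lines in the format quoted in the question. The first is the
# line from the post; the second and third are constructed variants.
SAMPLE = [
    "ThreatType:IP,ThreatSubType:,ThreatSeverity:Warning,ThreatSource:ET,"
    "ThreatInitiator: 222.222.222.222, ThreatInitiatorPort: 35596, "
    "ThreatTarget: 111.111.111.111, ThreatTargetPort: 80, "
    "Value: Suspicious IP: 222.222.222.222",
    "ThreatType:IP,ThreatSubType:,ThreatSeverity:Warning,ThreatSource:ET,"
    "ThreatInitiator: 222.222.222.222, ThreatInitiatorPort: 40112, "
    "ThreatTarget: 111.111.111.111, ThreatTargetPort: 80, "
    "Value: Suspicious IP: 222.222.222.222",
    "ThreatType:IP,ThreatSubType:,ThreatSeverity:Warning,ThreatSource:ET,"
    "ThreatInitiator: 111.111.111.111, ThreatInitiatorPort: 51000, "
    "ThreatTarget: 222.222.222.222, ThreatTargetPort: 443, "
    "Value: Suspicious IP: 222.222.222.222",
]


def parse_alarm(detail):
    """Turn one 'Key:value,Key: value' alarm detail string into a dict."""
    fields = {}
    for part in detail.split(","):
        # Split on the first colon only: the Value field contains a colon,
        # and ThreatSubType can be empty.
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def flagged_side(fields):
    """Report which end of the flow is the address named in Value."""
    # Assumption: 'Value: Suspicious IP: <addr>' names the list-matched address.
    listed = fields["Value"].partition(":")[2].strip()
    if listed == fields["ThreatInitiator"]:
        return "listed-is-initiator"  # flagged address opened the connection
    if listed == fields["ThreatTarget"]:
        return "listed-is-target"     # a local host connected to the flagged address
    return "unknown"


def summarize(details):
    """Count alarms per (flagged side, initiator, target, target port)."""
    counts = Counter()
    for detail in details:
        f = parse_alarm(detail)
        counts[(flagged_side(f), f["ThreatInitiator"], f["ThreatTarget"],
                int(f["ThreatTargetPort"]))] += 1
    return counts
```

`summarize(SAMPLE).most_common()` lists the busiest flows first, which helps separate a flagged address repeatedly hitting a published service from a local host reaching out to a flagged address.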


3 REPLIES

Anonymous
Not applicable
Added this to another post, but just repeating here for consistency:

https://community.extremenetworks.com/extrememanagement-230297/manage-suspicious-ip-et-continuous-ev...

I've created this dashboard through the report designer, which I believe gives me the detail on what the Suspicious IP-ET events are:



And pre-built one:


Anonymous
Not applicable
Hi Ron,

Sorry, didn't get back to you to say thanks for the reply... Thanks 🙂

Did you have any luck finding the dashboard? I'm running version 8.2.4.42 and still can't see it?

Perhaps it's due in a later release?

Thanks
