Untangle: Suspicious Alerts
Reference:
https://support.untangle.com/hc/en-us/articles/360004057653-What-do-Suspicious-Activity-Alerts-mean-
What Do Suspicious Activity Alerts Mean?
If you are receiving a Suspicious Activity alert, here is what you need to know.
Overview
Untangle has many default alerts configured. They are located under Config > Events > Alerts.
Two of the default alerts are labeled as "Suspicious Activity":
The default configuration for these alerts is set to notify you whenever the number of sessions from a single IP, to the specified protocol, exceeds a given threshold. In this case that threshold is 20 sessions over 60 seconds.
NOTE: These alerts will be triggered even if the Untangle blocked each session.
The only reason that one IP would ever hit that threshold is if they are attempting some sort of brute-force entry.
Was the traffic blocked?
Now you need to see if the session was allowed or if it was blocked. If you are currently logging blocked traffic, then you can look for that blocked session in the reports.
Enable Logging of Blocked Sessions
To determine if you are logging blocked traffic, go to Config > Network > Advanced > Options:
If you were already logging blocked sessions, you may be able to see the suspicious activity in the reports. If not, enabling it now will not help.
However, if you take the information provided by the alert that was sent to you, you can look in the reports to see what happened with it. If it was blocked and you are not logging blocked sessions, then you won't be able to find anything. (Which is GREAT!)
How to read Alert data
Here is how you can see what happened with that session.
In the alert below you will find a trove of information.
1. This is the destination IP of the session. It is the device that they were attempting to connect to. In reports this will be the "Server".
2. This is the IP of the device that was attempting to connect into your network. In reports, this will be "Client".
3. This is the exact time that the number of sessions reached the threshold to trigger the alert.
Taking the information from the alert, you can look into the reports for that date, time, and/or IP addresses.