Intrusion Detection System Alerts (Malicious Traffic)


Shortly after setting up our Route10 and S24-PoE switch, we’ve been receiving alerts from the Intrusion Detection System regarding “potentially malicious traffic.” I receive dozens of emails a day about it, and I’m unsure what to do regarding it. The one that has been constant is “ET INFO OpenVPN Update Check”—which derives from a family member’s work laptop, and they apparently can’t modify the OpenVPN app. Within just the last few days, we’re now receiving new alerts from “ET USER_AGENTS Steam HTTP Client User-Agent”.

The “Destination” IP for the OpenVPN & Steam alerts has a constantly changing port number.

Are these things I should be concerned about? I’m unfamiliar with what to do in this scenario. Thank you!

If you’ve validated that the traffic is legitimate, you can ignore it moving forward.

From https://manage.alta.inc:

  1. Click the Alerts button in the upper right-hand corner
  2. Locate that alert in the list
  3. Then click the eyeball icon to ignore that triggered rule

As a side note, it’s relatively common for ports to get randomized depending on which way the traffic is moving and the protocol in use. Typically the outbound request will have a specific port (e.g. 80 for HTTP or 443 for HTTPS) and the return traffic may have a randomized port.
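An added example, not code from the original thread or from Alta Labs, of how to check the "constantly changing port" observation against the alerts themselves before deciding to ignore a rule. It assumes the alerts can be exported in Suricata's EVE JSON layout (the Alta controller's own export format is not described on this page), treats ports at or above 32768 as client-side ephemeral ports (Linux defaults to 32768-60999, Windows to 49152-65535), and runs over constructed sample events: the two Emerging Threats signature names are real rule titles, the third signature is a placeholder, and every address, port, timestamp and category value is made up.

```python
import json
from collections import defaultdict

EPHEMERAL_MIN = 32768  # assumption: ports >= this are client-side ephemeral ports

OPENVPN = "ET INFO OpenVPN Update Check"
STEAM = "ET USER_AGENTS Steam HTTP Client User-Agent"
PLACEHOLDER = "EXAMPLE placeholder scan-like rule"  # not a real ET signature


def _ev(ts, src_ip, src_port, dest_ip, dest_port, sig, category, severity=3):
    """Build one constructed EVE-style 'alert' line in Suricata's field layout."""
    return json.dumps({
        "timestamp": ts, "event_type": "alert", "proto": "TCP",
        "src_ip": src_ip, "src_port": src_port,
        "dest_ip": dest_ip, "dest_port": dest_port,
        "alert": {"signature": sig, "category": category, "severity": severity},
    })


# Constructed sample data (not captures from the poster's network).
SAMPLE_EVE_LINES = [
    # One LAN host, one fixed service port (443), source port churning per connection.
    _ev("2024-05-01T09:00:01Z", "192.168.1.50", 51234, "203.0.113.10", 443, OPENVPN, "Misc activity"),
    _ev("2024-05-01T10:00:02Z", "192.168.1.50", 51290, "203.0.113.10", 443, OPENVPN, "Misc activity"),
    _ev("2024-05-01T11:00:03Z", "192.168.1.50", 51301, "203.0.113.10", 443, OPENVPN, "Misc activity"),
    # Different LAN host, plain HTTP, same client-side pattern.
    _ev("2024-05-01T18:30:00Z", "192.168.1.77", 58800, "198.51.100.20", 80, STEAM, "Misc activity"),
    _ev("2024-05-01T18:30:05Z", "192.168.1.77", 58812, "198.51.100.20", 80, STEAM, "Misc activity"),
    # Opposite shape: fixed source port, destination port walking through low
    # service ports. Constructed to show what should NOT be waved through.
    _ev("2024-05-01T02:00:00Z", "192.168.1.90", 40000, "203.0.113.99", 22, PLACEHOLDER, "Attempted Information Leak", 2),
    _ev("2024-05-01T02:00:01Z", "192.168.1.90", 40000, "203.0.113.99", 23, PLACEHOLDER, "Attempted Information Leak", 2),
    _ev("2024-05-01T02:00:02Z", "192.168.1.90", 40000, "203.0.113.99", 3389, PLACEHOLDER, "Attempted Information Leak", 2),
    # A non-alert event type and a corrupt line, both of which the parser must skip.
    '{"timestamp":"2024-05-01T02:00:03Z","event_type":"flow","src_ip":"192.168.1.90","dest_ip":"203.0.113.99"}',
    "not json at all",
]


def parse_eve(lines):
    """Return only the 'alert' events from EVE JSON lines, skipping other types and bad lines."""
    events = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") == "alert":
            events.append(ev)
    return events


def port_profile(events):
    """Work out which end of the connection holds the fixed service port and which end churns.

    Normal client traffic has exactly one fixed (service) port and the other side in
    the ephemeral range; the alert may be logged in either direction, so both are checked.
    """
    src_ports = {e["src_port"] for e in events}
    dest_ports = {e["dest_port"] for e in events}
    if len(dest_ports) == 1 and min(src_ports) >= EPHEMERAL_MIN:
        return {"service_port": next(iter(dest_ports)), "churning_side": "src", "client_churn": True}
    if len(src_ports) == 1 and min(dest_ports) >= EPHEMERAL_MIN:
        return {"service_port": next(iter(src_ports)), "churning_side": "dest", "client_churn": True}
    churning = [side for side, ports in (("src", src_ports), ("dest", dest_ports)) if len(ports) > 1]
    return {"service_port": None, "churning_side": ",".join(churning) or "none", "client_churn": False}


def triage(lines):
    """Group alerts by signature and attach counts, endpoints and the port verdict."""
    groups = defaultdict(list)
    for ev in parse_eve(lines):
        groups[ev["alert"]["signature"]].append(ev)
    report = {}
    for sig, evs in groups.items():
        report[sig] = {
            "count": len(evs),
            "category": evs[0]["alert"]["category"],
            "sources": sorted({e["src_ip"] for e in evs}),
            "destinations": sorted({e["dest_ip"] for e in evs}),
            **port_profile(evs),
        }
    return report


if __name__ == "__main__":
    for sig, info in triage(SAMPLE_EVE_LINES).items():
        verdict = "normal client port churn" if info["client_churn"] else "REVIEW: unusual port pattern"
        print(f"{info['count']:>3}x {sig}")
        print(f"     {info['sources']} -> {info['destinations']}, "
              f"service port {info['service_port']}, {verdict}")
```

The verdict only says whether the port behaviour matches an ordinary client talking to one service; it does not say the software is wanted. A rule whose alerts come from one known host, to one fixed service port, with only the client-side port changing, is the shape the answer above describes and is a reasonable candidate for the ignore button. A rule where the destination port itself walks through service ports from a fixed source, or where several local hosts suddenly start tripping it, is worth looking at before it is silenced.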

Thank you! In a scenario where it is not legitimate, aside from removing the software or device from network access, is there anything else I should do to remedy the ‘potentially malicious traffic’? Or is simply removing it all that I should worry about?

That should be sufficient. Of course, we recommend taking a look at the alert and determining whether it’s legitimate or not.