I'm after some advice please; I’m seeing a lot of alerts being generated
under the default filter called HTTPClientAccess, inferenceRule Web Traffic Content Filter Infer HTTP Client Access alert, going outbound to a whole range of different IP addresses.
I've read the descriptive text next to the alert which gives a bit more
information on what it means, and the fact the alerts reflect malicious or
abusive usage of network resources.
But what I’m trying to find out is what the best way is to prevent this
error and put measures in place; I’m getting about 300 alerts a day just for
this one filter. I think this has always been an issue since SolarWinds Log and
Event Manager was installed. Just wondering if anyone else has come across this
before and what measures they put in place other than ensuring the servers are
all patched.
Many Thanks,
Simon