I am receiving massive amounts of denied TCP packets and Telnet requests from outside sources, e.g. Russia, Germany, the Netherlands, Venezuela, and some US states. These alerts are coming from a custom filter I created: "TCPTrafficAudit.DestinationMachine=Internal IP".
Apart from creating geo-blocks and restrictions on my firewalls to blacklist these areas sending packets, is there a configuration I can set on the LEM to block all of these requests? Blocking by IP would not work because of the scope of the different subnets and blocks flying at me, but possibly an association with the process or the alert type?
Please let me know what you think.
Thank you,
Nickolas