2 Replies Latest reply on Oct 18, 2012 3:30 AM by bigpunn25

    HTTPClientAccess Alerts After some advice

    bigpunn25

      I'm after some advice please. I'm seeing a lot of alerts being generated under the default filter called HTTPClientAccess (inference rule "Web Traffic Content Filter Infer HTTP Client Access alert"), going outbound to a whole range of different IP addresses.

      I've read the descriptive text next to the alert, which gives a bit more information on what it means, and the fact that the alerts reflect malicious or abusive usage of network resources.

      But what I'm trying to find out is the best way to prevent this error and put measures in place; I'm getting about 300 alerts a day just for this one filter. I think this has always been an issue since SolarWinds Log and Event Manager was installed. Just wondering if anyone else has come across this before and what measures they put in place other than ensuring the servers are all patched.

      Many thanks,

      Simon

        • Re: HTTPClientAccess Alerts After some advice
          nicole pauls

          Hey Simon,

          What's probably happening here is that the default rule looking for excessive web traffic from the same system needs to be tweaked or disabled for your environment. (Congratulations, you see a lot of web traffic!?)

          The rule basically says: if you receive more than 10 web requests from the same person in 10 seconds from the proxy server/content filter, escalate it to suspicious activity. The 10 in 10 seconds might need to be higher (or disabled if you don't care about that sort of thing). This rule lives in SolarWinds Rules and is called "Web Traffic Content Filter Infer HTTP Client Access alert". You can disable it there, then clone a copy and tweak the threshold if you want to keep it around.
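The logic Nicole describes is a per-source count over a sliding time window: more than N requests from one client within W seconds escalates to suspicious activity. The Python below is an added illustration of that kind of correlation rule, not SolarWinds LEM code, and it shows why a single page load with many sub-resources trips a 10-in-10-seconds threshold while a slower browser does not. The proxy log format, the hosts 10.0.0.5 and 10.0.0.9, and the `tune_threshold` helper are all constructed assumptions for the example; the helper counts alerts at several candidate thresholds so you can see how much raising the value reduces noise before cloning and tweaking the rule.

```python
"""Sliding-window threshold detector modelling the 'N requests in W seconds' rule.

Added example, not SolarWinds LEM code. The log format and the client
addresses 10.0.0.5 / 10.0.0.9 are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed proxy/content-filter lines: <ISO timestamp> <client> <method> <url> <status>.
# 10.0.0.5 loads one intranet page whose sub-resources arrive as 12 requests in 3 s;
# 10.0.0.9 browses slowly, one request every half minute or so.
SAMPLE_LOG = """\
2012-10-17T09:00:00 10.0.0.5 GET http://intranet.example/index.html 200
2012-10-17T09:00:00 10.0.0.5 GET http://intranet.example/site.css 200
2012-10-17T09:00:00 10.0.0.5 GET http://intranet.example/app.js 200
2012-10-17T09:00:01 10.0.0.5 GET http://intranet.example/logo.png 200
2012-10-17T09:00:01 10.0.0.5 GET http://intranet.example/banner.png 200
2012-10-17T09:00:01 10.0.0.5 GET http://intranet.example/icons.png 200
2012-10-17T09:00:02 10.0.0.5 GET http://intranet.example/font.woff 200
2012-10-17T09:00:02 10.0.0.5 GET http://intranet.example/api/menu 200
2012-10-17T09:00:02 10.0.0.5 GET http://intranet.example/api/news 200
2012-10-17T09:00:03 10.0.0.5 GET http://intranet.example/api/user 200
2012-10-17T09:00:03 10.0.0.5 GET http://intranet.example/api/notifications 200
2012-10-17T09:00:03 10.0.0.5 GET http://intranet.example/footer.png 200
2012-10-17T09:00:05 10.0.0.9 GET http://vendor.example/docs 200
2012-10-17T09:00:40 10.0.0.9 GET http://vendor.example/docs/page2 200
2012-10-17T09:01:10 10.0.0.9 GET http://vendor.example/download 200
"""


def parse_line(line):
    """Return (timestamp, client_ip, url) from one constructed log line."""
    ts, client, _method, url, _status = line.split()
    return datetime.fromisoformat(ts), client, url


def threshold_alerts(lines, threshold=10, window_seconds=10):
    """Emit one alert per client each time more than `threshold` requests from
    that client fall within `window_seconds`. Lines must be time-ordered, as
    they are when read sequentially from the proxy log."""
    recent = defaultdict(deque)  # client -> timestamps still inside the window
    alerts = []
    for line in lines:
        ts, client, _url = parse_line(line)
        q = recent[client]
        q.append(ts)
        # Drop timestamps that have aged out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            alerts.append({"client": client, "at": ts.isoformat(), "count": len(q)})
            q.clear()  # re-arm: fire once per burst rather than on every extra request
    return alerts


def tune_threshold(lines, thresholds, window_seconds=10):
    """Alert count for each candidate threshold, to pick a value that fits the
    environment before cloning and tweaking the rule."""
    lines = list(lines)
    return {t: len(threshold_alerts(lines, t, window_seconds)) for t in thresholds}


if __name__ == "__main__":
    log_lines = SAMPLE_LOG.splitlines()
    for alert in threshold_alerts(log_lines):
        print("suspicious activity:", alert)
    print("alerts per threshold:", tune_threshold(log_lines, [5, 10, 20, 50]))
```

With the default 10-in-10 setting the single page load by 10.0.0.5 fires once (the 11th request), while 10.0.0.9 never does; at a threshold of 20 the same log produces no alerts. Running the real proxy logs for a day through the same kind of count is a quick way to choose a threshold for the cloned rule that still catches genuine bursts without the 300 alerts a day Simon describes.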