© SOLIDA SYSTEMS INTERNATIONAL 2017
9.2.3 Critical severity (colored red in the GUI)
Critical events are generated when the appliance detects malicious activity occurring inside the
network. This indicates that the network has been compromised. Where malware is already
present, user intervention is required to remove it. Examples of such events are DNS queries
generated by a ransomware DGA engine, or malware attempting to connect to a C2 server.
All network packets resulting in critical events are automatically dropped to mitigate further
infection of the network. The event includes the source and destination IP addresses of the
offending packets, which allows for prompt identification of the infected computer on the
network. The user will be required to remove the malware from the infected computer using a
suitable removal tool.
All events can be viewed using the monitor application included with the appliances. Optionally,
emails containing the event count and severity can be automatically generated and sent out. A
mobile phone application is also available that allows the user to monitor events in real time.
9.3 Source and Destination IP Addresses
Each rule event includes the source and destination IP addresses of the packet that generated
the rule hit. Logging these IP addresses allows for a more detailed examination of the source of
the threat. The Internet offers many “WhoIs” services where an IP address can be entered for
analysis. This information also includes geographical information regarding an IP address.
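The triage workflow described in 9.2.3 and 9.3 (critical events for DGA DNS queries and C2 connections, then using the logged source IP to find the infected host), as an added example that is not part of this manual or of the appliance's software. The event line layout and the sample lines are constructed for illustration; the appliance's real export format is not documented here.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample events in an assumed "SEVERITY src dst detail" layout.
SAMPLE_EVENTS = """\
CRITICAL 192.168.1.23 8.8.8.8 dns-query=xk3jq9vbz2lwp7t.com
CRITICAL 192.168.1.23 8.8.8.8 dns-query=q8zv1mx0rpl4ywk.net
CRITICAL 192.168.1.57 203.0.113.9 c2-connect=tcp/443
MEDIUM 192.168.1.8 198.51.100.4 signature=suspicious-useragent
LOW 192.168.1.8 198.51.100.4 signature=port-scan
""".splitlines()

LINE_RE = re.compile(r"^(?P<sev>\w+) (?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<detail>.+)$")


def parse_event(line):
    """Return a dict with sev/src/dst/detail, or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def label_entropy(name):
    """Shannon entropy (bits per character) of the leftmost DNS label.
    DGA-generated names tend to score much higher than human-chosen ones."""
    label = name.split(".")[0].lower()
    n = len(label)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def severity_counts(lines):
    """Per-severity event counts, e.g. for the summary e-mail described in 9.2.3."""
    return Counter(e["sev"] for e in map(parse_event, lines) if e)


def infected_hosts(lines):
    """Source IPs that produced critical events, mapped to the reasons, so the
    operator knows which machines need malware removal (9.2.3 / 9.3)."""
    hosts = defaultdict(list)
    for e in map(parse_event, lines):
        if e and e["sev"] == "CRITICAL":
            hosts[e["src"]].append(e["detail"])
    return dict(hosts)
```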