Sentinel Alert Reference

Reference information for the attack types and reputation-based rules unique to the Sentinel and the CINS community.

CINS Rogue Packet Activity & DPAM Rogue Packet Activity

Rogue Packet Activity alerts utilize a proprietary security methodology that identifies and mitigates malicious packet activity. When a packet is identified as ‘rogue’, it is immediately dropped, and its source IP is no longer permitted to communicate with the Sentinel’s protected network.

Rogue packet data across the entire network of Sentinel devices is used in conjunction with other trusted Internet security sources to provide reputation-based protection through our CINS system.

CINS Active Threat Intelligence

We are constantly analyzing alert data from our Sentinel network, and from our research we’ve identified certain groups of IPs – based on our specific score factors – that are malicious enough to be blocked immediately. These reputation-based rulesets generated by our CINS system are continuously fed back out to our Sentinel network, giving each of our Sentinel customers bullet-proof protection from some of the baddest actors on the planet. That’s why we call it active threat intelligence.

CINS Known Malicious Host

Collective Intelligence Network Security (CINS) is an IP reputation database that leverages Rogue Packet data from our network of Sentinel IPS devices and reputation-based information from other trusted Internet security sources. We analyze all the CINS data, and networks that we identify as particularly malicious are flagged as CINS Known Malicious Hosts. This list of networks is regularly distributed back to all the Sentinel devices, providing another layer of reputation-based protection for each Sentinel.

DPAM Known Compromised or Hostile Host

Distributed Pre-emptive Attack Mitigation (DPAM) refers to the ability of the Sentinel IPS to block a network before it has a chance to attempt an attack or send malicious traffic. This methodology utilizes various Internet security sources to create a comprehensive reputation-based blacklist of known malicious hosts. This list is updated regularly and distributed to each Sentinel device.

This activity can be either inbound or outbound. Outbound activity may indicate a compromised machine on the LAN of the protected network, and deserves review by a Network Administrator. The Sentinel will mark outbound alerts with an EPS badge.

EPS – Suspicious IP Address

A machine on the internal protected network is communicating with an IP address that is known to have been compromised.

EPS – High Priority Alerts

The alert level of this event is reserved for special EPS signatures that signify a potentially serious issue within the internal protected network. A machine on the internal network is sending packets to an external IP address that are consistent with malicious botnet or trojan traffic, and is likely compromised.

EPS (Extrusion Protection Sensor) signatures look for suspicious traffic originating from within your network, possibly from a computer on your LAN that might have been compromised by a botnet or trojan. These signatures are usually based on actual packet content or the reputation of the external IP address to which the internal machine is attempting to connect.
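As an added illustration (not Sentinel's or CINS's own code; the protected network, hostile networks and flow records are constructed), this Python sketch shows the direction logic described for DPAM and EPS alerts: each flow is checked against a hostile-network list, its direction is determined relative to the protected LAN, and outbound matches are badged EPS because they point to a possibly compromised internal host.

```python
# Added example (not Sentinel's own code): applying a reputation blocklist of
# hostile networks to flow records, classifying direction relative to the
# protected LAN and badging outbound matches as EPS for administrator review.
import ipaddress

# Constructed sample values; real DPAM/CINS lists are distributed by the vendor.
PROTECTED_NET = ipaddress.ip_network("10.20.0.0/16")
HOSTILE_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/25")]

# Constructed flow records: (src_ip, dst_ip, dst_port)
FLOWS = [
    ("198.51.100.7", "10.20.1.5", 445),      # inbound from a hostile net
    ("10.20.3.9", "203.0.113.44", 6667),     # outbound to a hostile net: EPS
    ("10.20.3.9", "93.184.216.34", 443),     # outbound, not on the list
    ("203.0.113.200", "10.20.1.5", 22),      # outside the hostile /25, clean
]

RULE = "DPAM Known Compromised or Hostile Host"

def is_hostile(ip):
    """True if the address falls inside any listed hostile network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTILE_NETS)

def classify(src, dst, port):
    """Return an alert dict for a flow that matches the blocklist, else None."""
    src_internal = ipaddress.ip_address(src) in PROTECTED_NET
    dst_internal = ipaddress.ip_address(dst) in PROTECTED_NET
    if src_internal and not dst_internal and is_hostile(dst):
        # Internal host talking to a hostile peer: flag the internal host.
        return {"rule": RULE, "direction": "outbound", "badge": "EPS",
                "suspect_host": src, "peer": dst, "port": port}
    if dst_internal and not src_internal and is_hostile(src):
        # Hostile source hitting the protected network: drop, no EPS badge.
        return {"rule": RULE, "direction": "inbound", "badge": None,
                "suspect_host": dst, "peer": src, "port": port}
    return None

def evaluate(flows):
    """Run every flow through classify() and keep only the alerts."""
    return [a for a in (classify(*f) for f in flows) if a]

if __name__ == "__main__":
    for alert in evaluate(FLOWS):
        print(alert)
```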