
UniFi IDS/IPS Explained: What Those Alerts Actually Mean

Demystifying UniFi's intrusion detection system and how to respond to common alerts.

Tony Martinez

#ids #ips #security #threats

UniFi’s built-in Intrusion Detection and Prevention System (IDS/IPS) is a powerful feature, but the alerts it generates can be confusing. Let’s break down what these alerts mean and how to respond appropriately.

Understanding Severity Levels

UniFi categorizes alerts into severity levels:

  • Critical: Immediate action required - active attacks or confirmed compromises
  • High: Serious threats that need prompt investigation
  • Medium: Suspicious activity worth reviewing
  • Low: Informational events, often false positives

Common Alert Categories

ET (Emerging Threats) Rules

The most common alerts you’ll see start with “ET” - these come from the Emerging Threats ruleset:

  • ET SCAN: Port scanning or reconnaissance activity
  • ET TROJAN: Known malware command-and-control traffic
  • ET POLICY: Policy violations (not necessarily malicious)
  • ET WEB_SERVER: Attacks targeting web servers

How to Investigate

When you receive an IDS alert in Sentinel Nerd:

  1. Check the source and destination IPs - is this internal or external traffic?
  2. Review the full packet data - what was the actual payload?
  3. Look for patterns - is this a one-time event or repeated?
  4. Check threat intelligence - is the IP known malicious?

Sentinel Nerd enriches every alert with threat intelligence from AbuseIPDB and VirusTotal, making investigation faster.

Reducing False Positives

Some alerts are triggered by legitimate traffic. Common causes:

  • Security scanners (Nessus, Qualys) running vulnerability assessments
  • Penetration testing tools
  • Certain gaming or streaming traffic
  • VPN connections

You can create suppression rules in Sentinel Nerd to filter out known-good traffic while keeping your security posture strong.
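The four investigation steps above and the suppression idea, worked through as an added example (not Sentinel Nerd or UniFi code): a Python triage pass over constructed alert records that classifies traffic direction from the IPs, groups repeats per source and ET category, and drops alerts that match a hypothetical known-good scanner. The record fields, the suppression entry and the sample addresses are assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# RFC 1918 ranges: an address inside one of these counts as internal.
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical suppression rule: an internal vulnerability scanner whose ET SCAN hits are expected.
SUPPRESS = {("10.0.5.20", "SCAN")}

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

def et_category(signature):
    """'ET TROJAN Known C2 Beacon' -> 'TROJAN'; non-ET signatures return None."""
    parts = signature.split(" ", 2)
    return parts[1] if len(parts) > 1 and parts[0] == "ET" else None

def direction(src, dst):
    """Step 1: which way is the traffic going relative to the internal network?"""
    if is_internal(src) and is_internal(dst):
        return "lateral"
    return "outbound" if is_internal(src) else "inbound"

def triage(alerts, repeat_threshold=3):
    """Group by (src, ET category, direction), drop suppressed pairs, flag repeats (step 3)."""
    counts = Counter(
        (a["src"], et_category(a["signature"]), direction(a["src"], a["dst"])) for a in alerts
    )
    results = []
    for (src, cat, dirn), n in counts.items():
        if (src, cat) in SUPPRESS:
            continue  # known-good traffic covered by a suppression rule
        results.append({"src": src, "category": cat, "direction": dirn,
                        "count": n, "repeated": n >= repeat_threshold,
                        # outbound C2-style traffic points at an infected internal host
                        "review_first": cat == "TROJAN" and dirn == "outbound"})
    return sorted(results, key=lambda r: (-r["review_first"], -r["count"], r["src"]))

# Constructed sample alerts (documentation addresses, not real traffic).
SAMPLE_ALERTS = [
    {"src": "203.0.113.7", "dst": "192.168.1.10", "signature": "ET SCAN Potential SSH Scan"},
    {"src": "203.0.113.7", "dst": "192.168.1.10", "signature": "ET SCAN Potential SSH Scan"},
    {"src": "203.0.113.7", "dst": "192.168.1.11", "signature": "ET SCAN Potential SSH Scan"},
    {"src": "192.168.1.42", "dst": "198.51.100.9", "signature": "ET TROJAN Known C2 Beacon"},
    {"src": "10.0.5.20", "dst": "192.168.1.10", "signature": "ET SCAN Nessus User-Agent"},
    {"src": "192.168.1.55", "dst": "198.51.100.20", "signature": "ET POLICY Dropbox Client Sync"},
]
```

Calling `triage(SAMPLE_ALERTS)` puts the outbound TROJAN hit from 192.168.1.42 first, the repeated inbound scan second, and omits the suppressed scanner entirely; step 4 (threat intelligence lookup) is left to the enrichment Sentinel Nerd already performs.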

Taking Action

With Sentinel Nerd’s Active Response feature, you can automatically:

  • Block malicious IPs at the firewall
  • Quarantine infected devices to a restricted VLAN
  • Disable compromised user credentials
  • Send alerts to your security team

Configure response actions in Settings > Active Response to automate your incident response workflow.
