Couldn't crosspost from r/cybersecurity, so this is a copy/paste from my original question.
I've got Security Onion running on my network, and Sunday night I noticed that it had generated over 3.2 million Suricata alerts between my NAS and vSphere servers: "GPL ATTACK_RESPONSE id check returned root", which is from my vSphere to the NAS. In addition, I have 3 alerts for "GoRAT Network Trojan Detected" from my NAS to my vSphere, and 3 alerts for "GPL SHELLCODE x86 0xEB0C NOOP", both from my NAS to my vSphere.
During investigation, I learned our vSphere backs up to the NAS in question, which in my head makes sense: the vSphere accesses the NAS with root to run backups, save data to the drive and whatnot. But why the GoRAT and shellcode alerts? I mean, I understand they are attack alerts. I assume the shellcode alert triggered because one of the memory instructions matched the alert rule, and for GoRAT a signature matched from the GitHub for the FireEye stolen tools, but surely this is a false positive? We would see the same RAT alerts from the vSphere to a remote host, right? All of the alerts happened around the same time, so I figured it was a lot of false positives, and I was hoping someone could check my thinking. Thanks.
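A triage helper in the spirit of the question, added here as an example and not part of the original post: it groups Suricata eve.json alerts by signature and host pair, tags the pairs that belong to a known backup job, and emits candidate threshold.config suppress lines only for signatures that never fired outside those pairs. The addresses, eve.json lines and signature IDs are constructed; only the signature names come from the post.

```python
import json
from collections import Counter

# Constructed eve.json lines (not real captures): 10.0.0.10 stands in for the
# NAS, 10.0.0.20 for the vSphere host; signature IDs are made-up placeholders.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"10.0.0.20","dest_ip":"10.0.0.10","alert":{"signature_id":9000001,"signature":"GPL ATTACK_RESPONSE id check returned root"}}
{"event_type":"alert","src_ip":"10.0.0.20","dest_ip":"10.0.0.10","alert":{"signature_id":9000001,"signature":"GPL ATTACK_RESPONSE id check returned root"}}
{"event_type":"alert","src_ip":"10.0.0.10","dest_ip":"10.0.0.20","alert":{"signature_id":9000002,"signature":"GoRAT Network Trojan Detected"}}
{"event_type":"alert","src_ip":"10.0.0.10","dest_ip":"10.0.0.20","alert":{"signature_id":9000003,"signature":"GPL SHELLCODE x86 0xEB0C NOOP"}}
{"event_type":"alert","src_ip":"10.0.0.10","dest_ip":"203.0.113.5","alert":{"signature_id":9000002,"signature":"GoRAT Network Trojan Detected"}}
{"event_type":"flow","src_ip":"10.0.0.10","dest_ip":"10.0.0.20","proto":"TCP"}
"""
# Host pairs whose traffic is a known backup job (direction-independent).
KNOWN_BACKUP_FLOWS = {frozenset({"10.0.0.10", "10.0.0.20"})}


def parse_alerts(eve_text):
    """Keep only event_type=alert records from newline-delimited eve.json."""
    events = (json.loads(ln) for ln in eve_text.splitlines() if ln.strip())
    return [e for e in events if e.get("event_type") == "alert"]


def triage(alerts, known_flows):
    """Count alerts per (signature, src, dest); False tags need a payload review."""
    counts = Counter((a["alert"]["signature"], a["src_ip"], a["dest_ip"]) for a in alerts)
    return {k: {"count": n, "expected_flow": frozenset(k[1:]) in known_flows}
            for k, n in counts.items()}


def suppress_candidates(alerts, known_flows):
    """threshold.config suppress lines for sids seen ONLY between known backup pairs."""
    per_sid = {}
    for a in alerts:
        sid, src = a["alert"]["signature_id"], a["src_ip"]
        inside = frozenset({src, a["dest_ip"]}) in known_flows
        info = per_sid.setdefault(sid, {"inside": True, "srcs": set()})
        info["inside"] &= inside  # one hit outside the pair disqualifies the sid
        info["srcs"].add(src)
    return sorted(f"suppress gen_id 1, sig_id {sid}, track by_src, ip {src}"
                  for sid, info in per_sid.items() if info["inside"]
                  for src in info["srcs"])


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_EVE)
    for k, info in sorted(triage(alerts, KNOWN_BACKUP_FLOWS).items()):
        print(f"{info['count']:>3} expected={info['expected_flow']!s:<5} {k}")
    print("\n".join(suppress_candidates(alerts, KNOWN_BACKUP_FLOWS)))
```

In this sample the GoRAT signature also appears toward an outside host, so it is deliberately left out of the suppress list; that is exactly the check the post's reasoning about remote hosts points to.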