IPS Alerts on Suspicious Traffic From iSCSI or Storage Networks
Article ID: 422776


Products

VMware vSphere ESXi

Issue/Introduction

  • You are alerted that suspicious traffic emanating from iSCSI or storage VMkernel (VMK) networks has been found.
  • The alert may lead you to believe that the suspicious traffic is generated by the ESXi host on which the VMkernel interface assigned to that IP address resides.

Environment

VMware ESXi 8.x

Cause

Although the IPS flags traffic as coming from a storage VMkernel IP, this is a false positive. The actual cause is one of the following:

  • A Virtual Machine is generating spoofed or misleading traffic: compromised or misconfigured VMs may send traffic using forged source IPs, including storage network addresses.
  • IPS inspection on storage networks leads to misclassification: storage protocols are not designed to be inspected by IPS/IDS tools, so normal storage traffic can appear suspicious.

Resolution

  • Exclude storage VLANs from IPS/IDS inspection: backend storage networks (iSCSI/NFS) should not be inspected by IPS tools due to protocol behavior and false positives.
  • Investigate the Virtual Machine generating the flagged traffic: review OS logs, running processes, outbound connections, and indicators of compromise.
  • ESXi is not generating the traffic, and host-level artifacts will not provide additional insight.
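The triage decision described in the Cause and Resolution sections can be scripted so that each alert is routed either to an IPS exclusion or to a VM investigation. The following is an added example, not part of this article or of any VMware tooling. It assumes a VMkernel inventory (interface name, IP and MAC) that an administrator has already exported per host, and a list of storage subnets; the alert records, inventory and subnet values are constructed sample data. The MAC comparison is the assumption that makes the split: a packet carrying a storage VMK IP but a MAC that is not the VMK's own MAC was not sent by the ESXi host, so the VM side is where the investigation belongs.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed storage subnets (assumption: iSCSI/NFS VLANs live in these ranges).
STORAGE_SUBNETS = [ipaddress.ip_network("10.20.30.0/24"),
                   ipaddress.ip_network("10.20.31.0/24")]

# Constructed VMK inventory keyed by host; shape is an assumption, not a VMware export format.
VMK_INVENTORY = {
    "esx01": [{"name": "vmk1", "ip": "10.20.30.11", "mac": "00:50:56:6a:11:11"},
              {"name": "vmk2", "ip": "10.20.31.11", "mac": "00:50:56:6a:11:12"}],
    "esx02": [{"name": "vmk1", "ip": "10.20.30.12", "mac": "00:50:56:6a:12:11"}],
}

# Verdicts map directly onto the Resolution steps above.
IPS_EXCLUSION = "storage_protocol_misclassification"   # exclude the storage VLAN from inspection
VM_INVESTIGATION = "vm_spoofed_source"                  # investigate the VM, not the ESXi host
UNKNOWN_STORAGE_SENDER = "unknown_sender_on_storage_vlan"
NOT_STORAGE = "not_storage_traffic"


@dataclass
class Alert:
    src_ip: str
    src_mac: Optional[str]   # None when the IPS alert carries no layer-2 detail
    signature: str


def find_vmk_owner(ip: str, inventory: Dict[str, List[dict]]) -> Optional[dict]:
    """Return {'host': ..., 'vmk': ...} for the VMkernel interface that owns the IP."""
    for host, vmks in inventory.items():
        for vmk in vmks:
            if vmk["ip"] == ip:
                return {"host": host, "vmk": vmk}
    return None


def classify_alert(alert: Alert, inventory=VMK_INVENTORY, subnets=STORAGE_SUBNETS) -> str:
    """Route an IPS alert to the appropriate follow-up action."""
    src = ipaddress.ip_address(alert.src_ip)
    if not any(src in net for net in subnets):
        return NOT_STORAGE
    owner = find_vmk_owner(alert.src_ip, inventory)
    if owner is None:
        # Storage VLAN address that no VMK owns: something else is talking on that VLAN.
        return UNKNOWN_STORAGE_SENDER
    if alert.src_mac is not None and alert.src_mac.lower() != owner["vmk"]["mac"].lower():
        # The VMK IP was used, but the frame did not come from the VMK's own MAC:
        # a VM on the host forged the source address.
        return VM_INVESTIGATION
    # Genuine VMK-originated storage traffic flagged by the IPS: classic false positive.
    return IPS_EXCLUSION


def triage(alerts: List[Alert]) -> Dict[str, List[str]]:
    """Group alert signatures by verdict for the SOC queue."""
    buckets: Dict[str, List[str]] = {}
    for a in alerts:
        buckets.setdefault(classify_alert(a), []).append(a.signature)
    return buckets


if __name__ == "__main__":
    # Constructed sample alerts.
    sample = [
        Alert("10.20.30.11", "00:50:56:6a:11:11", "iSCSI login storm"),
        Alert("10.20.30.11", "00:0c:29:aa:bb:cc", "outbound port scan"),
        Alert("192.168.5.7", None, "DNS tunneling"),
        Alert("10.20.30.99", "00:0c:29:dd:ee:ff", "SMB brute force"),
    ]
    for verdict, sigs in triage(sample).items():
        print(f"{verdict}: {sigs}")
```

Alerts landing in the `vm_spoofed_source` bucket are the ones where host-level artifacts will not help; the VM that owns the offending MAC is the next pivot. Alerts in `storage_protocol_misclassification` are candidates for the storage VLAN exclusion policy.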

Additional Information

  • False positives on storage networks are common when IPS inspection is enabled.
  • Spoofed traffic from a Virtual Machine is the most likely source of alerts.
  • Ensuring proper VLAN segmentation and IPS exclusion policies can prevent recurrence.