The volume of alerts within that timeframe isn't too exceptional, but it still bears review. The first one is a little higher level than the second. The PROTOCOL-DNS alert was first discovered a few years back and is tagged as CVE-2015-7547. Not specifically a major threat, but there was a known vulnerability found a few years ago that affected quite a number of Cisco devices. More information on that can be found here: https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20160218-glibc.html.

The second, INDICATOR-COMPROMISE, depends a little more on whether you happen to have a PCAP of traffic from that device. It could be nothing, or it could be an indicator of something else, but if you can pull a full packet capture on it, that should give you a little more info on where it lies. In the meanwhile, it doesn't hurt to isolate that Android client until you get a closer look at it.

Side note, but the above could depend on the tier you have your IDS/IPS settings at. Balanced is typically my SOP on deployment; I've found Security to trigger a number of false positives. Depending on any other issues on the network and how long it's been since the last review, I always suggest that people get a security audit completed, either through a VAR or a smaller firm.
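For the PROTOCOL-DNS alert discussed above, the following is an added example (not part of the original post, and not Cisco or Snort code) of a first pass over the UDP DNS payloads pulled from that packet capture. CVE-2015-7547 is only reachable when a DNS response exceeds the 2048-byte stack buffer that glibc's getaddrinfo() reserves, so the script parses each response header and flags anything over that size for closer review. The sample packets are constructed inline; the function names, the 0xC00C name-pointer layout of the padded answers and the 130-answer count are my own choices, and the parser assumes raw UDP payloads (TCP DNS carries an extra 2-byte length prefix that this code does not strip).

```python
import struct

# glibc's getaddrinfo() reserves a 2048-byte alloca() buffer for the DNS
# answer; CVE-2015-7547 only comes into play when a response exceeds it,
# so oversized responses are the first thing worth pulling out of a capture.
GLIBC_STACK_BUFFER = 2048


def encode_qname(name):
    """Encode a dotted hostname into DNS label format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_qname(data, offset):
    """Decode a name at offset, following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name field)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            name, _ = decode_qname(data, ptr)
            labels.append(name)
            return ".".join(labels), offset + 2
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_dns_response(qname, answer_count, txid=0x1234):
    """Constructed sample packet: a standard response with one A question and
    answer_count A records, each using a pointer (0xC00C) back to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, answer_count, 0, 0)
    question = encode_qname(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    # NAME ptr, TYPE A, CLASS IN, TTL 300, RDLENGTH 4, RDATA 10.0.0.1 -> 16 bytes each
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([10, 0, 0, 1])
    return header + question + answer * answer_count


def parse_dns_response(payload):
    """Summarise one UDP DNS payload: transaction id, QR bit, RCODE, name, size."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", payload[:12])
    qname = decode_qname(payload, 12)[0] if qdcount else ""
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),  # QR bit set means response
        "rcode": flags & 0x000F,
        "qname": qname,
        "answers": ancount,
        "length": len(payload),
    }


def triage_dns_responses(payloads, threshold=GLIBC_STACK_BUFFER):
    """Return the responses whose total length exceeds the glibc buffer size."""
    flagged = []
    for payload in payloads:
        info = parse_dns_response(payload)
        if info["is_response"] and info["length"] > threshold:
            flagged.append(info)
    return flagged


# Constructed sample traffic: one ordinary lookup (45 bytes) and one padded
# response (2109 bytes) of the size class the PROTOCOL-DNS rule is looking at.
SAMPLE_PAYLOADS = [
    build_dns_response("example.com", 1),
    build_dns_response("example.com", 130),
]

if __name__ == "__main__":
    for hit in triage_dns_responses(SAMPLE_PAYLOADS):
        print("review: txid=%#06x qname=%s answers=%d length=%d > %d"
              % (hit["txid"], hit["qname"], hit["answers"],
                 hit["length"], GLIBC_STACK_BUFFER))
```

On a real capture, feed in the UDP payloads of port 53 traffic to the Android client (for example bytes(pkt[UDP].payload) from scapy) in place of SAMPLE_PAYLOADS. An oversized response is not by itself proof of exploitation; DNSSEC and large record sets legitimately exceed 2048 bytes, so the output is a list of conversations to inspect by hand, not a verdict.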