Here we see the IDM event screen:

This packet triggered the alert. Observe the ipLog section:
This is dandy, but I still don't know whether I should be worried about this event. Since I've enabled IP Logging, the alert triggered a packet capture for a specified duration or packet count. This screen shows a number of logs and their corresponding alert event IDs.

After I download the log relevant to the alert, it can be analyzed with software such as Ethereal/Wireshark:

Now choose the packet that generated the alert and right-click "Follow TCP Stream". This screen depicts the full transcript of the conversation between victim and attacker:

The output shows this attempt did not succeed. Looks like some tuning is in order. BTW, this process is simpler and faster with a system such as Sguil.
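The manual steps above (download the IP log, find the packet that fired the alert, follow the TCP stream, read the server's reply to decide whether the attempt worked) can be scripted when there are more logs than you want to click through. The script below is an added example, not part of the original post and not Cisco, Wireshark or Sguil code: it parses a classic pcap with the standard library only, reassembles each conversation by sequence number the way "Follow TCP Stream" does (including a retransmitted segment and an out-of-order reply), and reads the HTTP status line on the server side. The capture, the host addresses (RFC 5737 documentation ranges) and the probe request are constructed for the example; the status-code verdicts are a first-pass triage heuristic, not proof either way, since a 200 can still be a harmless page and a 500 can be a successful crash.

```python
"""Scripted 'Follow TCP Stream' triage for an IP-log pcap (added example, stdlib only)."""
import socket
import struct
from collections import defaultdict

ETH_TYPE_IPV4 = 0x0800
IP_PROTO_TCP = 6
LINKTYPE_ETHERNET = 1

def build_pcap(segments):
    """Wrap (src_ip, sport, dst_ip, dport, seq, payload) tuples in a little-endian pcap file.
    Checksums stay zero; the parser below never verifies them (Wireshark doesn't by default either)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for ts, (src, sport, dst, dport, seq, payload) in enumerate(segments, start=1_000_000):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IP_PROTO_TCP, 0,
                         socket.inet_aton(src), socket.inet_aton(dst)) + tcp
        frame = b"\x00" * 12 + struct.pack("!H", ETH_TYPE_IPV4) + ip
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return bytes(out)

def parse_pcap(data):
    """Yield (src_ip, sport, dst_ip, dport, seq, payload) for each TCP segment in a classic pcap
    of either byte order. pcapng and non-Ethernet link types are out of scope here."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        off += 16
        seg = parse_frame(data[off:off + incl_len])
        off += incl_len
        if seg is not None:
            yield seg

def parse_frame(frame):
    """Decode Ethernet/IPv4/TCP headers; return None for anything else."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_TYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != IP_PROTO_TCP:
        return None
    tcp = ip[ihl:total_len]  # slicing to total_len drops any Ethernet trailer padding
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return (socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport, seq, tcp[data_off:])

def reassemble(segs):
    """Order one direction's segments by sequence number, dropping retransmitted overlap.
    Gaps are left unmarked and 32-bit sequence wrap-around is not handled."""
    buf, expected = b"", None
    for seq, payload in sorted(segs):
        if expected is not None and seq < expected:  # retransmission / overlap
            payload = payload[expected - seq:]
            seq = expected
        buf += payload
        expected = seq + len(payload)
    return buf

def follow_tcp_streams(segments):
    """Wireshark-style Follow TCP Stream: {conversation_key: {sender_endpoint: reassembled bytes}}."""
    streams = defaultdict(lambda: defaultdict(list))
    for src, sport, dst, dport, seq, payload in segments:
        if payload:
            key = tuple(sorted([(src, sport), (dst, dport)]))
            streams[key][(src, sport)].append((seq, payload))
    return {key: {ep: reassemble(segs) for ep, segs in dirs.items()} for key, dirs in streams.items()}

def http_status(response):
    """Status code from the server's first line, or None if it does not look like HTTP."""
    parts = response.split(b"\r\n", 1)[0].split()
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None

def triage(pcap_bytes, victim_ip, victim_port):
    """For every conversation with the victim service: (client, request line, status, verdict)."""
    server = (victim_ip, victim_port)
    findings = []
    for key, dirs in follow_tcp_streams(parse_pcap(pcap_bytes)).items():
        if server not in key:
            continue
        client = key[1] if key[0] == server else key[0]
        request_line = dirs.get(client, b"").split(b"\r\n", 1)[0].decode("ascii", "replace")
        status = http_status(dirs.get(server, b""))
        if status is None:
            verdict = "no HTTP response seen"
        elif 200 <= status < 300:
            verdict = "attempt likely succeeded"
        elif status >= 400:
            verdict = "attempt rejected by server"
        else:
            verdict = "inconclusive"
        findings.append((client, request_line, status, verdict))
    return sorted(findings, key=lambda f: f[0])

# Constructed sample capture; addresses are RFC 5737 documentation ranges, not real hosts.
VICTIM, ATTACKER, OTHER = "192.0.2.10", "198.51.100.7", "198.51.100.8"
PROBE = b"GET /cgi-bin/probe.cgi?a=1 HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
RESP_HDR = b"HTTP/1.0 404 Not Found\r\nServer: httpd\r\n"
RESP_BODY = b"Content-Length: 9\r\n\r\nNot Found"
SAMPLE_PCAP = build_pcap([
    (ATTACKER, 40001, VICTIM, 80, 1000, PROBE),
    (ATTACKER, 40001, VICTIM, 80, 1000, PROBE),                     # retransmission
    (VICTIM, 80, ATTACKER, 40001, 5000 + len(RESP_HDR), RESP_BODY),  # arrives out of order
    (VICTIM, 80, ATTACKER, 40001, 5000, RESP_HDR),
    (OTHER, 40002, VICTIM, 80, 7000, b"GET /index.html HTTP/1.0\r\n\r\n"),
    (VICTIM, 80, OTHER, 40002, 9000, b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok"),
])

if __name__ == "__main__":
    for client, req, status, verdict in triage(SAMPLE_PCAP, VICTIM, 80):
        print(f"{client[0]}:{client[1]} -> {req!r} -> {status}: {verdict}")
```

To use it on a real IP log, replace SAMPLE_PCAP with the bytes of the downloaded file and pass the victim's address and port from the alert. The conversation key is the sorted pair of endpoints, so both directions of one TCP connection land in the same stream regardless of which packet the IDM flagged; the reassembly deliberately tolerates the duplicate and out-of-order segments that show up in sensor captures, because a naive "concatenate in arrival order" transcript would have printed the 404 body before its status line.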