How do I read BotHunters scan detection reports from within an Infection Profile?


Here is an example:

    1. event=777:7777008 {3} {tcp} E8[bh] Detected intense malware port scanning of
    2. (21 IPs 21 /24s) (# pkts S/M/O/I=2/19/2/0): 445:19
    3. 0->0 (21:30:22.292 PDT)
    4. 0->0 (21:31:40.101 PDT)
    5. 0->0 (21:32:42.503 PDT)

The above scan detection report was produced from BotHunter's scan detection module (bhSD).

Line 1: The bhSD gid=777, and sid=777008. The {3} indicates that these dialog events represent a consolidation of 3 bhSD alerts into one single event. {tcp} represents the scan protocol. The message indicates that this was an intense malware-focused portscan, where "intense" is an indication of IP sweep intensity, and "malware" is a measure of port focus. That is, "malware" indicates that the port focus of this scan involved the set of commonly observed ports used by malware. Sweep intensity may be set to either "intense" or "moderate," and port focus may be set to either "malware" or "non-malware."

Line 2: Indicates that there were 21 IP addresses scanned over 21
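To make the field layout described in the answer concrete, here is an added example parser (not part of the original post, and not BotHunter's own code) that splits a bhSD scan detection report into its named fields: the gid:sid pair, the consolidation count in braces, the protocol, the sweep-intensity and port-focus words, the IP and /24 counts, the S/M/O/I packet counters, the port:hit-count list, and the per-alert timestamp lines. The sample report is the one quoted above, embedded as a constructed string; the regular expressions, the ScanEvent field names and the triage helper are this example's assumptions about the format, based only on the single report shown. The meaning of the four S/M/O/I counters is not described in the answer, so they are kept as raw keys.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the report quoted in the answer above.
SAMPLE_REPORT = """\
event=777:7777008 {3} {tcp} E8[bh] Detected intense malware port scanning of
(21 IPs 21 /24s) (# pkts S/M/O/I=2/19/2/0): 445:19
0->0 (21:30:22.292 PDT)
0->0 (21:31:40.101 PDT)
0->0 (21:32:42.503 PDT)
"""

# Line 1: event=<gid>:<sid> {consolidated alerts} {protocol} <evidence tag> Detected <intensity> <focus> port scanning of
# (assumed layout, derived from the one sample report)
HEADER_RE = re.compile(
    r"event=(?P<gid>\d+):(?P<sid>\d+)\s+"
    r"\{(?P<count>\d+)\}\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<evidence>E\d+\[\w+\])\s+"
    r"Detected\s+(?P<intensity>intense|moderate)\s+"
    r"(?P<focus>malware|non-malware)\s+port scanning of"
)
# Line 2: (<n> IPs <m> /24s) (# pkts S/M/O/I=a/b/c/d): port:hits [port:hits ...]
SUMMARY_RE = re.compile(
    r"\((?P<ips>\d+) IPs (?P<subnets>\d+) /24s\)\s+"
    r"\(# pkts S/M/O/I=(?P<s>\d+)/(?P<m>\d+)/(?P<o>\d+)/(?P<i>\d+)\):\s*"
    r"(?P<ports>.*)$"
)
# Lines 3..n: <src>-><dst> (<timestamp>), one per consolidated alert
TIME_RE = re.compile(r"^(?P<src>\S+)->(?P<dst>\S+)\s+\((?P<ts>[^)]+)\)$")


@dataclass
class ScanEvent:
    gid: int
    sid: int
    consolidated_alerts: int
    protocol: str
    intensity: str       # "intense" or "moderate"
    port_focus: str      # "malware" or "non-malware"
    ips_scanned: int
    subnets_scanned: int
    packet_counts: dict  # raw S/M/O/I counters, meaning not given in the answer
    port_hits: dict      # port -> hit count
    timestamps: list = field(default_factory=list)


def parse_scan_event(text):
    """Parse one bhSD scan detection report into a ScanEvent."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) < 2:
        raise ValueError("report needs at least the header and summary lines")
    h = HEADER_RE.match(lines[0])
    s = SUMMARY_RE.match(lines[1])
    if not h or not s:
        raise ValueError("not a bhSD scan detection report")
    port_hits = {}
    for item in s.group("ports").split():
        port, hits = item.split(":")
        port_hits[int(port)] = int(hits)
    ev = ScanEvent(
        gid=int(h.group("gid")),
        sid=int(h.group("sid")),
        consolidated_alerts=int(h.group("count")),
        protocol=h.group("proto"),
        intensity=h.group("intensity"),
        port_focus=h.group("focus"),
        ips_scanned=int(s.group("ips")),
        subnets_scanned=int(s.group("subnets")),
        packet_counts={k.upper(): int(s.group(k)) for k in ("s", "m", "o", "i")},
        port_hits=port_hits,
    )
    for ln in lines[2:]:
        t = TIME_RE.match(ln)
        if t:
            ev.timestamps.append(t.group("ts"))
    return ev


def consistency_warnings(ev):
    """Sanity checks an analyst would want before trusting the summary."""
    warnings = []
    if len(ev.timestamps) != ev.consolidated_alerts:
        warnings.append("timestamp count does not match consolidated alert count")
    if ev.ips_scanned < ev.subnets_scanned:
        warnings.append("more /24s than IPs reported")
    return warnings


def is_noteworthy(ev):
    """Triage helper (assumed policy): intense sweeps with malware port focus first."""
    return ev.intensity == "intense" and ev.port_focus == "malware"


if __name__ == "__main__":
    event = parse_scan_event(SAMPLE_REPORT)
    print(event)
    print("warnings:", consistency_warnings(event))
    print("noteworthy:", is_noteworthy(event))
```

Running the block on the sample report yields three timestamps for the {3} consolidation count, so consistency_warnings returns an empty list; the port_hits dictionary ({445: 19}) is where the "malware" port-focus judgement in the header becomes visible as a concrete port.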