How do I read BotHunter's scan detection reports from within an Infection Profile?
Here is an example:

1. event=777:7777008 {3} {tcp} E8[bh] Detected intense malware port scanning of
2. (21 IPs 21 /24s) (# pkts S/M/O/I=2/19/2/0): 445:19
3. 0->0 (21:30:22.292 PDT)
4. 0->0 (21:31:40.101 PDT)
5. 0->0 (21:32:42.503 PDT)

The above scan detection report was produced by BotHunter's scan detection module (bhSD).

Line 1: The bhSD gid=777, and sid=777008. The {3} indicates that these dialog events represent a consolidation of 3 bhSD alerts into one single event. {tcp} is the scan protocol. The message indicates that this was an intense, malware-focused port scan, where "intense" describes the IP sweep intensity and "malware" describes the port focus. That is, "malware" indicates that the port focus of this scan involved the set of commonly observed ports used by malware. Sweep intensity may be set to either "intense" or "moderate," and port focus may be set to either "malware" or "non-malware."

Line 2: Indicates that there were 21 IP addresses scanned over 21
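An added example, not part of the BotHunter FAQ or of the bhSD module itself: a small Python parser for the report format described above, using the sample report as constructed input. It interprets only the fields the explanation above covers (gid/sid, consolidation count, protocol, sweep intensity, port focus, IP and /24 counts) and validates the intensity and focus vocabularies; the S/M/O/I packet counts, the trailing 445:19 token and the 0->0 endpoints are kept as raw strings because their meaning is not explained in the surviving text.

```python
import re

# Constructed sample: the bhSD report quoted in the FAQ, one report line per text line.
SAMPLE_REPORT = """\
event=777:7777008 {3} {tcp} E8[bh] Detected intense malware port scanning of
(21 IPs 21 /24s) (# pkts S/M/O/I=2/19/2/0): 445:19
0->0 (21:30:22.292 PDT)
0->0 (21:31:40.101 PDT)
0->0 (21:32:42.503 PDT)
"""

# Vocabulary given in the FAQ: sweep intensity and port focus each take one of two values.
INTENSITIES = ("intense", "moderate")
FOCUSES = ("malware", "non-malware")

HEADER_RE = re.compile(
    r"event=(?P<gid>\d+):(?P<sid>\d+) \{(?P<count>\d+)\} \{(?P<proto>\w+)\} "
    r"E8\[bh\] Detected (?P<intensity>\w+) (?P<focus>[\w-]+) port scanning of"
)
SUMMARY_RE = re.compile(
    r"\((?P<ips>\d+) IPs (?P<nets>\d+) /24s\) "
    r"\(# pkts S/M/O/I=(?P<smoi>\d+/\d+/\d+/\d+)\): (?P<tail>\S+)"
)
EVENT_RE = re.compile(r"(?P<src>\S+)->(?P<dst>\S+) \((?P<time>\d\d:\d\d:\d\d\.\d+) (?P<tz>\w+)\)")


def parse_bhsd_report(text):
    """Parse one consolidated bhSD scan report into a dict; raise ValueError on anything unexpected."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2:
        raise ValueError("report needs a header line and a summary line")
    head = HEADER_RE.fullmatch(lines[0])
    summ = SUMMARY_RE.fullmatch(lines[1])
    if not head or not summ:
        raise ValueError("unrecognised bhSD header or summary line")
    if head["intensity"] not in INTENSITIES or head["focus"] not in FOCUSES:
        raise ValueError("unknown sweep intensity or port focus: %s %s" % (head["intensity"], head["focus"]))
    events = []
    for ln in lines[2:]:
        m = EVENT_RE.fullmatch(ln)
        if not m:
            raise ValueError("bad event line: " + ln)
        events.append({"src": m["src"], "dst": m["dst"], "time": m["time"], "tz": m["tz"]})
    consolidated = int(head["count"])
    if consolidated != len(events):
        # {N} is the number of bhSD alerts merged into this event; each alert should have a timestamp line.
        raise ValueError("header says %d alerts but %d event lines follow" % (consolidated, len(events)))
    return {
        "gid": int(head["gid"]), "sid": int(head["sid"]), "alerts": consolidated,
        "proto": head["proto"], "intensity": head["intensity"], "focus": head["focus"],
        "ips": int(summ["ips"]), "slash24s": int(summ["nets"]),
        "pkts_smoi": summ["smoi"], "tail": summ["tail"],  # kept raw: not explained in the FAQ text
        "events": events,
    }
```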