looking for scanners and other "bad" activity
Mike Tancsa
mike at sentex.ca
Thu Sep 9 10:14:22 EDT 2010
Hi,
I am hoping to use my argus data for some real time threat
analysis looking for hosts scanning inside my network either
individual hosts or ports on a host. In general, the questions I
want to answer are like
What external IP addresses have hit > n hosts on port y in less than x hrs
e.g. what external IP addresses have hit port 3389 on more than 20
different IP addresses in the past 1hr
I could do some scripting to interpret the text output, but was
hoping there would be some combo of racluster and other argus tools
to help me answer that question.
---Mike
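An added example, not part of the original post: a small Python script that answers the question above over argus text output, using a sliding one-hour window to count how many distinct internal hosts each external source reached on a given port. It assumes the records were printed as whitespace-separated fields in the order stime (epoch seconds), saddr, daddr, dport; the sample records embedded below are constructed, not real argus data.

```python
"""Sliding-window scan detection over argus-style text records (constructed sample)."""
from collections import defaultdict, deque

# Constructed sample of ra-style records: stime(epoch) saddr daddr dport.
# One external host touches 3389 on many internal hosts, another touches only a few,
# and the first host also talks to port 22, which a port-3389 query must ignore.
SAMPLE_RECORDS = "\n".join(
    [f"{1284041000 + i * 60} 203.0.113.7 192.0.2.{10 + i} 3389" for i in range(25)]
    + [f"{1284041000 + i * 60} 198.51.100.9 192.0.2.{10 + i} 3389" for i in range(5)]
    + [f"{1284041000 + i * 60} 203.0.113.7 192.0.2.{10 + i} 22" for i in range(30)]
)

def parse_records(text):
    """Yield (stime, saddr, daddr, dport) tuples; skip lines that are too short."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        stime, saddr, daddr, dport = parts[:4]
        yield float(stime), saddr, daddr, int(dport)

def find_scanners(text, port, min_hosts, window_secs=3600):
    """Return {saddr: peak distinct daddr hit on `port` inside any window_secs span}
    for every source whose peak exceeds min_hosts."""
    flows = defaultdict(list)
    for stime, saddr, daddr, dport in parse_records(text):
        if dport == port:
            flows[saddr].append((stime, daddr))
    hits = {}
    for saddr, events in flows.items():
        events.sort()               # order by time so the window can slide forward
        window = deque()            # (stime, daddr) events inside the current window
        counts = defaultdict(int)   # daddr -> number of events still in the window
        peak = 0
        for stime, daddr in events:
            window.append((stime, daddr))
            counts[daddr] += 1
            # Evict events older than window_secs relative to the newest event.
            while window and window[0][0] < stime - window_secs:
                _, old_daddr = window.popleft()
                counts[old_daddr] -= 1
                if counts[old_daddr] == 0:
                    del counts[old_daddr]
            peak = max(peak, len(counts))
        if peak > min_hosts:
            hits[saddr] = peak
    return hits

if __name__ == "__main__":
    for saddr, n in find_scanners(SAMPLE_RECORDS, 3389, 20).items():
        print(f"{saddr} hit {n} distinct hosts on port 3389 within one hour")
```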