Creating Incidents - Novell SENTINEL 6.1 SP2 - 02-2010 User Manual

Match if, select All conditions are met (and)
SourceIP = 10.0.0.3
DestinationIP = 10.0.0.4
SensorType = H
EventName = Attempted_telnet
Severity = 5
3 Click Save. Highlight your filter and click Select.
4 Provide your time period of interest; click Search (Magnifying Glass icon). The result of your query displays. If your Event Query makes a match, you will get a result similar to the following illustration.
If you want to see how often in general this user is attempting a telnet, remove DestinationIP, SensorType and Severity from your filter or create a new filter. The results will show all the destination IPs this user is attempting to telnet to.
If any of your events are correlated events, you can right-click > View Trigger Events to find out which events triggered that correlated event.
NOTE: Correlated events will have the SensorType column populated with a C.
More Information about Attacks
Another event of interest could be excessive FTP events. FTP is also a remote connection, allowing for transferring, copying and deleting of files.
Below is a short list of attacks of interest. The full range of attack types is extensive. For more information about network/host attacks, there are many resources available (that is, books and the internet) that explain different types of attacks in detail.
SYN Flood
ICMP and UDP Flood
Packet Sniffing
Denial of Service
Smurf and Fraggle
Dictionary Attack

14.2 Creating Incidents

NOTE: To perform this function you must have user permission to create Incidents.
This is useful for grouping a set of events together as a whole representing something of interest (a group of similar events, or a set of different events that indicate a pattern of interest such as an attack).
310 Sentinel 6.1 User Guide
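The following is an added example, not code from the Sentinel product or this manual. It models the filter logic the steps above describe (an "all conditions are met" match on SourceIP, DestinationIP, SensorType, EventName and Severity), the loosened query that tallies destination IPs for one source, the lookup of trigger events behind a correlated event (SensorType C), and the grouping of matched events into an incident as in section 14.2. The event records are constructed sample data, and the TriggerEventIDs field and the create_incident record layout are assumptions made for illustration; Sentinel's real event schema and filter engine are not reproduced here.

```python
"""Evaluate Sentinel-style event filters over constructed sample events.

Added example, not Novell's code. Field names follow the manual; the
records, the TriggerEventIDs field and the incident layout are assumed.
"""
from collections import Counter

# Constructed sample events (not real data). SensorType "H" is a host
# sensor, "N" a network sensor, "C" a correlated event as the manual's
# NOTE describes. TriggerEventIDs is an assumed field for this example.
EVENTS = [
    {"EventID": 1, "SourceIP": "10.0.0.3", "DestinationIP": "10.0.0.4",
     "SensorType": "H", "EventName": "Attempted_telnet", "Severity": 5},
    {"EventID": 2, "SourceIP": "10.0.0.3", "DestinationIP": "10.0.0.9",
     "SensorType": "H", "EventName": "Attempted_telnet", "Severity": 3},
    {"EventID": 3, "SourceIP": "10.0.0.3", "DestinationIP": "10.0.0.4",
     "SensorType": "N", "EventName": "Attempted_telnet", "Severity": 5},
    {"EventID": 4, "SourceIP": "10.0.0.7", "DestinationIP": "10.0.0.4",
     "SensorType": "H", "EventName": "Attempted_ftp", "Severity": 2},
    {"EventID": 5, "SourceIP": "10.0.0.3", "DestinationIP": "10.0.0.4",
     "SensorType": "C", "EventName": "Attempted_telnet", "Severity": 5,
     "TriggerEventIDs": [1, 3]},
]

# The filter from the manual's steps: every condition must hold.
STRICT_FILTER = {"SourceIP": "10.0.0.3", "DestinationIP": "10.0.0.4",
                 "SensorType": "H", "EventName": "Attempted_telnet",
                 "Severity": 5}


def matches(event, conditions, match_all=True):
    """True if the event satisfies the filter.

    match_all=True mirrors "All conditions are met (and)"; False mirrors
    an any-condition (or) match. A field missing from the event never
    matches, so a typo in a field name silently empties the result set.
    """
    checks = [event.get(field) == value for field, value in conditions.items()]
    return all(checks) if match_all else any(checks)


def run_query(events, conditions, match_all=True):
    """Return the events that satisfy the filter, in their original order."""
    return [e for e in events if matches(e, conditions, match_all)]


def destination_counts(events, source_ip, event_name):
    """The loosened query: drop DestinationIP, SensorType and Severity and
    count how many times this source attempted the event per destination."""
    hits = run_query(events, {"SourceIP": source_ip, "EventName": event_name})
    return Counter(e["DestinationIP"] for e in hits)


def trigger_events(events, correlated_event):
    """Resolve the trigger events of a correlated (SensorType C) event.
    Non-correlated events have no triggers and yield an empty list."""
    if correlated_event.get("SensorType") != "C":
        return []
    wanted = set(correlated_event.get("TriggerEventIDs", []))
    return [e for e in events if e["EventID"] in wanted]


def create_incident(name, events):
    """Group a set of events into one incident record (section 14.2).
    The record layout is assumed for this example."""
    return {
        "Name": name,
        "EventIDs": sorted(e["EventID"] for e in events),
        "MaxSeverity": max((e["Severity"] for e in events), default=0),
    }


if __name__ == "__main__":
    print("strict filter hits:", [e["EventID"] for e in run_query(EVENTS, STRICT_FILTER)])
    print("telnet destinations:", destination_counts(EVENTS, "10.0.0.3", "Attempted_telnet"))
    print("triggers of event 5:", [e["EventID"] for e in trigger_events(EVENTS, EVENTS[4])])
    print(create_incident("Telnet probing from 10.0.0.3",
                          run_query(EVENTS, {"SourceIP": "10.0.0.3",
                                             "EventName": "Attempted_telnet"})))
```

Note that the loosened query counts the correlated event alongside the raw sensor events it was built from, so a destination tally that includes SensorType C rows overstates the number of attempts; add SensorType back to the filter, or exclude C, when the goal is a count of raw events.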
