Snorby Report: Sunday, October 11, 2015 06:33 PM - Monday, October 12, 2015 06:33 PM


Page 1

Snorby.org
Date: Monday, October 12, 2015 at 06:33 PM CDT
Period: Sunday, October 11, 2015 06:33 PM - Monday, October 12, 2015 06:33 PM

Sensors
Name          Event Count
snorby:NULL   20134

[Chart: Event Count vs Time By Sensor (snorby:NULL). X axis: Hour of Day, 18 through 23 then 0 through 18; Y axis: Event Count, 0k to 4k]

Severities
Severity          Count
High Severity     6149
Medium Severity   13277
Low Severity      708
Total             20134

[Chart: Severity Count vs Time (High Severity, Medium Severity, Low Severity). X axis: Hour of Day, 18 through 23 then 0 through 18; Y axis: Severity Count, 0 to 2,500]

Page 2

Protocols
Protocol   Count
TCP        20134
UDP        0
ICMP       0
Total      20134

[Chart: Protocol Count vs Time (TCP, UDP, ICMP). X axis: Hour of Day, 18 through 23 then 0 through 18; Y axis: Protocol Count, 0k to 4k]

Top 15 Signatures (the report lists 20 rows under this heading)
Signature Name                                                       Percentage   Event Count
POLICY-OTHER Microsoft Windows Terminal Server no encryption s...    56.15%       11098
INDICATOR-SHELLCODE ssh CRC32 overflow filler                        20.03%       3958
SERVER-OTHER Samsung TV denial of service attempt                    3.11%        615
SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt         3.1%         612
SQL generic sql with comments injection attempt - GET parameter      3.04%        601
SERVER-MAIL SMTP relaying denied                                     2.86%        566
SERVER-WEBAPP awstats access                                         2.34%        462
SERVER-WEBAPP icat access                                            1.89%        374
POLICY-OTHER Remote non-JavaScript file found in script tag sr...    1.13%        224
SQL url ending in comment characters - possible sql injection ...    1.1%         218
SERVER-WEBAPP /doc/ access                                           0.99%        195
SERVER-OTHER TLSv1.2 POODLE CBC padding brute force attempt          0.73%        145
SERVER-OTHER Microsoft Frontpage shtml.dll access                    0.72%        143
SERVER-MYSQL failed Oracle Mysql login attempt                       0.67%        132
OS-OTHER Bash CGI environment variable injection attempt             0.62%        122
INDICATOR-OBFUSCATION large number of calls to char function -...    0.53%        104
SQL generic convert injection attempt - GET parameter                0.26%        52
SQL declare varchar - possible SQL injection attempt                 0.24%        48
SQL union select - possible sql injection attempt - GET parameter    0.24%        48
SQL generic sql update injection attempt - GET parameter             0.24%        48

Page 3

Top 10 Source Addresses
Source IP Address   Percentage   Event Count
185.93.187.10       50.8%        9218
125.211.217.34      21.0%        3810
195.154.177.67      11.52%       2091
185.93.187.58       2.29%        415
176.97.21.19        2.18%        395
192.64.55.136       1.63%        296
187.157.7.22        1.54%        280
198.11.175.42       1.39%        253
10.100.12.7         1.28%        233
10.100.12.13        1.02%        186

Top 10 Destination Addresses
Destination IP Address   Percentage   Event Count
10.100.11.112            48.14%       9385
10.100.11.107            20.33%       3964
10.100.11.39             13.98%       2726
10.100.11.111            8.79%        1713
10.100.11.24             3.33%        650
10.100.11.58             0.92%        180
10.100.11.31             0.74%        145
10.100.11.32             0.67%        130
104.216.9.189            0.57%        112
10.100.11.69             0.46%        90
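The tables above are the aggregate view Snorby builds from the underlying Snort alerts. As an added example that is not part of this report or of Snorby's own code, the Python below rebuilds the same summary (events per hour of day, severity, protocol, top signatures, top sources, top destinations) directly from Snort alert_fast log lines, and adds the source/destination/signature cross-tabulation that the three independent top-10 tables cannot give you. The sample alert lines are constructed for this example: the signature names and addresses are taken from the report, but the timestamps, gid:sid:rev identifiers (placeholders in the 1000000+ local-rule range), classifications, priorities and ports are made up. The High/Medium/Low mapping is an assumption that Snorby's severity buckets follow Snort rule priority 1/2/3.

```python
import re
from collections import Counter
from typing import Any, Dict, List, NamedTuple, Optional, Tuple

# Constructed sample of Snort "alert_fast" output for this example. Signature
# names and addresses come from the report; timestamps, gid:sid:rev triplets
# (placeholders in the 1000000+ local-rule range), classifications, priorities
# and ports are made up. The last line is deliberate noise to show it is skipped.
SAMPLE_ALERTS = """\
10/11-18:35:12.101 [**] [1:1000001:1] INDICATOR-SHELLCODE ssh CRC32 overflow filler [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 125.211.217.34:44321 -> 10.100.11.107:22
10/11-18:35:13.202 [**] [1:1000001:1] INDICATOR-SHELLCODE ssh CRC32 overflow filler [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 125.211.217.34:44322 -> 10.100.11.107:22
10/11-19:02:44.303 [**] [1:1000002:1] SERVER-MAIL SMTP relaying denied [**] [Classification: Misc Attack] [Priority: 2] {TCP} 195.154.177.67:50210 -> 10.100.11.39:25
10/11-21:17:05.404 [**] [1:1000003:1] SQL generic sql with comments injection attempt - GET parameter [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 185.93.187.10:60012 -> 10.100.11.112:80
10/12-03:40:19.505 [**] [1:1000004:1] OS-OTHER Bash CGI environment variable injection attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 185.93.187.58:38871 -> 10.100.11.111:80
10/12-11:08:51.606 [**] [1:1000002:1] SERVER-MAIL SMTP relaying denied [**] [Classification: Misc Attack] [Priority: 2] {TCP} 195.154.177.67:50322 -> 10.100.11.39:25
10/12-11:09:02.707 [**] [1:1000005:1] SERVER-MYSQL failed Oracle Mysql login attempt [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.100.12.7:41002 -> 10.100.11.24:3306
this line is not an alert and must be skipped
"""


class Alert(NamedTuple):
    hour: int
    sid: int
    msg: str
    priority: int
    proto: str
    src: str
    dst: str


# alert_fast layout: "MM/DD-HH:MM:SS.ffffff [**] [gid:sid:rev] msg [**]
# [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port"
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(?:<[^>]+>\s+)?"  # optional <iface>
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"  # absent for rules without classtype
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"  # no port for ICMP
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one alert_fast line; return None for anything that is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return Alert(
        hour=int(m.group("ts")[6:8]),  # "MM/DD-HH..." -> HH, for the hour-of-day chart
        sid=int(m.group("sid")),
        msg=m.group("msg"),
        priority=int(m.group("prio")),
        proto=m.group("proto").upper(),
        src=m.group("src"),
        dst=m.group("dst"),
    )


def severity(priority: int) -> str:
    # Assumption: Snorby's High/Medium/Low buckets follow Snort rule priority
    # 1/2/3; anything with a lower priority number than 3 is bucketed as Low.
    return {1: "High", 2: "Medium"}.get(priority, "Low")


def summarize(text: str, top_n: int = 10) -> Dict[str, Any]:
    """Aggregate alert_fast text into the tables a Snorby report shows."""
    alerts = [a for a in map(parse_alert, text.splitlines()) if a is not None]
    total = len(alerts)

    def top(counter: Counter) -> List[Tuple[Any, int, float]]:
        # (key, count, percentage of all parsed alerts); ties keep first-seen order
        return [(k, c, round(100.0 * c / total, 2)) for k, c in counter.most_common(top_n)]

    return {
        "total": total,
        "by_hour": dict(sorted(Counter(a.hour for a in alerts).items())),
        "by_severity": {s: sum(1 for a in alerts if severity(a.priority) == s)
                        for s in ("High", "Medium", "Low")},
        "by_protocol": {p: sum(1 for a in alerts if a.proto == p)
                        for p in ("TCP", "UDP", "ICMP")},
        "top_signatures": top(Counter(a.msg for a in alerts)),
        "top_sources": top(Counter(a.src for a in alerts)),
        "top_destinations": top(Counter(a.dst for a in alerts)),
        # Cross-tabulation the three independent top-N tables cannot provide:
        # which source drives which signature against which target.
        "top_triples": top(Counter((a.src, a.dst, a.msg) for a in alerts)),
    }


def format_report(summary: Dict[str, Any]) -> str:
    """Render the summary as plain text in the same order as the Snorby report."""
    lines = [f"Total events: {summary['total']}",
             "Severities: " + ", ".join(f"{k} {v}" for k, v in summary["by_severity"].items()),
             "Protocols: " + ", ".join(f"{k} {v}" for k, v in summary["by_protocol"].items()),
             "Events by hour: " + ", ".join(f"{h:02d}h {c}" for h, c in summary["by_hour"].items())]
    for key in ("top_signatures", "top_sources", "top_destinations", "top_triples"):
        lines.append(key.replace("_", " ").title() + ":")
        lines += [f"  {k}  {pct}%  {c}" for k, c, pct in summary[key]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_ALERTS)))
```

Run it as a script to print the summary for the embedded sample, or call summarize() on the contents of a real alert file. Percentages here are computed against the parsed total; the report's own percentage column is not computed that way (11098 of 20134 events is 55.12%, not the 56.15% printed), so do not expect the two to agree to the decimal.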