The Vertical Scan Dashboard for Firewall Logs shows vertical scan activity conducted against any firewall class device on the Internet Perimeter. This set of dashlets will display the top 10 port probing/scanning activity over the last 24 hours, broken down into the following categories:
1. Unique ports by source IP: it looks at the inbound traffic and, every hour, counts the number of unique ports for each source IP address it sees, then displays them in a Timeline and a Summary format by IP address. In short, it shows which IP addresses are using the most ports to scan your network on an hourly basis. This is the classic vertical scan: a single IP probing multiple ports.
2. Unique ports by country: it looks at the inbound traffic and, every hour, counts the number of unique ports for each source IP address it sees, then displays them in a Timeline and a Summary format by country. In short, it shows the unique port count broken down by source country.
3. Unique IP addresses by country: it looks at the inbound traffic and, every hour, counts the number of unique IP addresses for each Source Country it sees, then displays them in a Timeline and a Summary format by country. In short, it is a count of the unique IP addresses used to probe your network, displayed by country.
4. Denied ports: it looks at the inbound traffic and, every hour, finds the distinct ports and counts how many times they are denied. Then it displays them in a Timeline and a Summary format as shown below. In short, it shows the top ten ports that are being probed and denied.
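The four hourly aggregations above, reproduced in Python so the logic can be checked against a known input before it is trusted in the dashboard. This is an added example, not the dashboard's own Report Engine rules; the event format, field names and sample values are constructed for the illustration.

```python
from collections import defaultdict

# Constructed inbound firewall events (not taken from the page):
# "<ISO timestamp> <src ip> <src country> <dst port> <action>"
SAMPLE_EVENTS = [
    "2024-01-01T10:05:00 203.0.113.5 AA 22 deny",
    "2024-01-01T10:06:00 203.0.113.5 AA 23 deny",
    "2024-01-01T10:07:00 203.0.113.5 AA 80 deny",
    "2024-01-01T10:09:00 198.51.100.9 BB 22 deny",
    "2024-01-01T10:15:00 198.51.100.10 BB 22 deny",
    "2024-01-01T10:20:00 198.51.100.10 BB 443 allow",
    "2024-01-01T11:01:00 203.0.113.5 AA 22 deny",
]

def hourly_scan_stats(lines, top=10):
    """Per hour: unique dst ports per source IP, unique dst ports per country,
    unique source IPs per country, and denies per destination port.
    Returns {hour: {dashlet: [(key, count), ...]}} with each list cut to `top`."""
    ports_by_ip = defaultdict(lambda: defaultdict(set))
    ports_by_cc = defaultdict(lambda: defaultdict(set))
    ips_by_cc = defaultdict(lambda: defaultdict(set))
    denies_by_port = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, src, cc, port, action = line.split()
        hour = ts[:13]                        # "YYYY-MM-DDTHH" bucket
        ports_by_ip[hour][src].add(port)      # all inbound traffic, allowed or not
        ports_by_cc[hour][cc].add(port)
        ips_by_cc[hour][cc].add(src)
        if action == "deny":                  # only denies feed the fourth dashlet
            denies_by_port[hour][port] += 1

    def ranked(table):
        # sets become "countdistinct", ints stay as plain counts; top N descending
        items = [(k, len(v) if isinstance(v, set) else v) for k, v in table.items()]
        return sorted(items, key=lambda kv: (-kv[1], kv[0]))[:top]

    return {
        hour: {
            "ports_per_ip": ranked(ports_by_ip[hour]),
            "ports_per_country": ranked(ports_by_cc[hour]),
            "ips_per_country": ranked(ips_by_cc[hour]),
            "denies_per_port": ranked(denies_by_port[hour]),
        }
        for hour in sorted(ports_by_ip)
    }

if __name__ == "__main__":
    for hour, stats in hourly_scan_stats(SAMPLE_EVENTS).items():
        print(hour, stats)
```

Feeding the script a day's worth of exported firewall events and comparing its top-10 lists with the dashlets is a quick way to confirm the Report Engine rules are bucketing and counting as described.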
You must have the items listed below installed and configured for this dashboard to work properly.
Versions prior to 10.5 do not have the “distinct” and “countdistinct” functions available in the Report Engine, and the rules depend on them.
Directions for installation and configuration of this parser are located in the link below:
https://community.rsa.com/docs/DOC-44948
If you already have a parser that defines Internet source IP addresses, you can modify the rules and swap out “netname='other src'” for your own metakey and value.