evIdsAlert: eventId=1287530989864443762 severity=high vendor=Cisco alarmTraits=2147483648
  originator:
    hostId:
    appName: sensorApp
    appInstanceId: 665
  signature: description=AD - External UDP Scanner id=13004 created=20061120 type=anomaly version=S262
    subsigId: 1
    sigDetails: Worm Attack
    marsCategory: Info/Misc/Scanner
    marsCategory: Probe/FromScanner
    marsCategory: Propagate/Worm
  interfaceGroup: VS1
  vlan: 0
  participants:
    attacker:
      addr: locality=PrivateNetworks 10.10.10.1
    target:
      addr: locality=Unknown 0.0.0.0
      port: 137
  actions:
    deniedPacket: true
    snmpTrapRequested: true
    deniedAttackerVictimPair: true
  alertDetails: . adExtraData: numDestIps=5; currentThreshold=5; destPort=137 ;
  riskRatingValue: targetValueRating=medium 100
  threatRatingValue: 60
  interface: ge0_7
  protocol: udp
From the log shown above, is it possible to find out how many UDP packets were sent from the private network host 10.10.10.1 to 0.0.0.0?
What is the threshold that triggers the deny actions, and how can I modify it?
Thank you very much
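As an added example (not part of the post above, and not Cisco's own tooling), the following Python script parses the text form of the evIdsAlert exactly as it appears in the post and reduces it to the facts that bear on the two questions: which counters the anomaly-detection block (adExtraData) actually carries, whether the reported count has reached the reported threshold, and which actions fired. The alert text is embedded as the sample input, copied from the post; the function and key names are the example's own.

```python
import re

# Sample input: the evIdsAlert from the post above, copied as posted (the
# hostId value was already absent there and is left that way).
ALERT_TEXT = """\
evIdsAlert: eventId=1287530989864443762 severity=high vendor=Cisco alarmTraits=2147483648
originator:
hostId: appName: sensorApp
appInstanceId: 665
signature: description=AD - External UDP Scanner id=13004 created=20061120 type=anomaly version=S262
subsigId: 1
sigDetails: Worm Attack
marsCategory: Info/Misc/Scanner
marsCategory: Probe/FromScanner
marsCategory: Propagate/Worm
interfaceGroup: VS1
vlan: 0
participants:
attacker:
addr: locality=PrivateNetworks 10.10.10.1
target:
addr: locality=Unknown 0.0.0.0
port: 137
actions:
deniedPacket: true
snmpTrapRequested: true
deniedAttackerVictimPair: true
alertDetails: . adExtraData: numDestIps=5; currentThreshold=5; destPort=137 ;
riskRatingValue: targetValueRating=medium 100
threatRatingValue: 60
interface: ge0_7
protocol: udp
"""


def parse_evidsalert(text):
    """Split 'key: value' lines into a dict; repeated keys (marsCategory, addr) become lists."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()          # indentation from the sensor output is irrelevant here
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in fields:
            if not isinstance(fields[key], list):
                fields[key] = [fields[key]]
            fields[key].append(value)
        else:
            fields[key] = value
    return fields


def ad_extra_data(fields):
    """Return the 'name=value;' counters of the adExtraData block as ints."""
    m = re.search(r"adExtraData:(.*)", fields.get("alertDetails", ""))
    return {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", m.group(1))} if m else {}


def summarize(text):
    """Reduce the alert to the facts that bear on the two questions in the post."""
    fields = parse_evidsalert(text)
    extra = ad_extra_data(fields)
    # The attacker addr line comes first, the target addr line second; the IP is the last token.
    addrs = fields.get("addr", [])
    ips = [a.split()[-1] for a in ([addrs] if isinstance(addrs, str) else addrs)]
    sig = fields.get("signature", "")
    sig_id = re.search(r"\bid=(\d+)", sig)
    desc = re.search(r"description=(.*?)\s+id=", sig)
    n, thr = extra.get("numDestIps"), extra.get("currentThreshold")
    return {
        "signature_id": int(sig_id.group(1)) if sig_id else None,
        "description": desc.group(1) if desc else None,
        "attacker": ips[0] if ips else None,
        "target": ips[1] if len(ips) > 1 else None,
        "target_port": int(fields["port"]) if "port" in fields else None,
        "protocol": fields.get("protocol"),
        "actions": {k: fields.get(k) == "true"
                    for k in ("deniedPacket", "snmpTrapRequested", "deniedAttackerVictimPair")},
        "num_dest_ips": n,
        "threshold": thr,
        "threshold_reached": (n >= thr) if n is not None and thr is not None else None,
        # The alert carries no packet counter: its only counters are the number
        # of distinct destination IPs and the threshold, so this stays None.
        "packet_count": None,
    }
```

Calling summarize(ALERT_TEXT) on the posted alert yields num_dest_ips 5 against threshold 5 (threshold_reached True) with all three deny/trap actions set, and packet_count None: the adExtraData block records how many distinct destination addresses 10.10.10.1 reached on UDP/137, not how many packets it sent, so a packet count cannot be read from this alert alone.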