The difference between the number of detections of attacks to 445 by dionaea and the number of detections by Suricata rules #1467
muhtyo1102 started this conversation in General
Replies: 0 comments
Dear expert,
I am now investigating the statistics of my T-POT and found something curious.
The "Attacks by Country and Port" diagram shows 34,567 detections, which are detected by dionaea.
But the Suricata rule (ID: 2024766, "ET EXPLOIT [PTsecurity] DoublePulsar Backdoor installation communication") shows 63,466 detections.
The content of the Suricata rule is:
[alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT [PTsecurity] DoublePulsar Backdoor installation communication";]
It means that the Suricata rule catches all the inbound traffic to port 445.
And I understand that dionaea catches all the inbound traffic to port 445 as well.
So I can't understand why the number of detections of Suricata and dionaea is different.
Does anyone know the reason why?
Thank you so much.
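The following is an added example, not part of the original discussion and not T-Pot's or Suricata's own code. It shows one check worth running before comparing the two numbers above: Suricata writes one EVE JSON alert record for every packet that matches a rule (unless the rule is rate-limited with threshold or similar), so a single TCP connection to port 445 can produce several alerts with the same signature ID, while dionaea counts the connections it accepted. The script reads EVE JSON records and reports, per signature ID, the raw alert count next to the number of distinct flows and source IPs behind those alerts, and separately the number of distinct flows to the port. The field names (event_type, flow_id, src_ip, dest_port, alert.signature_id) follow Suricata's EVE output; all record values below are constructed sample data, and the helper names are my own.

```python
import json
from collections import defaultdict

SIG_ID = 2024766
SIG_MSG = "ET EXPLOIT [PTsecurity] DoublePulsar Backdoor installation communication"


def _eve(event_type, flow_id, src_ip, src_port, ts, sid=None):
    """Build one EVE JSON record (constructed sample data, not captured traffic).
    Field names follow Suricata's EVE output; the values are made up."""
    rec = {
        "timestamp": ts,
        "flow_id": flow_id,
        "event_type": event_type,
        "src_ip": src_ip,
        "src_port": src_port,
        "dest_ip": "10.0.0.5",
        "dest_port": 445,
        "proto": "TCP",
    }
    if event_type == "alert":
        rec["alert"] = {
            "signature_id": sid,
            "rev": 4,
            "signature": SIG_MSG,
            "category": "A Network Trojan was detected",
            "severity": 1,
        }
    return json.dumps(rec)


# Constructed sample: flow 1001 matches the rule on three packets, flows 1002 and
# 1004 once each, and flow 1003 connects to 445 without matching the rule at all.
SAMPLE_EVE = "\n".join([
    _eve("alert", 1001, "198.51.100.10", 40001, "2023-01-01T00:00:01.000000+0000", SIG_ID),
    _eve("alert", 1001, "198.51.100.10", 40001, "2023-01-01T00:00:01.100000+0000", SIG_ID),
    _eve("alert", 1001, "198.51.100.10", 40001, "2023-01-01T00:00:01.200000+0000", SIG_ID),
    _eve("alert", 1002, "203.0.113.7", 51515, "2023-01-01T00:00:02.000000+0000", SIG_ID),
    _eve("flow", 1003, "192.0.2.9", 33333, "2023-01-01T00:00:03.000000+0000"),
    _eve("alert", 1004, "198.51.100.10", 40002, "2023-01-01T00:00:04.000000+0000", SIG_ID),
])


def parse_eve(text):
    """Parse newline-delimited EVE JSON, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def alert_stats(records, dest_port=445):
    """Per signature ID: raw alert count, distinct flows and distinct source IPs.
    One alert record is written per matching packet, so 'alerts' can exceed
    'flows' for the same rule; 'flows' is the number comparable to a
    connection count."""
    stats = defaultdict(lambda: {"alerts": 0, "flows": set(), "sources": set()})
    for rec in records:
        if rec.get("event_type") != "alert" or rec.get("dest_port") != dest_port:
            continue
        sid = rec["alert"]["signature_id"]
        s = stats[sid]
        s["alerts"] += 1
        s["flows"].add(rec["flow_id"])
        s["sources"].add(rec["src_ip"])
    return {
        sid: {"alerts": s["alerts"], "flows": len(s["flows"]), "sources": len(s["sources"])}
        for sid, s in stats.items()
    }


def flows_to_port(records, dest_port=445):
    """Distinct flows (TCP connections) seen to dest_port, whether or not any
    rule fired on them. This is the unit a connection-logging honeypot such as
    dionaea reports."""
    return len({rec["flow_id"] for rec in records
                if rec.get("dest_port") == dest_port and "flow_id" in rec})


if __name__ == "__main__":
    recs = parse_eve(SAMPLE_EVE)
    for sid, s in alert_stats(recs).items():
        print(f"sid {sid}: {s['alerts']} alerts across {s['flows']} flows "
              f"from {s['sources']} source IPs")
    print(f"distinct flows to 445: {flows_to_port(recs)}")
```

To run it against a real sensor, replace SAMPLE_EVE with the contents of Suricata's eve.json (the path depends on the T-Pot version, so it is not assumed here). On the constructed sample the rule shows 5 alerts but only 3 flows, and 4 flows reached the port in total; the rule's own body, not quoted in full in the post, can also narrow matches below "all traffic to 445", which is why the alert and connection totals are not expected to agree.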