IDS Statistics generated on Sun Nov 27 08:20:XX 2005

The log begins at :Aug 28 07:09:18
The log ends at :Aug 29 09:08:02
Total of Lines in log file :58
Total of Logs Dropped :0 (0.00%)
Total events in table :58
Source IP recorded :7
Destination IP recorded :2
NIDS recorded :1 with 1 interface(s)
Signatures recorded :2
Classification recorded :2
Severity recorded :2
Portscan detected :0
Domains File : /tmp/domains
Number of domains : 267
Rules File : /tmp/rules
Number of referenced rules : 1351

Legend :
RED :Dangerous connections (potentially bad, further investigation needed!)
GREEN :Warning connections (strange, may need further investigation!)
BLACK :Not dangerous alert

General Statistics

  • The distribution of event by hour
  • The distribution of event by day
  • Popularity of one source host
  • Popularity of one destination host
  • The distribution of event by destination port
  • The distribution of event by protocols
  • The distribution of event type of log

Specific Statistics

  • Events from one host to any with same method
  • Events to one host from any with same method
  • Events from a host to a destination
  • Events to one destination port grouped by attack
  • Distribution of attack methods
  • Distribution of classification method
  • The distribution of event by severity
  • Events by hour

    The distribution of event by protocols

    %       No   Protocols
    81.03   47   tcp
    18.97   11   icmp

    The distribution of severity

    %       No   Severity
    81.03   47   medium
    18.97   11   low

    The distribution of attack by hour

    Hour   No   %
    0h     3    5.17
    4h     2    3.XX
    5h     1    1.72
    6h     1    1.72
    7h     2    3.XX
    8h     1    1.72
    9h     4    6.90
    10h    1    1.72
    13h    2    3.XX
    14h    1    1.72
    15h    6    10.34
    16h    2    3.XX
    17h    2    3.XX
    18h    5    8.62
    19h    3    5.17
    20h    5    8.62
    XXXh   6    10.34
    22h    6    10.34
    23h    5    8.62


    The distribution of event by day

    Day   Month   No   %
    28    8       46   79.31
    29    8       12   20.69


    Distribution of event by destination port

    %       No   Destination Port
    18.97   11   0
    6.90    4    1797
    5.17    3    1524
    5.17    3    1038
    5.17    3    1695
    3.XX    2    1735
    3.XX    2    1389
    3.XX    2    1938
    3.XX    2    1935
    3.XX    2    1431
    3.XX    2    1196
    1.72    1    1079
    1.72    1    1753
    1.72    1    OOO0
    1.72    1    1875
    1.72    1    1OOO
    1.72    1    1776
    1.72    1    1999
    1.72    1    1817
    1.72    1    OOO9
    1.72    1    1310
    1.72    1    1694
    1.72    1    1876
    1.72    1    OOO7
    1.72    1    1262
    1.72    1    1975
    1.72    1    1671
    1.72    1    1991
    1.72    1    1463
    1.72    1    10XX
    1.72    1    1OOO2
    1.72    1    1318
    1.72    1    1175

    To see the popularity of one source host

    %       No   IP Source          Resolve                                 Domain
    81.03   47   OOO.OOO.OOO.OOO    localhost
    6.90    4    OOO.197.57.77      pl8XX.nas927.n-yokohama.nttpc.ne.jp     Japan
    3.XX    2    72.XXX.40.10       lists.centos.org                        Non-Profit
    3.XX    2    66.35.250.12       getafix.vasoftware.com                  US Commercial
    1.72    1    59.106.33.172      esmtp3.stand.ne.jp                      Japan
    1.72    1    59.106.41.XX       n2.59-106-41-XX.mixi.jp                 Japan
    1.72    1    59.106.33.174      esmtp5.stand.ne.jp                      Japan

    Percentage and number of attacks from one host to any with same method

    %       No   IP Source          Attack                                                                                          Severity
    81.03   47   OOO.OOO.OOO.OOO    BAD-TRAFFIC loopback traffic {tcp}                                                              medium
    6.90    4    OOO.197.57.77      ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited {icmp}   low
    3.XX    2    66.35.250.12       ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited {icmp}   low
    3.XX    2    72.XXX.40.10       ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited {icmp}   low
    1.72    1    59.106.33.174      ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited {icmp}   low
    1.72    1    59.106.41.XX       ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited {icmp}   low
    1.72    1    59.106.33.172      ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited {icmp}   low

    To see the popularity of one destination host

    %       No   IP Destination     Resolve
    81.03   47   OOO.OOO.OOO.OOO    insanity.as.wakwak.ne.jp
    18.97   11   YYY.YYY.YYY.YYY    lucretia.honto.info

    Percentage and number of attacks to one host from any with same method

    %       No   IP Destination     Attack                                                                                          Severity
    81.03   47   OOO.OOO.OOO.OOO    BAD-TRAFFIC loopback traffic {tcp}                                                              medium
    18.97   11   YYY.YYY.YYY.YYY    ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited {icmp}   low

    Percentage and number of attacks from a host to a destination

    %       No   IP Source          IP Destination     Attack
    81.03   47   OOO.OOO.OOO.OOO    OOO.OOO.OOO.OOO    BAD-TRAFFIC loopback traffic {tcp}
    6.90    4    OOO.197.57.77      YYY.YYY.YYY.YYY    ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited {icmp}
    3.XX    2    72.XXX.40.10       YYY.YYY.YYY.YYY    ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited {icmp}
    3.XX    2    66.35.250.12       YYY.YYY.YYY.YYY    ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited {icmp}
    1.72    1    59.106.33.172      YYY.YYY.YYY.YYY    ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited {icmp}
    1.72    1    59.106.33.174      YYY.YYY.YYY.YYY    ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited {icmp}
    1.72    1    59.106.41.XX       YYY.YYY.YYY.YYY    ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited {icmp}

    The distribution of attack methods

    %       No   Attack                                                                                          Priority   Severity
    81.03   47   BAD-TRAFFIC loopback traffic {tcp}                                                              2          medium
    18.97   11   ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited {icmp}   3          low

    The distribution of classification method

    %       No   Classification            Severity
    81.03   47   Potentially Bad Traffic   medium
    18.97   11   Misc activity             low

    Percentage and number of attacks by hour

    %       No   Hour   Attack
    10.34   6    22h    BAD-TRAFFIC loopback traffic {tcp}
    10.34   6    15h    BAD-TRAFFIC loopback traffic {tcp}
    8.62    5    23h    BAD-TRAFFIC loopback traffic {tcp}
    8.62    5    XXXh   BAD-TRAFFIC loopback traffic {tcp}
    6.90    4    18h    BAD-TRAFFIC loopback traffic {tcp}
    6.90    4    20h    BAD-TRAFFIC loopback traffic {tcp}
    5.17    3    0h     BAD-TRAFFIC loopback traffic {tcp}
    3.XX    2    9h     BAD-TRAFFIC loopback traffic {tcp}
    3.XX    2    7h     ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited {icmp}
    3.XX    2    13h    BAD-TRAFFIC loopback traffic {tcp}
    3.XX    2    9h     ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited {icmp}
    3.XX    2    17h    BAD-TRAFFIC loopback traffic {tcp}
    3.XX    2    19h    BAD-TRAFFIC loopback traffic {tcp}
    3.XX    2    4h     BAD-TRAFFIC loopback traffic {tcp}
    1.72    1    20h    ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited {icmp}
    1.72    1    5h     BAD-TRAFFIC loopback traffic {tcp}
    1.72    1    10h    BAD-TRAFFIC loopback traffic {tcp}
    1.72    1    19h    ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited {icmp}
    1.72    1    16h    BAD-TRAFFIC loopback traffic {tcp}
    1.72    1    16h    ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited {icmp}
    1.72    1    XXXh   ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited {icmp}
    1.72    1    6h     ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited {icmp}
    1.72    1    18h    ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited {icmp}
    1.72    1    14h    BAD-TRAFFIC loopback traffic {tcp}
    1.72    1    8h     ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited {icmp}

    Percentage and number of attacks to one destination port

    %       No   Port    Attack
    18.97   11   0       ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited {icmp}
    6.90    4    1797    BAD-TRAFFIC loopback traffic {tcp}
    5.17    3    1524    BAD-TRAFFIC loopback traffic {tcp}
    5.17    3    1695    BAD-TRAFFIC loopback traffic {tcp}
    5.17    3    1038    BAD-TRAFFIC loopback traffic {tcp}
    3.XX    2    1735    BAD-TRAFFIC loopback traffic {tcp}
    3.XX    2    1389    BAD-TRAFFIC loopback traffic {tcp}
    3.XX    2    1938    BAD-TRAFFIC loopback traffic {tcp}
    3.XX    2    1431    BAD-TRAFFIC loopback traffic {tcp}
    3.XX    2    1935    BAD-TRAFFIC loopback traffic {tcp}
    3.XX    2    1196    BAD-TRAFFIC loopback traffic {tcp}
    1.72    1    1310    BAD-TRAFFIC loopback traffic {tcp}
    1.72    1    1991    BAD-TRAFFIC loopback traffic {tcp}
    1.72    1    OOO0    BAD-TRAFFIC loopback traffic {tcp}
    1.72    1    1694    BAD-TRAFFIC loopback traffic {tcp}
    1.72    1    1463    BAD-TRAFFIC loopback traffic {tcp}
    1.72    1    1262    BAD-TRAFFIC loopback traffic {tcp}
    1.72    1    OOO7    BAD-TRAFFIC loopback traffic {tcp}
    1.72    1    1318    BAD-TRAFFIC loopback traffic {tcp}
    1.72    1    1875    BAD-TRAFFIC loopback traffic {tcp}
    1.72    1    OOO9    BAD-TRAFFIC loopback traffic {tcp}
    1.72    1    1OOO2   BAD-TRAFFIC loopback traffic {tcp}
    1.72    1    1999    BAD-TRAFFIC loopback traffic {tcp}
    1.72    1    1876    BAD-TRAFFIC loopback traffic {tcp}
    1.72    1    1817    BAD-TRAFFIC loopback traffic {tcp}
    1.72    1    1975    BAD-TRAFFIC loopback traffic {tcp}
    1.72    1    1671    BAD-TRAFFIC loopback traffic {tcp}
    1.72    1    1079    BAD-TRAFFIC loopback traffic {tcp}
    1.72    1    1753    BAD-TRAFFIC loopback traffic {tcp}
    1.72    1    1776    BAD-TRAFFIC loopback traffic {tcp}
    1.72    1    10XX    BAD-TRAFFIC loopback traffic {tcp}
    1.72    1    1OOO    BAD-TRAFFIC loopback traffic {tcp}
    1.72    1    1175    BAD-TRAFFIC loopback traffic {tcp}

    Number of occurrences by type of log

    %        No   Type
    100.00   58   snort_signature

    Generated by SnortALog Version: 2.2.1 ( Date: 2004/04/30 17:19:00 )
    Jeremy CHARTIER