I have a CRE that is described as follows:
Local UDP Scanner Detected
Detected a source IP address attempting reconnaissance or suspicious connections on common UDP ports to more than 60 hosts in 10 minutes.
When I open the event, there is only one destination IP and only one destination port.
What's wrong? Or what is it that I am not seeing here?

Posted by Leszek Adamiak
UDP Reconnaissance - Event CRE to one IP and one port
Updated on 2012-11-27T18:08:54Z by SystemAdmin
Re: Are you looking at an offense (2012-11-27T18:08:54Z)

This is the accepted answer.

Are you looking at an offense generated by this rule or an event? If you are looking at the offense, are you looking at both flows and events that are associated with the offense?
Posted By scott.vanwart