INCIDENT:PORT-SCAN
Port scan incident
In this section we configure the parameters of the Port Scan Incident.
The detection is enabled by default, and an incident is raised when more than 6 correlated alerts are triggered, regardless of their creation time.
For example, the following command configures the Port Scan Incident by setting the minimum number of alerts required for the incident to be raised and the maximum time interval, in milliseconds, within which they need to occur:
conf.user configure alerts incidents portscan {"min_alerts": 25, "max_time_interval": 1500}
Configure the port scan incident
Product | Guardian
Syntax | conf.user configure alerts incidents portscan <json_obj>
Description | Configure the port scan incident by providing the configuration in a JSON object.
Parameters | json_obj: JSON object containing the keys 'min_alerts' and 'max_time_interval', which are respectively the minimum number of alerts that trigger the detection and the maximum time interval (in milliseconds) in which they need to occur.
Where | CLI
To apply | In a shell console execute: service n2osalert stop
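The following is an added example, not Guardian's own correlation engine, that models the effect of the two documented keys so the trade-off can be reasoned about before changing them. It assumes that the alerts have already been correlated into one candidate incident, that 'max_time_interval' is a sliding window over alert creation times, that 'min_alerts' is an inclusive threshold, and that an absent window (modelled here as None) reproduces the default behaviour in which creation time is ignored and more than 6 alerts are needed. The alert timestamps are constructed sample input.

```python
"""
Illustrative model of the Port Scan Incident thresholds.

Added example code, not Nozomi Guardian's own implementation. Only the two
documented parameters are modelled:
  * min_alerts         - minimum number of correlated alerts (assumed inclusive)
  * max_time_interval  - window in milliseconds (assumed to be a sliding window
                         over alert creation times; None = no time bound, which
                         models the documented default of "more than 6 alerts,
                         regardless of creation time")
"""
import json
from bisect import bisect_right
from typing import Iterable, Optional

# Modelled default: "more than 6" alerts with no time bound (assumption: >= 7).
DEFAULT_CONFIG = {"min_alerts": 7, "max_time_interval": None}


def parse_portscan_config(json_obj: str) -> dict:
    """Parse and validate the <json_obj> argument of the documented CLI command.

    Keys that are omitted fall back to the modelled defaults above.
    """
    cfg = json.loads(json_obj)
    if not isinstance(cfg, dict):
        raise ValueError("configuration must be a JSON object")

    min_alerts = cfg.get("min_alerts", DEFAULT_CONFIG["min_alerts"])
    max_interval: Optional[int] = cfg.get("max_time_interval", DEFAULT_CONFIG["max_time_interval"])

    # bool is a subclass of int in Python; reject it explicitly.
    if isinstance(min_alerts, bool) or not isinstance(min_alerts, int) or min_alerts < 1:
        raise ValueError("min_alerts must be a positive integer")
    if max_interval is not None and (
        isinstance(max_interval, bool) or not isinstance(max_interval, int) or max_interval < 0
    ):
        raise ValueError("max_time_interval must be a non-negative number of milliseconds")

    return {"min_alerts": min_alerts, "max_time_interval": max_interval}


def raises_incident(alert_times_ms: Iterable[int], cfg: dict) -> bool:
    """Return True if some window of max_time_interval ms contains >= min_alerts alerts.

    With max_time_interval None, only the total alert count matters.
    """
    times = sorted(alert_times_ms)
    needed = cfg["min_alerts"]
    window = cfg["max_time_interval"]

    if window is None:
        return len(times) >= needed

    # Sliding window: anchor the window at each alert and count the alerts
    # whose creation time falls in [t, t + window].
    for i, t in enumerate(times):
        j = bisect_right(times, t + window)
        if j - i >= needed:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample input: alert creation times in milliseconds.
    fast_burst = list(range(0, 1250, 50))    # 25 alerts spread over 1200 ms
    slow_scan = list(range(0, 2500, 100))    # 25 alerts spread over 2400 ms
    tuned = parse_portscan_config('{"min_alerts": 25, "max_time_interval": 1500}')

    print("fast burst, tuned config :", raises_incident(fast_burst, tuned))      # True
    print("slow scan, tuned config  :", raises_incident(slow_scan, tuned))       # False
    print("slow scan, default config:", raises_incident(slow_scan, DEFAULT_CONFIG))  # True
```

Running the script shows the point a defender cares about when raising these values: a tight 'max_time_interval' suppresses incidents from slow, spread-out alert sequences that the default (no time bound) would still correlate, so tuning reduces noise at the cost of visibility into low-and-slow activity.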