From dictionary attacks to compromised host
- Last Updated: May 1, 2026
This example demonstrates how an attack can spread through your network. You'll learn how to track a host that becomes compromised and then turns into the source of subsequent attacks.
Start by selecting the SSHDICT (SSH dictionary attacks) detection method.
Apply the source IP as a filter to the graph, similar to the first example. The graph clearly shows that this IP address has performed a substantial amount of scanning.
To determine which hosts have been affected, expand the filter by clicking the arrow in the corner, then click Show events.
The system displays a list of events with the applied filter (SSHDICT and your selected source IP address). Click an IP address in the Targets column to check whether these targets have initiated suspicious activity themselves. Such behavior could indicate successful dictionary attacks and compromised target hosts.
If you see no events, it's because the SSHDICT filter is still applied. Remove it by clicking the red cross.
With 34 pages of events now visible, direct analysis becomes impractical. Use the high-level graph view for more efficient analysis.
Return to the Dashboard by expanding the filter and clicking Show dashboard.
The Dashboard presents all events in an interactive visual format. Notice the suspicious events and numerous direct internet communication (DIRINET) entries.
Uncheck DIRINET to focus on other events. The green DICTATTACK event in the morning appears particularly suspicious. You can uncheck other detection methods to focus on this one.
Apply the source IP address as a filter to the Events table to examine specific activities from this host.
After you apply the DICTATTACK filter and the source IP address, the Events table shows a single attack event with all its details. The host that was previously the target of an attack has itself become the source of malicious activity.
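The manual pivot in the steps above (take the targets of an SSHDICT event, then look for later attack events that those targets originate) can also be run over a list of event records. The following is an added example, not Flowmon code and not a Flowmon export format; the tuple layout, IP addresses and timestamps are constructed for illustration.

```python
from datetime import datetime

# Constructed sample events: (timestamp, detection method, source IP, target IPs).
# This tuple layout is an assumption for illustration, not a Flowmon export format.
EVENTS = [
    ("2026-04-30T20:00:00", "DICTATTACK", "10.0.0.5", ["10.0.0.40"]),
    ("2026-04-30T22:10:00", "SSHDICT", "198.51.100.7",
     ["10.0.0.5", "10.0.0.9", "10.0.0.12"]),
    ("2026-05-01T01:30:00", "DIRINET", "10.0.0.9", ["203.0.113.20"]),
    ("2026-05-01T06:45:00", "DICTATTACK", "10.0.0.9", ["10.0.0.30", "10.0.0.31"]),
    ("2026-05-01T07:00:00", "DIRINET", "10.0.0.12", ["203.0.113.21"]),
]


def find_pivots(events, initial="SSHDICT", follow=("SSHDICT", "DICTATTACK")):
    """Find hosts targeted by an `initial` event that later become the
    source of a `follow` event (the walkthrough's target-to-source pivot)."""
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e[0]))
    first_hit = {}  # target IP -> (time first targeted, attacker IP)
    pivots = []
    for ts, method, source, targets in ordered:
        when = datetime.fromisoformat(ts)
        # Only activity strictly after the host was targeted counts; noisy
        # methods such as DIRINET are left out, as in the dashboard step.
        if method in follow and source in first_hit and when > first_hit[source][0]:
            hit_time, attacker = first_hit[source]
            pivots.append({
                "host": source,
                "attacked_by": attacker,
                "attacked_at": hit_time.isoformat(),
                "became_source_at": ts,
                "method": method,
                "new_targets": list(targets),
            })
        if method == initial:
            for target in targets:
                first_hit.setdefault(target, (when, source))
    return pivots


if __name__ == "__main__":
    for p in find_pivots(EVENTS):
        print(f"{p['host']}: hit by {p['attacked_by']} at {p['attacked_at']}, "
              f"source of {p['method']} at {p['became_source_at']} "
              f"against {', '.join(p['new_targets'])}")
```

In the constructed data, 10.0.0.5 is not reported because its DICTATTACK event predates the SSHDICT event that targeted it, so it cannot be a consequence of that attack.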