Sentinel fwlogs info


I’ve enabled Sentinel with minipots. It shows, on my repo, a lot of incidents, and the graph only displays whether it’s an smtp or fwlogs case:

Is there a way to know more about what type of incident those fwlogs cases mean?

Fwlogs is basically a port scanning attempt.

Yeah, but I would like to know more details, like the switch port or what payload it’s using…

The Sentinel View database is as simple as possible for performance reasons. We save there only fully recognized port scans. There is also an analytic database that we use for generating security reports. This database contains information about specific Internet ports but is much larger and slower. Thus we use it only for batch (non-interactive) queries; it isn’t suitable for interactive work. Information about switch ports isn’t available at all - and cannot be available, because only potential attacks via WAN are detected.
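To make concrete what "a fully recognized port scan" in firewall logs looks like, here is an added illustration that is not part of this thread and is not Sentinel's own code or algorithm. It runs a simple heuristic over constructed iptables-style WAN log lines: a single source address that touches at least `min_ports` distinct destination ports within a `window` is flagged as a scan, while repeated hits on one port or slow, widely spaced probes are not. The log format, the threshold (5 ports) and the window (60 seconds) are all assumptions chosen for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the common iptables/nftables log style.
# Addresses are from documentation ranges; this is not real Sentinel data.
SAMPLE_LOG = """\
Jan 10 12:00:01 router kernel: [fw-wan] IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=41000 DPT=22 SYN
Jan 10 12:00:02 router kernel: [fw-wan] IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=41001 DPT=23 SYN
Jan 10 12:00:03 router kernel: [fw-wan] IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=41002 DPT=80 SYN
Jan 10 12:00:04 router kernel: [fw-wan] IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=41003 DPT=443 SYN
Jan 10 12:00:05 router kernel: [fw-wan] IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=41004 DPT=445 SYN
Jan 10 12:00:06 router kernel: [fw-wan] IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=UDP SPT=41005 DPT=3389
Jan 10 12:00:10 router kernel: [fw-wan] IN=eth1 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=50000 DPT=443 SYN
Jan 10 12:00:11 router kernel: [fw-wan] IN=eth1 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=50001 DPT=443 SYN
Jan 10 12:00:12 router kernel: [fw-wan] IN=eth1 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=50002 DPT=443 SYN
Jan 10 12:00:20 router kernel: [fw-wan] IN=eth1 OUT= SRC=192.0.2.99 DST=203.0.113.5 PROTO=ICMP TYPE=8 CODE=0
Jan 10 12:05:00 router kernel: [fw-wan] IN=eth1 OUT= SRC=203.0.113.200 DST=203.0.113.5 PROTO=TCP SPT=6000 DPT=21 SYN
Jan 10 12:07:00 router kernel: [fw-wan] IN=eth1 OUT= SRC=203.0.113.200 DST=203.0.113.5 PROTO=TCP SPT=6001 DPT=22 SYN
Jan 10 12:09:00 router kernel: [fw-wan] IN=eth1 OUT= SRC=203.0.113.200 DST=203.0.113.5 PROTO=TCP SPT=6002 DPT=25 SYN
Jan 10 12:11:00 router kernel: [fw-wan] IN=eth1 OUT= SRC=203.0.113.200 DST=203.0.113.5 PROTO=TCP SPT=6003 DPT=80 SYN
Jan 10 12:13:00 router kernel: [fw-wan] IN=eth1 OUT= SRC=203.0.113.200 DST=203.0.113.5 PROTO=TCP SPT=6004 DPT=110 SYN
"""

# Fields we need: syslog timestamp, source address, protocol, destination port.
# Lines without a DPT (e.g. ICMP) do not match and are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict with ts/src/proto/dpt for a port-bearing log line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # Syslog timestamps carry no year; a fixed default year is fine for relative windows.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {"ts": ts, "src": m.group("src"), "proto": m.group("proto"), "dpt": int(m.group("dpt"))}


def detect_port_scans(lines, min_ports=5, window=timedelta(seconds=60)):
    """Flag sources that hit >= min_ports distinct destination ports inside one window.

    Returns {source_ip: sorted list of ports seen while the source was over threshold}.
    Threshold and window are illustrative assumptions, not Sentinel's real parameters.
    """
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["src"]].append(ev)

    scans = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = Counter()  # port -> number of hits inside the sliding window
        start = 0
        for ev in evs:
            in_window[ev["dpt"]] += 1
            # Slide the window forward: drop events older than `window` before this one.
            while ev["ts"] - evs[start]["ts"] > window:
                old = evs[start]["dpt"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_ports:
                scans.setdefault(src, set()).update(in_window)
    return {src: sorted(ports) for src, ports in scans.items()}


if __name__ == "__main__":
    for src, ports in detect_port_scans(SAMPLE_LOG.splitlines()).items():
        print(f"port scan from {src}: ports {ports}")
```

Run as a script it reports only `198.51.100.7`: the three hits on port 443 from `192.0.2.44` are one service being retried, and the five probes from `203.0.113.200` are two minutes apart, so no 60-second window ever holds more than one port. That second case is also why a slow scan is hard to "fully recognize" from a compact view: catching it needs a longer history, which is the kind of data the poster above says lives in the slower analytic database rather than the interactive one.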