On 4 October 2024 at 18:39:20 UTC, Johnnie W Adams via Exim-users <exim-users@???> wrote:
>The SIEM doesn't get that deep into the connection--it just gives
>source, destination, and port.
Thus IMO you have to do it yourself, e.g. by logging traffic in the firewall or capturing
traffic to/from these ports. Capturing traffic can be easier and is no
problem in your case (low-traffic server); tcpdump can be your friend. Then
you can compare...
I have no experience with SIEM, but anyway, I would try to ask them for more
details. They are responsible for what they report and should
provide evidence about incidents. No reason to hesitate ;-)
BTW, I asked for more details about similar reports from Shadowserver
some (long) time ago, and through that request they found a bug in their code --
mistakes happen...
regards
--
Slavko
https://www.slavino.sk/
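To do the comparison the reply suggests, here is an added example (not from the list post or from Exim) that parses `tcpdump -nn` text lines and checks each SIEM record (source, destination, port) against the captured flows in both directions; the capture lines and SIEM records are constructed, and the SIEM field names are an assumption.

```python
import re
from typing import Dict, List

# Matches the start of a `tcpdump -nn` text line for IPv4 TCP/UDP packets:
# "<time> IP <src>.<sport> > <dst>.<dport>: ...". Other lines are skipped.
PKT_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Constructed sample capture (what `tcpdump -nn` prints on a mail server).
CAPTURE = """\
18:39:20.101 IP 203.0.113.5.54321 > 192.0.2.10.25: Flags [S], seq 1, win 64240, length 0
18:39:20.102 IP 192.0.2.10.25 > 203.0.113.5.54321: Flags [S.], seq 2, ack 2, win 65160, length 0
18:39:21.300 IP 198.51.100.7.40000 > 192.0.2.10.587: Flags [S], seq 9, win 64240, length 0
18:39:22.000 IP 192.0.2.10.44444 > 198.51.100.9.53: UDP, length 40
"""

# Constructed SIEM records; the SIEM only reports source, destination and port.
SIEM_EVENTS = [
    {"src": "203.0.113.5", "dst": "192.0.2.10", "port": 25},    # seen in capture
    {"src": "198.51.100.7", "dst": "192.0.2.10", "port": 587},  # seen once
    {"src": "192.0.2.99", "dst": "192.0.2.10", "port": 25},     # never captured
]


def parse_capture(text: str) -> List[Dict]:
    """Extract time, addresses and ports from every parseable tcpdump line."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            pkts.append(d)
    return pkts


def corroborate(events: List[Dict], pkts: List[Dict]) -> List[Dict]:
    """Count packets per SIEM event, matching client->server:port or its replies."""
    out = []
    for ev in events:
        key = (ev["src"], ev["dst"], ev["port"])
        hits = [p for p in pkts
                if (p["src"], p["dst"], p["dport"]) == key
                or (p["dst"], p["src"], p["sport"]) == key]
        out.append({**ev, "packets": len(hits),
                    "first_seen": hits[0]["ts"] if hits else None})
    return out


if __name__ == "__main__":
    for r in corroborate(SIEM_EVENTS, parse_capture(CAPTURE)):
        status = "confirmed" if r["packets"] else "NOT seen in capture"
        print(f"{r['src']} -> {r['dst']}:{r['port']}: {status} ({r['packets']} pkts)")
```

An event with zero matching packets is the one to send back to the SIEM team with the capture as evidence.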