You can detect an intrusion and locate the attack source precisely with Sax2 by following these steps:
1. Run Sax2 and start detection.
2. Use the Dashboard to check whether there is an attack in your network.
a) If every event’s risk level in Analysis Event Overview is 0, there is no attack in your network. Otherwise, there is.
b) If every number in the Event Curve is 0, there is no attack in your network. Otherwise, there is.
The following picture shows that there is currently an attack in the network.
3. Choose the Events view.
4. Choose an event in the “Item” sub-view; Sax2 will display the corresponding source IP address in the sub-tab below.
The following picture shows the chosen event, named “ICMP_Ping Unusual length”, and the source IP of the attack, 192.168.1.100.