Message 1 of 4

Correlation Rule: Internal Port Scan from One Unique Source IP to One Unique Destination IP

I want to create a rule to detect an internal port scan where ONE source IP has communicated with ONE unique destination IP over 10 unique ports (excluding some common ports) over a period of 5 minutes. I've got most of the rule built out and working fine; however, I'm having issues defining the 'One Unique Destination IP'. My filter is basically:

Context (In) [Internal to internal]
Source IP (Not In) [List of internal scanners and other devices we don't want to alert on]
Destination Port (Not In) [Common ports we don't want to alert on]
ADVANCED OPTIONS: Distinct Values: [Number_of_Destination_Ports] = Threshold 10 | Monitored Fields: [Destination Port]

AND

Destination IP (Not In) [0.0.0.0]
ADVANCED OPTIONS: Distinct Values: [Number_of_Destinations] = Threshold 1 | Monitored Fields: [Destination IP]

The problem that I'm having here is in the [Number_of_Destinations] = Threshold 1... it's basically saying at least 1 destination IP, when in fact I need it to be one unique destination IP.



Any help would be greatly appreciated!


Thanks

 

3 Replies

Re: Correlation Rule: Internal Port Scan from One Unique Source IP to One Unique Destination IP

You can try the nested/referred rule feature with sequencing. So, you would need two separate rules. First, create a rule that detects unique ports. Then create a rule with an AND gate that refers to the previously created rule as sequence 1, and create a new condition that looks for unique IPs as sequence 2. Here is an example of something similar...

[Image: CorrRule.png]

Regards,

Syed Rizvi

Message 3 of 4

Re: Correlation Rule: Internal Port Scan from One Unique Source IP to One Unique Destination IP

I still can't figure out how to look for a unique IP address.


Re: Correlation Rule: Internal Port Scan from One Unique Source IP to One Unique Destination IP

Group the rule by Source IP & Destination IP?
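Added example, not McAfee ESM rule syntax and not code from anyone in the thread: a small model of the rule the original post describes, built the way the last reply suggests, i.e. grouped by the (Source IP, Destination IP) pair. Once the distinct-port count is kept per pair, "one unique destination IP" is true by construction and the separate Number_of_Destinations = Threshold 1 condition (which only means "at least one") is no longer needed. The internal ranges, the exempt scanner address, the common-port list, the threshold and the window below are assumptions chosen for the example, and the flow records are constructed, not real traffic.

```python
"""Per-(src, dst) distinct destination port counter over a sliding 5-minute window.

Models the thread's rule: Context internal-to-internal, exempt source list,
excluded common ports, >= 10 distinct ports from ONE source to ONE destination
within 5 minutes. Example code with assumed values; not McAfee ESM syntax.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed policy values mirroring the poster's filter (all assumptions for this example).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
EXEMPT_SOURCES = {ip_address("10.0.0.5")}            # authorised internal scanners and the like
COMMON_PORTS = {53, 80, 88, 135, 139, 389, 443, 445}  # noisy ports excluded from the count
THRESHOLD = 10                                        # distinct destination ports per pair
WINDOW = timedelta(minutes=5)


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


class PairPortScanDetector:
    """Keeps a sliding window of (timestamp, port) per (src, dst) pair."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold, self.window = threshold, window
        self._events = defaultdict(deque)  # (src, dst) -> deque of (ts, dport), oldest first

    def feed(self, ts, src, dst, dport):
        """Consume one flow; return an alert dict when the pair crosses the threshold, else None."""
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if not (is_internal(src_ip) and is_internal(dst_ip)):   # Context (In) [Internal to internal]
            return None
        if src_ip in EXEMPT_SOURCES or dport in COMMON_PORTS:   # Source IP / Destination Port (Not In)
            return None
        q = self._events[(src_ip, dst_ip)]                      # grouping by Source IP & Destination IP
        q.append((ts, dport))
        while q and ts - q[0][0] > self.window:                 # drop probes older than the window
            q.popleft()
        ports = sorted({p for _, p in q})                       # Distinct Values on Destination Port
        if len(ports) < self.threshold:
            return None
        alert = {"source": str(src_ip), "destination": str(dst_ip), "ports": ports,
                 "first_seen": q[0][0], "last_seen": ts}
        q.clear()  # reset the pair so one scan yields one alert rather than one per extra port
        return alert


def run_detector(flows, threshold=THRESHOLD, window=WINDOW):
    """Feed (ts, src, dst, dport) records in time order; return the list of alerts raised."""
    det = PairPortScanDetector(threshold, window)
    return [a for a in (det.feed(*f) for f in sorted(flows, key=lambda f: f[0])) if a]


def constructed_flows():
    """Constructed sample flows (not real traffic) exercising each branch of the rule."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    flows = []
    # Real scan: one host probes one target; 11 distinct non-common ports within 14 seconds
    # (80 and 443 are on the excluded list, 22 is repeated and must count once).
    for i, p in enumerate([21, 22, 80, 23, 22, 25, 110, 143, 443, 3389, 5900, 8080, 1433, 3306]):
        flows.append((t0 + timedelta(seconds=i), "10.1.1.7", "10.1.2.20", p))
    # Same pattern from an exempt source (authorised scanner): must not alert.
    for i, p in enumerate(range(1000, 1020)):
        flows.append((t0 + timedelta(seconds=i), "10.0.0.5", "10.1.2.30", p))
    # Host sweep: one port against 20 targets. Many destinations, so not this rule's pattern.
    for i in range(20):
        flows.append((t0 + timedelta(seconds=i), "10.1.1.9", f"10.1.2.{50 + i}", 22))
    # Slow probe: 6 ports now and 6 more seven minutes later; never 10 inside one 5-minute window.
    for i, p in enumerate(range(2001, 2007)):
        flows.append((t0 + timedelta(seconds=i), "10.1.1.11", "10.1.2.40", p))
        flows.append((t0 + timedelta(minutes=7, seconds=i), "10.1.1.11", "10.1.2.40", p + 10))
    # Outbound to the internet: outside the internal-to-internal context.
    for p in range(3000, 3015):
        flows.append((t0, "10.1.1.7", "8.8.8.8", p))
    return flows


if __name__ == "__main__":
    for alert in run_detector(constructed_flows()):
        print(f"port scan: {alert['source']} -> {alert['destination']} on {len(alert['ports'])} ports "
              f"{alert['ports']} between {alert['first_seen']:%H:%M:%S} and {alert['last_seen']:%H:%M:%S}")
```

Run as-is it raises exactly one alert, for 10.1.1.7 against 10.1.2.20, and stays silent for the exempt scanner, the one-port host sweep, the slow probe that never puts 10 ports inside one window, and the outbound traffic. Two points worth carrying back to the product: the window here slides per pair and is reset when an alert fires, whereas a correlation engine may use a fixed window and its own re-arm behaviour, so the same flows can produce a different alert count there; and lowering the threshold to 6 makes the slow probe fire on each of its two batches, which is the trade-off to expect when tuning the distinct-port count down.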
