r_gine
Level 9
Message 1 of 4

Correlation Rule: Internal Port Scan from One Unique Source IP to One Unique Destination IP

I want to create a rule to detect an internal port scan where ONE source IP has communicated with ONE unique destination IP over 10 unique ports (excluding some common ports) over a period of 5 minutes. I've got most of the rule built out and working fine; however, I'm having issues defining the 'One Unique Destination IP'. My filter is basically:

Context (In) [Internal to internal], Source IP (Not In) [List of Internal Scanners and other devices we don't want to alert on], Destination Port (Not In) [Common Ports we don't want to alert on]
ADVANCED OPTIONS: Distinct Values: [Number_of_Destination_Ports] = Threshold 10 | Monitored Fields: [Destination Port]

AND

Destination IP (Not In) [0.0.0.0]
ADVANCED OPTIONS: Distinct Values: [Number_of_Destinations] = Threshold 1 | Monitored Fields: [Destination IP]


The problem that I'm having here is in the [Number_of_Destinations] = Threshold 1... it's basically saying at least 1 destination IP, when in fact I need it to be one unique destination IP.



Any help would be greatly appreciated!


Thanks


3 Replies

Re: Correlation Rule: Internal Port Scan from One Unique Source IP to One Unique Destination IP

You can try the nested/refer rule feature with sequencing. So, you would need two separate rules. First, create a rule that detects unique ports. Then create a rule with an AND gate that refers to the previously created rule as sequence 1, and create a new condition that looks for unique IPs as sequence 2. Here is an example of something similar...

(Attachment: CorrRule.png)

Regards,

Syed Rizvi

r_gine
Level 9
Message 3 of 4

Re: Correlation Rule: Internal Port Scan from One Unique Source IP to One Unique Destination IP

I still can't figure out how to look for a unique IP address.


Re: Correlation Rule: Internal Port Scan from One Unique Source IP to One Unique Destination IP

Group the rule by Source IP & Destination IP?
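What the last reply suggests, written out as detection logic so the difference is visible: grouping by the (Source IP, Destination IP) pair, then counting distinct non-excluded destination ports inside a 5-minute window, is what turns "at least 1 destination" into "exactly this one destination". This is an added example with constructed sample flows; it is not the product's rule syntax, and the allow-listed scanner address, the excluded common ports and the 10.x "internal" check are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
WINDOW = timedelta(minutes=5)
PORT_THRESHOLD = 10
EXCLUDED_SOURCES = {"10.0.0.99"}   # assumed allow-list: internal scanners we don't alert on
EXCLUDED_PORTS = {53, 80, 443}     # assumed: common ports excluded from the distinct count

def is_internal(ip):               # assumed 'internal' context for the sample data
    return ip.startswith("10.")

def detect_port_scans(events, window=WINDOW, threshold=PORT_THRESHOLD):
    """events: (timestamp, src_ip, dst_ip, dst_port). Returns one (src, dst, ports) per alert.
    Grouping by the (src, dst) pair is what makes 'one source to one destination' hold:
    ports touched on other destinations never land in the same bucket."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in events:
        if not (is_internal(src) and is_internal(dst)):
            continue                                    # Context (In) internal-to-internal
        if src in EXCLUDED_SOURCES or port in EXCLUDED_PORTS:
            continue                                    # Source IP / Destination Port (Not In)
        by_pair[(src, dst)].append((datetime.strptime(ts, FMT), port))
    alerts = []
    for (src, dst), hits in by_pair.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):                    # sliding 5-minute window over the pair
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {p for _, p in hits[start:end + 1]}
            if len(distinct) >= threshold:              # Distinct Values threshold reached
                alerts.append((src, dst, len(distinct)))
                break                                   # one alert per pair
    return alerts

def _burst(src, dst, ports, gap_s, t0=datetime(2024, 1, 1, 10, 0, 0)):
    """Constructed sample flows: one event per port, gap_s seconds apart."""
    return [((t0 + timedelta(seconds=i * gap_s)).strftime(FMT), src, dst, p)
            for i, p in enumerate(ports)]

SAMPLE_EVENTS = (
    _burst("10.0.0.5", "10.0.0.20", range(8000, 8012), 10)     # 12 ports in ~2 min: alert
    + _burst("10.0.0.6", "10.0.0.21", range(8000, 8012), 120)  # same ports over 22 min: none
    + _burst("10.0.0.99", "10.0.0.22", range(8000, 8012), 10)  # allow-listed scanner: none
    + _burst("10.0.0.7", "10.0.0.23", [53, 80, 443] * 5, 10)   # only excluded ports: none
)
```

A source that spreads the same 12 ports over two destinations produces two buckets of 6 and no alert, which is the behaviour the original filter could not express with a destination threshold of 1.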
