r_gine

Correlation Rule: Internal Port Scan from One Unique Source IP to One Unique Destination IP

I want to create a rule to detect an internal port scan where ONE source IP has communicated with ONE unique destination IP over 10 unique ports (excluding some common ports) over a period of 5 minutes. I've got most of the rule built out and working fine; however, I'm having issues defining the 'One Unique Destination IP'. My filter is basically:

Context (In) [Internal to internal]
Source IP (Not In) [List of Internal Scanners and other devices we don't want to alert on]
Destination Port (Not In) [Common Ports we don't want to alert on]
ADVANCED OPTIONS: Distinct Values: [Number_of_Destination_Ports] = Threshold 10 | Monitored Fields: [Destination Port]

AND

Destination IP (Not In) [0.0.0.0]
ADVANCED OPTIONS: Distinct Values: [Number_of_Destinations] = Threshold 1 | Monitored Fields: [Destination IP]

The problem that I'm having here is in the [Number_of_Destinations] = Threshold 1... it's basically saying "at least 1 destination IP" when in fact I need it to be one unique destination IP.



Any help would be greatly appreciated!


Thanks

 

3 Replies

Re: Correlation Rule: Internal Port Scan from One Unique Source IP to One Unique Destination IP

You can try the nested/refer rule feature with sequencing. You would need two separate rules. First, create a rule that detects unique ports. Then create a rule with an AND gate that refers to the previously created rule as sequence 1, and add a new condition that looks for unique IPs as sequence 2. Here is an example of something similar...

CorrRule.png

Regards,

Syed Rizvi

r_gine

Re: Correlation Rule: Internal Port Scan from One Unique Source IP to One Unique Destination IP

I still can't figure out how to look for a unique IP address.

Re: Correlation Rule: Internal Port Scan from One Unique Source IP to One Unique Destination IP

Group the rule by Source IP & Destination IP?
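To make the "group by Source IP & Destination IP" suggestion concrete, here is the same detection logic from the original post written out in Python. This is an added example, not code from the thread or from any SIEM vendor: it groups events by the (source, destination) pair so that "one unique destination IP" is implied by the grouping key rather than expressed as a distinct-value threshold, then counts distinct destination ports in a sliding 5-minute window. The log format (`<timestamp> src=... dst=... dport=...`), the internal ranges, and the excluded-source and excluded-port lists are all constructed stand-ins for the OP's lists; the sample log lines are constructed too, and include a host sweep, a slow scan, an authorised scanner and an external source so the exclusions are exercised.

```python
"""Internal port-scan detection: one source, one destination, many ports in a window."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

WINDOW = timedelta(minutes=5)
PORT_THRESHOLD = 10
# Hypothetical allow-lists standing in for the OP's lists (not real values)
EXCLUDED_SOURCES = {"10.0.0.5"}              # e.g. an authorised internal scanner
EXCLUDED_PORTS = {53, 80, 443, 445, 3389}    # "common ports" not worth alerting on
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed log format, e.g. "2024-05-01T10:00:15 src=10.0.0.7 dst=10.0.0.20 dport=22"
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)$")


def is_internal(ip: str) -> bool:
    """The OP's 'Internal to internal' context: both ends must be in INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, src, dst, port = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_port_scans(lines, window=WINDOW, threshold=PORT_THRESHOLD):
    """Return one alert per (src, dst) pair that touched >= threshold distinct
    non-excluded ports within `window`. Grouping by the pair is what makes the
    destination 'one unique IP': a sweep of one port across many hosts never
    accumulates ports under a single key."""
    per_pair = defaultdict(list)
    for line in lines:
        ts, src, dst, port = parse_line(line)
        if not (is_internal(src) and is_internal(dst)):
            continue                      # outside the internal-to-internal context
        if src in EXCLUDED_SOURCES or port in EXCLUDED_PORTS:
            continue                      # allow-listed scanner or common port
        per_pair[(src, dst)].append((ts, port))

    alerts = []
    for (src, dst), events in per_pair.items():
        events.sort()                     # by timestamp, then port
        for i, (start, _) in enumerate(events):
            # Distinct ports seen from this event until the window closes
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= threshold:
                alerts.append({"src": src, "dst": dst,
                               "first_seen": start, "ports": sorted(ports)})
                break                     # one alert per pair is enough
    return alerts


def build_sample_logs():
    """Constructed sample traffic covering the true positive and each exclusion."""
    base = datetime(2024, 5, 1, 10, 0, 0)

    def burst(src, dst, ports, step_minutes):
        return [f"{(base + i * timedelta(minutes=step_minutes)).isoformat()} "
                f"src={src} dst={dst} dport={p}" for i, p in enumerate(ports)]

    return (
        # 10.0.0.7 walks 13 ports on one host in ~3 min; 80 and 443 are excluded -> 11
        burst("10.0.0.7", "10.0.0.20",
              [21, 22, 23, 25, 80, 110, 135, 139, 443, 1433, 3306, 5900, 8080], 0.25)
        # host sweep: one port across 15 hosts, never 10 ports on one destination
        + [f"{base.isoformat()} src=10.0.0.8 dst=10.0.0.{h} dport=22" for h in range(30, 45)]
        # slow scan: 10 ports spread over 18 min, at most 3 fall in any 5-min window
        + burst("10.0.0.9", "10.0.0.21", [21, 22, 23, 25, 110, 135, 139, 1433, 3306, 5900], 2)
        # authorised scanner on the source allow-list
        + burst("10.0.0.5", "10.0.0.22", list(range(1000, 1020)), 0.1)
        # external source: outside the internal-to-internal context
        + burst("203.0.113.9", "10.0.0.23", list(range(1000, 1020)), 0.1)
    )


SAMPLE_LOGS = build_sample_logs()

if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOGS):
        print(f"PORT SCAN {alert['src']} -> {alert['dst']} from {alert['first_seen']}: "
              f"{len(alert['ports'])} ports {alert['ports']}")
```

Note that the sweep case is the one the OP's second condition was trying to rule out: with `Threshold 1` on distinct destinations, a source touching 15 hosts on a single port still satisfies "at least one destination", whereas keying on the (source, destination) pair counts ports per destination and so only the single-host scan crosses the 10-port threshold.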