I want to create a rule to detect an internal port scan where ONE source IP has communicated with ONE unique destination IP over 10 unique ports (excluding some common ports) over a period of 5 minutes. I've got most of the rule built out and working fine however I'm having issues defining the 'One Unique Destination IP'. My filter is basically: Context (In) [Internal to internal], Source IP (Not In) [List of Internal Scanners and other devices we don't want to alert on], Destination Port (not in) [Common Ports we don't want to alert on] ADVANCED OPTIONS: Distinct Values: [Number_of_Destination_Ports] = Threshold 10 | Monitored Fields: [Destination Port]
Destination IP (Not in) [0.0.0.0] ADVANCED OPTIONS: Distinct Values: [Number_of_Destinations] = Threshold 1 | Monitored fields: Destination IP
The problem that I'm having here is in the [Number_of_Destinations] = Threshold 1... its basically saying at least 1 destination IP when in fact I need it to be one unique destination IP
Any help would be greatly appreciated!
You can try nested/refer rule feature with sequencing. So, you would need two separate rules. First, create a rule that detects unique ports. then create a rule with AND gate and that refers previously created rule as sequence 1 and create a new condition that looks for unique IPs as sequence 2. Here is an example of something similar...