3 Replies Latest reply on Jul 14, 2016 1:11 AM by minsktractorworks

    Correlation Rule: Internal Port Scan from One Unique Source IP to One Unique Destination IP

    r_gine

I want to create a rule to detect an internal port scan where ONE source IP has communicated with ONE unique destination IP over 10 unique ports (excluding some common ports) over a period of 5 minutes. I've got most of the rule built out and working fine; however, I'm having issues defining the 'One Unique Destination IP'. My filter is basically: Context (In) [Internal to internal], Source IP (Not In) [List of Internal Scanners and other devices we don't want to alert on], Destination Port (Not In) [Common Ports we don't want to alert on] ADVANCED OPTIONS: Distinct Values: [Number_of_Destination_Ports] = Threshold 10 | Monitored Fields: [Destination Port]


      AND


      Destination IP (Not in) [0.0.0.0] ADVANCED OPTIONS: Distinct Values: [Number_of_Destinations] = Threshold 1 | Monitored fields: Destination IP


The problem that I'm having here is in the [Number_of_Destinations] = Threshold 1... it's basically saying at least 1 destination IP, when in fact I need it to be one unique destination IP.



      Any help would be greatly appreciated!


      Thanks
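As an added illustration (not code from the post or from the SIEM product), the following Python models the two readings of the rule over constructed flow records: counting distinct ports per source (the "at least 1 destination" behaviour the poster is getting) versus counting per (source, destination) pair (the "one unique destination" behaviour they want). The sample flows, the exclusion lists and the 5-minute sliding window are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flows (timestamp, source IP, destination IP, destination port).
# 10.0.0.9 probes ONE host on 11 ports (a scan); 10.0.0.7 talks to 11 DIFFERENT
# servers on one port each (ordinary client behaviour that should not alert).
SAMPLE_FLOWS = (
    [("2016-07-13 10:00:%02d" % i, "10.0.0.9", "10.0.1.50", 1000 + i) for i in range(11)]
    + [("2016-07-13 10:01:%02d" % i, "10.0.0.7", "10.0.1.%d" % (60 + i), 3000 + i) for i in range(11)]
)
COMMON_PORTS = {53, 80, 443, 445}   # assumed "common ports we don't want to alert on"
EXCLUDED_SOURCES = {"10.0.0.250"}   # assumed internal scanner allow-list
WINDOW = timedelta(minutes=5)
PORT_THRESHOLD = 10

def _filtered(flows):
    """Apply the post's pre-filters: drop allow-listed sources and common ports."""
    for ts, src, dst, port in flows:
        if src in EXCLUDED_SOURCES or port in COMMON_PORTS:
            continue
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, port

def _distinct_ports_in_window(events):
    """Largest number of distinct ports seen within any WINDOW-long span of events."""
    events = sorted(events)          # (timestamp, port) pairs, oldest first
    best = 0
    for i, (start, _) in enumerate(events):
        ports = {p for t, p in events[i:] if t - start <= WINDOW}
        best = max(best, len(ports))
    return best

def ports_per_source(flows):
    """Loose rule: distinct ports keyed on source IP only (any number of destinations)."""
    groups = defaultdict(list)
    for ts, src, _dst, port in _filtered(flows):
        groups[src].append((ts, port))
    return {src: _distinct_ports_in_window(ev) for src, ev in groups.items()}

def ports_per_pair(flows):
    """Strict rule: distinct ports keyed on the (source IP, destination IP) pair."""
    groups = defaultdict(list)
    for ts, src, dst, port in _filtered(flows):
        groups[(src, dst)].append((ts, port))
    return {key: _distinct_ports_in_window(ev) for key, ev in groups.items()}

def alerts(counts):
    """Keys whose distinct-port count meets the threshold."""
    return sorted(key for key, n in counts.items() if n >= PORT_THRESHOLD)
```

Keying the distinct-port count on the source/destination pair is what makes "one unique destination" implicit: the client that fans out to many servers never accumulates 10 ports against any single destination, while the scanner does.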