2022-01-06 09:39 AM - edited 2022-01-06 09:44 AM
Hi everyone,
Could someone help me solve a problem with a horizontal port scan rule? I can't get it to work correctly; when I trigger the rule, garbage comes with no relevance.
I put the address because it is searching for IPs outside the network; the ideal would be only inside the network.
The rule must carry out this concept: horizontal scanning or network scanning sends requests to the same port on different hosts.
SELECT * FROM Event(
/* Statement: Condition */
(device_type.toLowerCase() NOT IN ( 'winevent_nic' ))
AND
/* Statement: IP_SRC */
(ip_src IS NOT NULL)
AND
/* Statement: IP_DST && PORT_DST_ALL */
(ip_dst IS NOT NULL AND port_dst_all IS NOT NULL)
AND
/* Statement: Direction side OR Direction Internal.
   Wrapped in parentheses so the OR does not swallow the conditions above:
   without them, any event whose direction is not 'internal' passes the
   filter regardless of device_type, ip_src, ip_dst or port_dst_all. */
(
  (isOneOfIgnoreCase(direction,{ 'side' }))
  OR
  (isNotOneOfIgnoreCase(direction,{ 'internal' }))
)
)
/* one partition per source IP */
.std:groupwin(ip_src)
/* release a batch after 1 minute or 10 events, whichever comes first */
.win:time_length_batch(1 Minutes, 10)
GROUP BY ip_src
HAVING COUNT(*) >= 10;
Can somebody help me please?
Thanks in advance
2022-01-06 06:29 PM
Hi,
For starters, consider adding port_dst_all (or whatever meta key for destination port your environment uses) to your groupwin / GROUP BY clause.
Right now, your rule (using the conditions that you have provided) will only trigger if:
As you have mentioned, you want the rule to group events that have the same source IP address AND destination port. In contrast, your current rule is grouping the events with the same source IP address only.
If the rule is still not functioning to your liking, you should also revisit your other conditions.
You might also want to study the rule syntax of the Horizontal Port Scan rule that is available at RSA Live. If you want a custom horizontal port scan rule, the rule from RSA Live is a good reference to start with.
Additional reference (for writing advanced rules in the ESA):
ESA Rule Writing Best Practices - RSA Link - 568657
Hope this helps.
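The grouping the reply recommends, as an added Python example that is not part of this thread and not NetWitness/ESA code: the events are constructed in the script, the direction value 'internal' and the 1-minute / 10-count thresholds are assumptions taken from the question's rule, and the two functions contrast grouping by (ip_src, port_dst) with the original grouping by ip_src only.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)   # mirrors win:time_length_batch(1 Minutes, ...)
THRESHOLD = 10                  # mirrors HAVING COUNT(*) >= 10

# Constructed sample events, not real traffic: (timestamp, ip_src, ip_dst, port_dst, direction)
BASE = datetime(2022, 1, 6, 9, 39)
EVENTS = (
    # 10.0.0.5 hits port 445 on 12 different hosts in 22 s: a horizontal scan
    [(BASE + timedelta(seconds=2 * i), '10.0.0.5', f'10.0.1.{i + 1}', 445, 'internal') for i in range(12)]
    # 10.0.0.7 hits 12 ports on one host: a vertical scan, not horizontal
    + [(BASE + timedelta(seconds=2 * i), '10.0.0.7', '10.0.2.9', 20 + i, 'internal') for i in range(12)]
    # 10.0.0.9 reconnects to the same host:port 12 times: ordinary traffic
    + [(BASE + timedelta(seconds=2 * i), '10.0.0.9', '10.0.1.1', 445, 'internal') for i in range(12)]
    # an outbound burst that the direction filter should drop ('internal' is an assumed value)
    + [(BASE + timedelta(seconds=i), '10.0.0.5', f'203.0.113.{i + 1}', 443, 'outbound') for i in range(12)]
)

def horizontal_scans(events, window=WINDOW, threshold=THRESHOLD):
    """Group by (ip_src, port_dst) and count DISTINCT ip_dst inside any window-long span.
    Returns {(ip_src, port_dst): distinct_hosts} for the pairs that reach the threshold."""
    by_key = defaultdict(list)
    for ts, src, dst, port, direction in events:
        if direction == 'internal':            # keep only in-network traffic
            by_key[(src, port)].append((ts, dst))
    alerts = {}
    for key, hits in by_key.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide the window from each hit
            targets = {dst for ts, dst in hits[i:] if ts - start <= window}
            if len(targets) >= threshold:
                alerts[key] = len(targets)
                break
    return alerts

def source_only_counts(events, window=WINDOW, threshold=THRESHOLD):
    """The original rule's grouping: ip_src only, plain event count per window.
    Fires on vertical scans and repeated connections too, which is the 'garbage'."""
    by_src = defaultdict(list)
    for ts, src, _, _, direction in events:
        if direction == 'internal':
            by_src[src].append(ts)
    alerts = {}
    for src, stamps in by_src.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            if sum(1 for ts in stamps[i:] if ts - start <= window) >= threshold:
                alerts[src] = len(stamps)
                break
    return alerts
```

Only the (ip_src, port_dst) grouping isolates 10.0.0.5 on port 445; grouping by ip_src alone also flags the vertical scan and the repeated connections.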