This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

How to make correlation for horizontal IP scan.

Go to solution
Anonymous
Not applicable

‎2013-10-02 10:00 AM

Hi everyone,

 

I would like to create correlation or something what can fire an alert when horizontal ip scan is in progress.

 

I have found that there is virus on one computer in our enviroment which tryes to acces computers in our network on IPs with incremental condition (xxx.xxx.xxx.1, xxx.xxx.xxx.2, xxx.xxx.xxx.3,...)

 

I tried to make correlation (inspired by IPv4 Vertical TCP Port Scan):

 

name="IPv4 Horizontal IP scan"

rule="tcp.dst exists"

thresh=u_count(tcp.dst)>10

key=ip.src,ip.dst

timewin="1 min" type=correlation

 

But there is some problem with tcp.dst in treshold.

 

Mabye I am totally wrong and it should be done by diferent way...

 

 

Can somebody help me please?

 

Thanks in advance

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
RSAAdmin
Beginner
Beginner

‎2013-10-03 05:16 AM

Hi, DavidB12

"A horizontal scan is described as scan against a group of IPs for a single port."

So if you agree with that logic, the correlation would be like this:

 

rule=ip.dst exists && tcp.dstport exists

thresh=u_count(ip.dst)>10

key=ip.src,tcp.dstport

 

Here I count unique destination ip's for every pair of source ip+port. So if anyone is checking for an open port/trying to connect on many hosts from a single host it should fire.

View solution in original post

0 Likes
2 REPLIES 2

Go to solution
RSAAdmin
Beginner
Beginner

‎2013-10-03 05:16 AM

Hi, DavidB12

"A horizontal scan is described as scan against a group of IPs for a single port."

So if you agree with that logic, the correlation would be like this:

 

rule=ip.dst exists && tcp.dstport exists

thresh=u_count(ip.dst)>10

key=ip.src,tcp.dstport

 

Here I count unique destination ip's for every pair of source ip+port. So if anyone is checking for an open port/trying to connect on many hosts from a single host it should fire.

0 Likes

Go to solution
Anonymous
Not applicable
In response to RSAAdmin

‎2013-10-04 07:02 AM

Hi n1k,

thank you for your help. Problem have been realy in me, when I try to use tcp.dst instead of ip.dst.

 

Thanks again and sorry for my noob mistake

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.