2013-10-02 10:00 AM
Hi everyone,
I would like to create a correlation or something that can fire an alert when a horizontal IP scan is in progress.
I have found that there is a virus on one computer in our environment which tries to access computers in our network on IPs with an incremental condition (xxx.xxx.xxx.1, xxx.xxx.xxx.2, xxx.xxx.xxx.3,...)
I tried to make correlation (inspired by IPv4 Vertical TCP Port Scan):
name="IPv4 Horizontal IP scan"
rule="tcp.dst exists"
thresh=u_count(tcp.dst)>10
key=ip.src,ip.dst
timewin="1 min" type=correlation
But there is some problem with tcp.dst in the threshold.
Maybe I am totally wrong and it should be done a different way...
Can somebody help me please?
Thanks in advance
2013-10-03 05:16 AM
Hi, DavidB12
"A horizontal scan is described as scan against a group of IPs for a single port."
So if you agree with that logic, the correlation would be like this:
rule=ip.dst exists && tcp.dstport exists
thresh=u_count(ip.dst)>10
key=ip.src,tcp.dstport
Here I count unique destination IPs for every pair of source IP + port. So if anyone is checking for an open port/trying to connect on many hosts from a single host it should fire.
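As an added illustration of the correlation in the answer above (this is not code from the thread or from the product's correlation engine, just a stand-alone model of its logic), the script below evaluates the same rule over constructed connection events: key = (ip.src, tcp.dstport), threshold = unique count of ip.dst greater than 10, within a sliding one-minute window. The event format, the sample addresses and the function name detect_horizontal_scan are assumptions made for the example. It also shows why the asker's original tcp.dst/tcp.dstport key would not work: a vertical scan of one host over many ports never accumulates more than one unique destination per key, so it stays silent, while a horizontal sweep on a single port fires once it crosses the threshold.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in the shape (timestamp, ip.src, ip.dst, tcp.dstport).
BASE = datetime(2013, 10, 2, 10, 0, 0)
SAMPLE_EVENTS = []

# 1) Horizontal sweep: one host probes 10.0.0.1 .. 10.0.0.15 on port 445, every 2 s.
SAMPLE_EVENTS += [
    (BASE + timedelta(seconds=2 * i), "10.0.0.5", f"10.0.0.{i}", 445)
    for i in range(1, 16)
]

# 2) Vertical scan: one host probes a single target on ports 1 .. 20.
#    Each port is a different key, each key sees one unique ip.dst -> no alert.
SAMPLE_EVENTS += [
    (BASE + timedelta(seconds=i), "10.0.0.9", "10.0.0.30", port)
    for i, port in enumerate(range(1, 21))
]

# 3) Benign client: repeated connections to one web server on port 80.
SAMPLE_EVENTS += [
    (BASE + timedelta(seconds=3 * i), "10.0.0.7", "10.0.0.20", 80)
    for i in range(30)
]

# 4) Slow sweep: 12 hosts on port 22, one every 50 s. Never more than two
#    unique destinations inside any 60 s window, so the 1-minute rule misses it.
SAMPLE_EVENTS += [
    (BASE + timedelta(seconds=50 * i), "10.0.0.11", f"10.0.1.{i}", 22)
    for i in range(1, 13)
]


def detect_horizontal_scan(events, threshold=10, window=timedelta(minutes=1)):
    """Sliding-window evaluation of:
        rule   = ip.dst exists && tcp.dstport exists
        thresh = u_count(ip.dst) > threshold
        key    = ip.src, tcp.dstport
        timewin = window
    Returns one alert per key each time its unique-destination count rises
    above the threshold, as (ip.src, tcp.dstport, u_count, first_seen, last_seen).
    """
    state = defaultdict(deque)   # key -> deque of (timestamp, ip.dst) in the window
    fired = set()                # keys currently above threshold (to avoid re-alerting)
    alerts = []

    for ts, src, dst, dport in sorted(events):
        key = (src, dport)
        q = state[key]
        q.append((ts, dst))
        # Evict events that have fallen out of the time window.
        while q and ts - q[0][0] > window:
            q.popleft()

        uniq = {d for _, d in q}
        if len(uniq) > threshold and key not in fired:
            fired.add(key)
            alerts.append((src, dport, len(uniq), q[0][0], ts))
        elif len(uniq) <= threshold:
            fired.discard(key)

    return alerts


if __name__ == "__main__":
    for src, dport, count, first, last in detect_horizontal_scan(SAMPLE_EVENTS):
        print(f"ALERT horizontal scan: {src} -> {count} hosts on tcp/{dport} "
              f"between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

Running it reports only the port-445 sweep from 10.0.0.5 (the count is 11 at the moment the threshold is crossed). The slow port-22 sweep shows the trade-off in the timewin setting: a one-minute window is fine for the noisy worm-style scanning described in the question, but a scanner that paces itself below roughly ten hosts per minute needs a longer window or a lower threshold.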
2013-10-04 07:02 AM
Hi n1k,
thank you for your help. The problem has really been mine: I tried to use tcp.dst instead of ip.dst.
Thanks again and sorry for my noob mistake