Firewall Alerts

Someone is Doing Horizontal Port scan on your network.


Category: Network

A horizontal port scan, also known as network scanning, is a type of port scan that sends requests to the same port on multiple hosts.

Critical

Alert Rule


title: Someone is Doing Horizontal Port scan on your network.
author: Admin
description: This alert indicates network and port scanning from external IP addresses. It is described as a scan against a group of IPs for a single port.
detection:
  condition: selection | count distinct(destination.ip) by source.ip > 20
  selection:
    - source.locality: public
level: Critical
logsource:
  category: firewall
  product: ngfw
  service: traffic
logtype: ngfw
timespan: 01m

Splunk Query to check Logs:

source="your_index_or_data_source"
source.locality="public"
| bin _time span=1m
| stats dc(destination.ip) AS distinct_destinations BY _time, source.ip
| where distinct_destinations > 20
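The rule and the Splunk query both reduce to one aggregation: for sources whose locality is public, count distinct destination IPs per source.ip inside a 1-minute window and fire when the count exceeds 20. The Python below is an added example (it is not part of the page or of the SIEM that produced it) that runs that logic over constructed events. It also shows why the timespan matters: a sweep spread over many minutes never exceeds the threshold inside any single window, so a second rule with a longer window is needed to see it. The event layout, the documentation-range addresses and the tumbling-window bucketing are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

THRESHOLD = 20        # condition: count distinct(destination.ip) by source.ip > 20
TIMESPAN_SECONDS = 60  # timespan: 01m


def make_events():
    """Constructed sample firewall events (not taken from the page).

    Field names follow the rule: @timestamp, source.ip, source.locality,
    destination.ip, destination.port. Addresses are documentation ranges.
    """
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    events = []

    def add(ts, src, locality, dst, port):
        events.append({"@timestamp": ts, "source.ip": src, "source.locality": locality,
                       "destination.ip": dst, "destination.port": port})

    # 1) external host sweeping port 22 across 25 internal hosts in 25 seconds -> should alert
    for i in range(25):
        add(t0 + timedelta(seconds=i), "203.0.113.7", "public", f"10.113.240.{i + 1}", 22)
    # 2) internal scanner touching 30 hosts -> source.locality is private, so the rule ignores it
    for i in range(30):
        add(t0 + timedelta(seconds=i), "10.0.0.5", "private", f"10.113.240.{i + 1}", 445)
    # 3) external host reaching 5 destinations -> below the threshold
    for i in range(5):
        add(t0 + timedelta(seconds=i), "198.51.100.9", "public", f"10.113.240.{i + 1}", 443)
    # 4) slow external sweep, one new host per minute for 25 minutes
    #    -> never exceeds 20 distinct destinations inside any 1-minute window
    for i in range(25):
        add(t0 + timedelta(minutes=i), "203.0.113.8", "public", f"10.113.241.{i + 1}", 22)
    return events


def horizontal_scan_alerts(events, threshold=THRESHOLD, window_seconds=TIMESPAN_SECONDS):
    """One alert per (window, source.ip) whose distinct destination count exceeds the threshold."""
    buckets = defaultdict(set)  # (window_start_epoch, source.ip) -> {destination.ip}
    for e in events:
        if e.get("source.locality") != "public":  # selection: source.locality: public
            continue
        epoch = int(e["@timestamp"].timestamp())
        window_start = epoch - epoch % window_seconds  # tumbling window, like `bin _time span=1m`
        buckets[(window_start, e["source.ip"])].add(e["destination.ip"])
    alerts = []
    for (window_start, src), dsts in sorted(buckets.items()):
        if len(dsts) > threshold:
            alerts.append({"source.ip": src,
                           "window_start": datetime.fromtimestamp(window_start, timezone.utc),
                           "distinct_destinations": len(dsts)})
    return alerts


if __name__ == "__main__":
    for a in horizontal_scan_alerts(make_events()):
        print("1m window:", a)
    # A wider window catches the slow sweep as well
    for a in horizontal_scan_alerts(make_events(), window_seconds=1800):
        print("30m window:", a)
```

With the 1-minute window only the fast sweep from 203.0.113.7 fires; the slow sweep from 203.0.113.8 contributes one destination per window and stays silent until the window is widened to 30 minutes. The internal scanner is dropped by the source.locality selection regardless of how many hosts it touches, which is what the rule intends but is worth remembering when triaging internal reconnaissance.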

Alert Data


destination.as.organization.name : BlackHatCommando
destination.geo.country_code : IND
destination.geo.country_name : India
destination.geo.location.lat : 37.751
destination.geo.location.lon : -97.822
destination.ip : 216.9.115.127
destination.locality : public
destination.port : 22
event.action : Accept
event.category : network
event.type : connection
host.hostname : Troy-CP-MGR..yf7mo6
host.ip : 10.113.240.5
host.name : Troy-DC-Logger
log.type : checkpoint
network.direction : inbound
network.protocol : ssh_version_2
network.transport : tcp
observer.type : ngfw
observer.vendor : checkpoint
source.as.organization.name : DIGITALOCEAN-ASN
source.geo.city_name : Toronto
source.geo.country_code : CA
source.geo.country_name : Canada
source.geo.location.lat : 43.6547
source.geo.location.lon : -79.3623
source.ip : 165.22.227.46
source.locality : public
source.port : 41956
threatintel.lookup : neutral

A User is connected to Port 8000 to the Internet.


Category: Network Anomaly

This alert indicates that an internal host has connected to port 8000 on an external server.

High

Alert Rule


title: A User is connected to Port 8000 to the Internet.
author: Admin
description: Observed an internal host connected to port 8000 on an external server.
detection:
  condition: selection and not filter
  filter:
    destination.ip:
      - 10.0.0.0/8
      - 172.16.0.0/12
      - 192.168.0.0/16
  selection:
    destination.port:
      - 8000
level: high
logsource:
  category: NBAD
logtype: nbad

Alert Data


destination.address : 104.47.11.113
destination.as.organization.name : MICROSOFT-CORP-MSN-AS-BLOCK
destination.bytes : 0
destination.geo.city_name : Dublin
destination.geo.continent_code : EU
destination.geo.country_name : Ireland
destination.geo.location.lat : 53.3379
destination.geo.location.lon : -6.2591
destination.ip : 104.47.11.113
destination.locality : public
destination.port : 8000
event.category : network
event.dataset : naf
event.duration : 506877000
host.name : BHC-India
log.type : conn
network.bytes : 374
network.connection.id : 10.96.31.39:104.47.11.113:25:8000
network.connection.state_description : Source sent a SYN followed by a FIN, never saw a SYN ACK from the destination (ie: connection was half open)
network.direction : outbound
network.missed_bytes : 0
network.transport : tcp
observer.type : nbad
source.bytes : 374
source.ip : 10.96.31.39
source.locality : private
source.port : 25
threatintel.lookup : neutral

A Host is connecting with High-risk applications.


Category: Malicious Application

This alert indicates that the firewall device has identified the use of potentially high-risk applications within the enterprise environment, such as Torrent Clients (P2P). Please review the logs attached to this alert for further details.

Medium

Alert Rule


title: A Host is connecting with High-risk applications
author: Admin
description: The firewall device has identified the use of potentially high-risk applications within the enterprise environment, such as Torrent Clients (P2P). Please review the logs attached to this alert for further details.
detection:
  condition: selection and not filter
  filter:
    network.application|contains:
      - HTTP_and_HTTPS_proxy
  selection:
    network.application|contains:
      - Torrent
      - Proxy
      - EXE File Download
      - eMule P2P
      - Ares P2P
level: high
logsource:
  category: ngfw
  product: sophos
logtype: ngfw
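The port 8000 rule and the high-risk application rule share the same shape, `selection and not filter`, differing only in how a field value is compared: the first excludes RFC 1918 destinations by CIDR containment, the second uses the `|contains` modifier. The Python below is an added example covering both rules; it is not code from the page or from the SIEM behind it. It assumes a list of values is an OR, fields inside a block are ANDed, a rule value written with a `/` is a network, and `contains` is case-insensitive as in Sigma's default string matching. Both rules are transcribed from the page; the events are constructed, reusing a few addresses from the page's own alert data.

```python
import ipaddress

# Both rules from the page as dicts: a block maps 'field' or 'field|contains'
# to the accepted values; the condition is always 'selection and not filter'.
PORT_8000_RULE = {
    "selection": {"destination.port": [8000]},
    "filter": {"destination.ip": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]},
}
HIGH_RISK_APP_RULE = {
    "selection": {"network.application|contains": [
        "Torrent", "Proxy", "EXE File Download", "eMule P2P", "Ares P2P"]},
    "filter": {"network.application|contains": ["HTTP_and_HTTPS_proxy"]},
}


def _equals_or_in_cidr(value, pattern):
    """Exact match, or CIDR containment when the rule value is written as a network (assumption)."""
    if value is None:
        return False
    if "/" in pattern:
        try:
            return ipaddress.ip_address(str(value)) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:  # value is not an IP address
            return False
    return str(value) == pattern


def _contains(value, pattern):
    """Substring match, case-insensitive as in Sigma's default (assumed for this engine)."""
    return value is not None and pattern.lower() in str(value).lower()


def match_block(block, event):
    """All fields in a block must match (AND); any one of a field's listed values suffices (OR)."""
    for key, values in block.items():
        field, _, modifier = key.partition("|")
        matcher = _contains if modifier == "contains" else _equals_or_in_cidr
        if not any(matcher(event.get(field), str(v)) for v in values):
            return False
    return True


def fires(rule, event):
    """condition: selection and not filter"""
    return match_block(rule["selection"], event) and not match_block(rule["filter"], event)


def evaluate(rule, events):
    """Indices of the events that trigger the rule."""
    return [i for i, e in enumerate(events) if fires(rule, e)]


# Constructed sample events; the 10.96.31.39 -> 104.47.11.113:8000 pair mirrors the page's alert data.
SAMPLE_EVENTS = [
    {"source.ip": "10.96.31.39", "destination.ip": "104.47.11.113", "destination.port": 8000},  # 0: external :8000 -> fires
    {"source.ip": "10.96.31.39", "destination.ip": "192.168.10.4", "destination.port": 8000},   # 1: RFC 1918 destination -> filtered
    {"source.ip": "10.96.31.39", "destination.ip": "104.47.11.113", "destination.port": 443},   # 2: wrong port
    {"source.ip": "10.94.12.30", "network.application": "bittorrent"},                         # 3: 'Torrent' matches case-insensitively -> fires
    {"source.ip": "10.94.12.30", "network.application": "HTTP_and_HTTPS_proxy"},               # 4: 'Proxy' matches, filter removes it
    {"source.ip": "10.94.12.30", "network.application": "web-browsing"},                       # 5: no selection match
]

if __name__ == "__main__":
    print("port 8000 rule fires on events:", evaluate(PORT_8000_RULE, SAMPLE_EVENTS))
    print("high-risk app rule fires on events:", evaluate(HIGH_RISK_APP_RULE, SAMPLE_EVENTS))
```

Two things fall out of running it. The `HTTP_and_HTTPS_proxy` filter only does work because `contains` is case-insensitive: `Proxy` matches the `_proxy` suffix, so the filter is what keeps ordinary proxied web traffic out of the alert; on an engine that matches case-sensitively the filter is a no-op and the rule silently narrows. And the port 8000 rule keys on the destination port alone, so it fires on connection attempts as well as established sessions; the page's own sample alert records a half-open connection (`network.connection.state_description`: SYN then FIN, no SYN-ACK), which is worth checking before treating the title's "connected" literally.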

Alert Data


destination.bytes : 264
destination.ip : 104.47.11.113
destination.locality : public
destination.packets : 3
destination.port : 80
event.action : allow
event.category : TRAFFIC
event.kind : alert
event.module : paloalto
event.provider : paloalto
host.ip : 10.96.22.251
host.name : BHC-1234
log.type : paloalto
network.application : bittorrent
network.bytes : 264
network.packets : 3
network.protocol : kerberos
network.transport : udp
observer.type : ngfw
observer.vendor : paloalto
source.bytes : 0
source.ip : 10.94.12.30
source.locality : private
source.nat.ip : 0.0.0.0
source.nat.port : 0
source.packets : 0
source.port : 53399
