rules/network/net_susp_network_scan.yml

title: Network Scans
description: Detects many failed connection attempts to different ports or hosts
author: Thomas Patzke
logsource:
    type: firewall
detection:
    selection:
        log: network
        action: denied
    timeframe: 24h
    condition:
        - selection | count(dst_port) > 10 by src_ip
        - selection | count(dst_ip) > 10 by src_ip
falsepositives:
    - Inventarization systems
    - Vulnerability scans
    - Penetration testing activity
level: medium
Added 'Network Scan' rule (#1 ) 2017-02-08 12:41:32 +01:00			`title: Network Scans`
			`description: Detects many failed connection attempts to different ports or hosts`
Sysmon rules 'logsource' change 2017-02-19 09:19:06 +01:00			`author: Thomas Patzke`
Added "logsource" sections and new rule 2017-02-19 00:31:59 +01:00			`logsource:`
			`type: firewall`
Added 'Network Scan' rule (#1 ) 2017-02-08 12:41:32 +01:00			`detection:`
			`selection:`
Rule review and cleanup 2017-02-15 23:53:08 +01:00			`log: network`
			`action: denied`
Removed 'last' keyword from 'timeframe' fields 2017-02-28 17:52:40 +01:00			`timeframe: 24h`
Added 'Network Scan' rule (#1 ) 2017-02-08 12:41:32 +01:00			`condition:`
			`- selection \| count(dst_port) > 10 by src_ip`
			`- selection \| count(dst_ip) > 10 by src_ip`
Rule review 2017-02-24 23:44:42 +01:00			`falsepositives:`
			`- Inventarization systems`
			`- Vulnerability scans`
			`- Penetration testing activity`
			`level: medium`