rules/network/net_susp_network_scan.yml

title: Network Scans
id: fab0ddf0-b8a9-4d70-91ce-a20547209afb
description: Detects many failed connection attempts to different ports or hosts
author: Thomas Patzke
logsource:
    category: firewall
detection:
    selection:
        action: denied
    timeframe: 24h
    condition:
        - selection | count(dst_port) by src_ip > 10
        - selection | count(dst_ip) by src_ip > 10
fields:
    - src_ip
    - dst_ip
    - dst_port
falsepositives:
    - Inventarization systems
    - Vulnerability scans
    - Penetration testing activity
level: medium
Added 'Network Scan' rule (#1 ) 2017-02-08 12:41:32 +01:00			`title: Network Scans`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: fab0ddf0-b8a9-4d70-91ce-a20547209afb`
Added 'Network Scan' rule (#1 ) 2017-02-08 12:41:32 +01:00			`description: Detects many failed connection attempts to different ports or hosts`
Sysmon rules 'logsource' change 2017-02-19 09:19:06 +01:00			`author: Thomas Patzke`
Added "logsource" sections and new rule 2017-02-19 00:31:59 +01:00			`logsource:`
Fixed rules 2017-09-11 00:35:52 +02:00			`category: firewall`
Added 'Network Scan' rule (#1 ) 2017-02-08 12:41:32 +01:00			`detection:`
			`selection:`
Rule review and cleanup 2017-02-15 23:53:08 +01:00			`action: denied`
Removed 'last' keyword from 'timeframe' fields 2017-02-28 17:52:40 +01:00			`timeframe: 24h`
Added 'Network Scan' rule (#1 ) 2017-02-08 12:41:32 +01:00			`condition:`
Fixed further parse error 2017-08-02 23:32:00 +02:00			`- selection \| count(dst_port) by src_ip > 10`
			`- selection \| count(dst_ip) by src_ip > 10`
Added field names to first rules 2017-09-12 23:54:04 +02:00			`fields:`
			`- src_ip`
			`- dst_ip`
			`- dst_port`
Rule review 2017-02-24 23:44:42 +01:00			`falsepositives:`
			`- Inventarization systems`
			`- Vulnerability scans`
			`- Penetration testing activity`
			`level: medium`