2021-08-29 09:03:50 +02:00
|
|
|
action: global
|
2017-02-08 12:41:32 +01:00
|
|
|
title: Network Scans
|
2020-09-15 07:02:30 -06:00
|
|
|
status: experimental
|
2017-02-08 12:41:32 +01:00
|
|
|
description: Detects many failed connection attempts to different ports or hosts
|
2017-02-19 09:19:06 +01:00
|
|
|
author: Thomas Patzke
|
2020-01-30 15:32:39 +01:00
|
|
|
date: 2017/02/19
|
2020-08-27 20:43:47 +03:00
|
|
|
modified: 2020/08/27
|
2017-02-19 00:31:59 +01:00
|
|
|
logsource:
|
2017-09-11 00:35:52 +02:00
|
|
|
category: firewall
|
2017-09-12 23:54:04 +02:00
|
|
|
fields:
|
|
|
|
|
- src_ip
|
|
|
|
|
- dst_ip
|
|
|
|
|
- dst_port
|
2017-02-24 23:44:42 +01:00
|
|
|
falsepositives:
|
|
|
|
|
- Inventarization systems
|
|
|
|
|
- Vulnerability scans
|
|
|
|
|
- Penetration testing activity
|
|
|
|
|
level: medium
|
2020-09-15 07:02:30 -06:00
|
|
|
tags:
|
|
|
|
|
- attack.discovery
|
2021-08-29 09:03:50 +02:00
|
|
|
- attack.t1046
|
|
|
|
|
---
|
2021-09-02 20:07:03 +02:00
|
|
|
id: fab0ddf0-b8a9-4d70-91ce-a20547209afb
|
2021-08-29 09:03:50 +02:00
|
|
|
detection:
|
|
|
|
|
selection:
|
|
|
|
|
action: denied
|
|
|
|
|
timeframe: 24h
|
|
|
|
|
condition: selection | count(dst_port) by src_ip > 10
|
|
|
|
|
---
|
2021-09-02 20:07:03 +02:00
|
|
|
id: 4601eaec-6b45-4052-ad32-2d96d26ce0d8
|
2021-08-29 09:03:50 +02:00
|
|
|
detection:
|
|
|
|
|
selection:
|
|
|
|
|
action: denied
|
|
|
|
|
timeframe: 24h
|
|
|
|
|
condition: selection | count(dst_ip) by src_ip > 10
|
