split global net_susp_network_scan.yml

rules/network/net_susp_network_scan_by_ip.yml

@@ -0,0 +1,26 @@
+title: Network Scans Count By Destination IP
+id: 4601eaec-6b45-4052-ad32-2d96d26ce0d8
+status: experimental
+description: Detects many failed connection attempts to different ports or hosts
+author: Thomas Patzke
+date: 2017/02/19
+modified: 2020/08/27
+logsource:
+    category: firewall
+tags:
+    - attack.discovery
+    - attack.t1046
+detection:
+    selection:
+        action: denied
+    timeframe: 24h
+    condition: selection | count(dst_ip) by src_ip > 10
+falsepositives:
+    - Inventarization systems
+    - Vulnerability scans
+    - Penetration testing activity
+level: medium
+fields:
+    - src_ip
+    - dst_ip
+    - dst_port

rules/network/net_susp_network_scan_by_port.yml

@@ -1,35 +1,26 @@
-action: global
-title: Network Scans
+title: Network Scans Count By Destination Port
+id: fab0ddf0-b8a9-4d70-91ce-a20547209afb
 status: experimental
 description: Detects many failed connection attempts to different ports or hosts
 author: Thomas Patzke
 date: 2017/02/19
-modified: 2020/08/27
+modified: 2021/09/21
 logsource:
     category: firewall
-fields:
-    - src_ip
-    - dst_ip
-    - dst_port
-falsepositives:
-    - Inventarization systems
-    - Vulnerability scans
-    - Penetration testing activity
-level: medium
 tags:
     - attack.discovery
     - attack.t1046
----
-id: fab0ddf0-b8a9-4d70-91ce-a20547209afb
 detection:
     selection:
         action: denied
     timeframe: 24h
     condition: selection | count(dst_port) by src_ip > 10
----
-id: 4601eaec-6b45-4052-ad32-2d96d26ce0d8
-detection:
-    selection:
-        action: denied
-    timeframe: 24h
-    condition: selection | count(dst_ip) by src_ip > 10
+falsepositives:
+    - Inventarization systems
+    - Vulnerability scans
+    - Penetration testing activity
+level: medium
+fields:
+    - src_ip
+    - dst_ip
+    - dst_port