From 00f3055035d0a6ca6d41fbba4a4e7ccd48c0d8ee Mon Sep 17 00:00:00 2001
From: frack113
Date: Tue, 21 Sep 2021 19:47:28 +0200
Subject: [PATCH] split global net_susp_network_scan.yml

---
 rules/network/net_susp_network_scan_by_ip.yml | 26 +++++++++++++++
 ....yml => net_susp_network_scan_by_port.yml} | 33 +++++++------------
 2 files changed, 38 insertions(+), 21 deletions(-)
 create mode 100644 rules/network/net_susp_network_scan_by_ip.yml
 rename rules/network/{net_susp_network_scan.yml => net_susp_network_scan_by_port.yml} (69%)

diff --git a/rules/network/net_susp_network_scan_by_ip.yml b/rules/network/net_susp_network_scan_by_ip.yml
new file mode 100644
index 000000000..518b5d685
--- /dev/null
+++ b/rules/network/net_susp_network_scan_by_ip.yml
@@ -0,0 +1,26 @@
+title: Network Scans Count By Destination IP
+id: 4601eaec-6b45-4052-ad32-2d96d26ce0d8
+status: experimental
+description: Detects many failed connection attempts to different ports or hosts
+author: Thomas Patzke
+date: 2017/02/19
+modified: 2020/08/27
+logsource:
+    category: firewall
+tags:
+    - attack.discovery
+    - attack.t1046
+detection:
+    selection:
+        action: denied
+    timeframe: 24h
+    condition: selection | count(dst_ip) by src_ip > 10
+falsepositives:
+    - Inventarization systems
+    - Vulnerability scans
+    - Penetration testing activity
+level: medium
+fields:
+    - src_ip
+    - dst_ip
+    - dst_port
\ No newline at end of file
diff --git a/rules/network/net_susp_network_scan.yml b/rules/network/net_susp_network_scan_by_port.yml
similarity index 69%
rename from rules/network/net_susp_network_scan.yml
rename to rules/network/net_susp_network_scan_by_port.yml
index a4032fdab..e3cc1f862
--- a/rules/network/net_susp_network_scan.yml
+++ b/rules/network/net_susp_network_scan_by_port.yml
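Review bot: The new by_ip rule keeps `modified: 2020/08/27` even though its title and scope are changed in this commit, while the sibling by_port file is bumped to `modified: 2021/09/21`; if the project's convention is to bump `modified` on any content change, this file should carry `modified: 2021/09/21` as well. The `description` also still says "to different ports or hosts", but with `count(dst_ip) by src_ip > 10` this rule only fires when one source is denied to many distinct destination hosts, so I would narrow it to `description: Detects many denied connection attempts from one source IP to many different destination hosts within the timeframe (host sweep)` so analysts know what the count represents. The `id` is carried over from the second document of the old global rule, which preserves existing references and tuning. The file is also written without a trailing newline; adding one avoids a spurious diff on the next edit.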
@@ -1,35 +1,26 @@
-action: global
-title: Network Scans
+title: Network Scans Count By Destination Port
+id: fab0ddf0-b8a9-4d70-91ce-a20547209afb
 status: experimental
 description: Detects many failed connection attempts to different ports or hosts
 author: Thomas Patzke
 date: 2017/02/19
-modified: 2020/08/27
+modified: 2021/09/21
 logsource:
     category: firewall
-fields:
-    - src_ip
-    - dst_ip
-    - dst_port
-falsepositives:
-    - Inventarization systems
-    - Vulnerability scans
-    - Penetration testing activity
-level: medium
 tags:
     - attack.discovery
     - attack.t1046
----
-id: fab0ddf0-b8a9-4d70-91ce-a20547209afb
 detection:
     selection:
         action: denied
     timeframe: 24h
     condition: selection | count(dst_port) by src_ip > 10
----
-id: 4601eaec-6b45-4052-ad32-2d96d26ce0d8
-detection:
-    selection:
-        action: denied
-    timeframe: 24h
-    condition: selection | count(dst_ip) by src_ip > 10
\ No newline at end of file
+falsepositives:
+    - Inventarization systems
+    - Vulnerability scans
+    - Penetration testing activity
+level: medium
+fields:
+    - src_ip
+    - dst_ip
+    - dst_port
\ No newline at end of file
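Review bot: The `description` context line still reads "to different ports or hosts", but after the split this rule's only condition is `count(dst_port) by src_ip > 10`, which (per Sigma's `count(field)` aggregation) counts distinct denied destination ports per source, so the description no longer matches what the rule fires on; I would change it to `description: Detects many denied connection attempts from one source IP to many different destination ports within the timeframe (port scan)`. Because the aggregation is per `src_ip` across all destinations, a source denied on eleven distinct ports spread over several hosts also trips it, which is worth stating in the description so triage understands the count. The `id` and `tags` are retained from the old global rule's first document, so existing references keep working, and `modified` is correctly bumped here. The file is written without a trailing newline; adding one avoids a noisy diff on the next change.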