Potential SYN-Based Network Scan Detected
This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a target network for open ports by sending SYN packets to multiple ports and observing the response. Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation, allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading to data breaches or further malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination ports using 2 or fewer packets per port.
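[metadata]
creation_date = "2023/05/17"
integration = ["endpoint", "network_traffic", "panw"]
maturity = "production"
updated_date = "2024/09/18"

[rule]
author = ["Elastic"]
# Keep the port count quoted in this text in step with rule.threshold.cardinality.value (currently 250);
# the two had drifted apart, which misstates to analysts what actually triggers the alert.
description = """
This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a
target network for open ports by sending SYN packets to multiple ports and observing the response. Attackers use this
method to identify potential entry points or services that may be vulnerable to exploitation, allowing them to launch
targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading
to data breaches or further malicious activities. This rule proposes threshold logic to check for connection attempts
from one source host to 250 or more destination ports using 2 or less packets per port.
"""
# Lookback window for each execution; the threshold aggregation below is evaluated over events in this range.
from = "now-9m"
index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "auditbeat-*", "filebeat-*", "logs-panw.panos*"]
language = "kuery"
license = "Elastic License v2"
# Upper bound on alerts emitted per rule execution.
max_signals = 5
name = "Potential SYN-Based Network Scan Detected"
risk_score = 21
rule_id = "bbaa96b9-f36c-4898-ace2-581acb00a409"
severity = "low"
tags = [
    "Domain: Network",
    "Tactic: Discovery",
    "Tactic: Reconnaissance",
    "Use Case: Network Security Monitoring",
    "Data Source: Elastic Defend",
    "Data Source: PAN-OS",
]
# Use ingest time rather than event time when applying the lookback window.
timestamp_override = "event.ingested"
type = "threshold"

# network.packets <= 2 keeps flows that never progressed past the handshake (a SYN with at most one reply);
# a completed connection that carries data produces more packets, so this approximates half-open probes.
# source.ip is limited to the RFC 1918 ranges, so only scans originating from private address space alert;
# probes from public/external sources are out of scope for this rule and need separate coverage.
query = '''
destination.port : * and network.packets <= 2 and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1046"
name = "Network Service Discovery"
reference = "https://attack.mitre.org/techniques/T1046/"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1595"
name = "Active Scanning"
reference = "https://attack.mitre.org/techniques/T1595/"
[[rule.threat.technique.subtechnique]]
id = "T1595.001"
name = "Scanning IP Blocks"
reference = "https://attack.mitre.org/techniques/T1595/001/"

[rule.threat.tactic]
id = "TA0043"
name = "Reconnaissance"
reference = "https://attack.mitre.org/tactics/TA0043/"

# Group matching events by (destination.ip, source.ip); a single group qualifies (value = 1) once that
# source has touched the number of distinct destination ports set by the cardinality below on one destination.
[rule.threshold]
field = ["destination.ip", "source.ip"]
value = 1
[[rule.threshold.cardinality]]
field = "destination.port"
# Must agree with the port count stated in rule.description.
value = 250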
Related rules
- Potential Network Scan Detected
- Potential Network Sweep Detected
- Machine Learning Detected DGA activity using a known SUNBURST DNS domain
- Machine Learning Detected a DNS Request Predicted to be a DGA Domain
- Machine Learning Detected a DNS Request With a High DGA Probability Score