Potential SYN-Based Network Scan Detected

This rule identifies a potential SYN-based port scan. A SYN port scan is a technique in which an attacker sends SYN packets to many ports on a target network and observes the responses to find open ports. Attackers use it to identify potential entry points or services that may be vulnerable to exploitation, which can allow them to launch targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading to data breaches or further malicious activity. This rule uses threshold logic to check for connection attempts from one source host to 10 or more destination ports using 2 or fewer packets per port.


 1[metadata]
 2creation_date = "2023/05/17"
 3integration = ["endpoint", "network_traffic", "panw"]
 4maturity = "production"
 5updated_date = "2024/09/18"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a
11target network for open ports by sending SYN packets to multiple ports and observing the response. Attackers use this
12method to identify potential entry points or services that may be vulnerable to exploitation, allowing them to launch
13targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading
14to data breaches or further malicious activities. This rule proposes threshold logic to check for connection attempts
15from one source host to 10 or more destination ports using 2 or less packets per port.
16"""
17from = "now-9m"
18index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "auditbeat-*", "filebeat-*", "logs-panw.panos*"]
19language = "kuery"
20license = "Elastic License v2"
21max_signals = 5
22name = "Potential SYN-Based Network Scan Detected"
23risk_score = 21
24rule_id = "bbaa96b9-f36c-4898-ace2-581acb00a409"
25severity = "low"
26tags = [
27    "Domain: Network",
28    "Tactic: Discovery",
29    "Tactic: Reconnaissance",
30    "Use Case: Network Security Monitoring",
31    "Data Source: Elastic Defend",
32    "Data Source: PAN-OS"
33]
34timestamp_override = "event.ingested"
35type = "threshold"
36
37query = '''
38destination.port : * and network.packets <= 2 and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
39'''
40
41
42[[rule.threat]]
43framework = "MITRE ATT&CK"
44[[rule.threat.technique]]
45id = "T1046"
46name = "Network Service Discovery"
47reference = "https://attack.mitre.org/techniques/T1046/"
48
49
50[rule.threat.tactic]
51id = "TA0007"
52name = "Discovery"
53reference = "https://attack.mitre.org/tactics/TA0007/"
54[[rule.threat]]
55framework = "MITRE ATT&CK"
56[[rule.threat.technique]]
57id = "T1595"
58name = "Active Scanning"
59reference = "https://attack.mitre.org/techniques/T1595/"
60[[rule.threat.technique.subtechnique]]
61id = "T1595.001"
62name = "Scanning IP Blocks"
63reference = "https://attack.mitre.org/techniques/T1595/001/"
64
65
66
67[rule.threat.tactic]
68id = "TA0043"
69name = "Reconnaissance"
70reference = "https://attack.mitre.org/tactics/TA0043/"
71
72[rule.threshold]
73field = ["destination.ip", "source.ip"]
74value = 1
75[[rule.threshold.cardinality]]
76field = "destination.port"
77value = 250
