Potential SYN-Based Network Scan Detected

This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a target network for open ports by sending SYN packets to multiple ports and observing the response. Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation, allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading to data breaches or further malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination ports using 2 or fewer packets per port.

Elastic rule (View on GitHub)

# Repository metadata consumed by the detection-rules tooling; it does not
# affect how the rule evaluates at runtime.
[metadata]
creation_date = "2023/05/17"
# Integrations whose data streams feed the index patterns listed under [rule].
integration = ["endpoint", "network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/05"

[rule]
author = ["Elastic"]
# NOTE(review): this text promises "10 or more destination ports", but the
# [[rule.threshold.cardinality]] entry at the bottom of the file requires 250
# distinct ports. One of the two is stale; confirm the intended threshold and
# align the description so analysts are not misled about the rule's sensitivity.
description = '''
This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a
target network for open ports by sending SYN packets to multiple ports and observing the response.
Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation,
allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its
security and potentially leading to data breaches or further malicious activities. This rule proposes threshold logic
to check for connection attempts from one source host to 10 or more destination ports using 2 or less packets per port.
'''
# Look-back window for each execution. The run interval is not set here, so
# the window is presumably wider than the interval to tolerate late events — confirm.
from = "now-9m"
# Index patterns searched; every listed source must populate the ECS fields
# used in `query` (destination.port, network.packets, source.ip) for the rule to match.
index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "auditbeat-*", "filebeat-*"]
language = "kuery"
license = "Elastic License v2"
# Upper bound on alerts produced by a single execution.
max_signals = 5
name = "Potential SYN-Based Network Scan Detected"
risk_score = 21
rule_id = "bbaa96b9-f36c-4898-ace2-581acb00a409"
severity = "low"
tags = ["Domain: Network",
        "Tactic: Discovery",
        "Tactic: Reconnaissance",
        "Use Case: Network Security Monitoring"
        ]
# Threshold rule: events matching `query` are grouped by the [rule.threshold]
# fields, and an alert is produced only when a group meets the count and
# cardinality limits defined below.
type = "threshold"
# Evaluate against ingest time rather than the event's own timestamp so that
# events that arrive late still fall inside the `from` window.
timestamp_override = "event.ingested"

# Candidate events: any flow that carries a destination port, has at most two
# packets (a low packet count is consistent with a half-open SYN probe that
# never completes the handshake), and originates from an RFC 1918 private
# address. Flows sourced from public addresses never match, so this rule covers
# internal-to-internal scanning only.
query = '''
destination.port : * and network.packets <= 2 and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
'''

# ATT&CK mapping 1 of 2: Discovery via Network Service Discovery.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1046"
name = "Network Service Discovery"
reference = "https://attack.mitre.org/techniques/T1046/"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"

# ATT&CK mapping 2 of 2: Reconnaissance via Active Scanning / Scanning IP Blocks.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1595"
name = "Active Scanning"
reference = "https://attack.mitre.org/techniques/T1595/"

[[rule.threat.technique.subtechnique]]
id = "T1595.001"
name = "Scanning IP Blocks"
reference = "https://attack.mitre.org/techniques/T1595/001/"

[rule.threat.tactic]
id = "TA0043"
name = "Reconnaissance"
reference = "https://attack.mitre.org/tactics/TA0043/"

# Group matching events by the (destination.ip, source.ip) pair. `value` is the
# minimum number of events per group; 1 means any group that also satisfies the
# cardinality test below will alert.
[rule.threshold]
field = ["destination.ip", "source.ip"]
value = 1

# A group alerts only when it spans at least 250 distinct destination ports,
# i.e. one internal source probing 250+ ports on a single destination within the
# look-back window. This is the knob that controls sensitivity: lowering it widens
# coverage of slower or narrower scans at the cost of more alerts. Note that it
# does not agree with the "10 or more destination ports" wording in `description`.
[[rule.threshold.cardinality]]
field = "destination.port"
value = 250
