Network Scans Count By Destination IP
Detects many failed connection attempts to different ports or hosts
Sigma rule
title: Network Scans Count By Destination IP
id: 4601eaec-6b45-4052-ad32-2d96d26ce0d8
status: unsupported
description: Detects many failed connection attempts to different ports or hosts
author: Thomas Patzke
date: 2017/02/19
modified: 2023/03/24
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: firewall
detection:
    selection:
        action: denied
    timeframe: 24h
    condition: selection | count(dst_ip) by src_ip > 10
fields:
    - src_ip
    - dst_ip
    - dst_port
falsepositives:
    - Inventarization systems
    - Vulnerability scans
level: medium
Related rules
- Network Scans Count By Destination Port
- Account Enumeration on AWS
- Enumeration via the Global Catalog
- Potential Backup Enumeration on AWS
- Potential Network Enumeration on AWS