Network Scans Count By Destination Port
Detects many failed connection attempts to different ports or hosts
Sigma rule
title: Network Scans Count By Destination Port
id: fab0ddf0-b8a9-4d70-91ce-a20547209afb
status: unsupported
description: Detects many failed connection attempts to different ports or hosts
author: Thomas Patzke
date: 2017/02/19
modified: 2023/03/24
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: firewall
detection:
    selection:
        action: denied
    timeframe: 24h
    condition: selection | count(dst_port) by src_ip > 10
fields:
    - src_ip
    - dst_ip
    - dst_port
falsepositives:
    - Inventarization systems
    - Vulnerability scans
level: medium
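The rule's aggregation can be checked offline against firewall events. The following is an added example, not code from the Sigma project or the rule's author. It assumes that `count(dst_port)` counts distinct port values per `src_ip`, that `timeframe` is evaluated as a sliding 24-hour window (backends differ on this), and that each event carries a hypothetical `time` field alongside the rule's field names.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

def detect_port_scans(events, threshold=10, window=timedelta(hours=24)):
    """Return {src_ip: sorted distinct dst_ports} for sources that exceed
    `threshold` distinct denied dst_port values inside one sliding window."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["action"] == "denied":            # selection: action: denied
            by_src[ev["src_ip"]].append(ev)     # ... by src_ip
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        in_window, ports = deque(), Counter()
        for ev in evs:
            in_window.append(ev)
            ports[ev["dst_port"]] += 1
            # Drop events older than the timeframe relative to the newest one.
            while ev["time"] - in_window[0]["time"] > window:
                old = in_window.popleft()
                ports[old["dst_port"]] -= 1
                if ports[old["dst_port"]] == 0:
                    del ports[old["dst_port"]]
            if len(ports) > threshold:          # count(dst_port) > 10
                alerts[src] = sorted(ports)
                break
    return alerts

def sample_events():
    """Constructed firewall events using documentation address ranges."""
    t0 = datetime(2023, 3, 24, 8, 0, 0)
    def ev(minutes, action, src, port):
        return {"time": t0 + timedelta(minutes=minutes), "action": action,
                "src_ip": src, "dst_ip": "198.51.100.10", "dst_port": port}
    events = []
    # 11 distinct denied ports within minutes: exceeds the threshold.
    events += [ev(i, "denied", "192.0.2.50", 20 + i) for i in range(11)]
    # 40 denied attempts to a single port: one distinct value, no alert.
    events += [ev(i, "denied", "192.0.2.60", 445) for i in range(40)]
    # 11 distinct ports six hours apart: at most 5 fall in any 24h window.
    events += [ev(i * 360, "denied", "192.0.2.70", 8000 + i) for i in range(11)]
    # 12 distinct ports, all allowed: never matched by the selection.
    events += [ev(i, "allowed", "192.0.2.80", 9000 + i) for i in range(12)]
    return events

if __name__ == "__main__":
    for src, ports in detect_port_scans(sample_events()).items():
        print(src, len(ports), "distinct denied ports:", ports)
```

The single-port and slow-scan sources in the sample show what this threshold does not catch. The listed false positives (inventory systems, vulnerability scans) would match the same way as the first source and need source-based filtering.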
Related rules
- Network Scans Count By Destination IP
- Advanced IP Scanner - File Event
- MacOS Network Service Scanning
- Account Enumeration on AWS
- Enumeration via the Global Catalog