SigmaHQ/rules/network/net_susp_network_scan.yml

title: Network Scans
id: fab0ddf0-b8a9-4d70-91ce-a20547209afb
status: experimental
description: Detects many failed connection attempts to different ports or hosts
author: Thomas Patzke
date: 2017/02/19
modified: 2020/08/27
logsource:
    category: firewall
detection:
    selection:
        action: denied
    timeframe: 24h
    condition:
        - selection | count(dst_port) by src_ip > 10
        - selection | count(dst_ip) by src_ip > 10
fields:
    - src_ip
    - dst_ip
    - dst_port
falsepositives:
    - Inventarization systems
    - Vulnerability scans
    - Penetration testing activity
level: medium
tags:
    - attack.discovery
    - attack.t1046
Added 'Network Scan' rule (#1) * Added possibility for multiple OR-linked conditions 2017-02-08 11:41:32 +00:00			`title: Network Scans`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: fab0ddf0-b8a9-4d70-91ce-a20547209afb`
Second round 2020-09-15 13:02:30 +00:00			`status: experimental`
Added 'Network Scan' rule (#1) * Added possibility for multiple OR-linked conditions 2017-02-08 11:41:32 +00:00			`description: Detects many failed connection attempts to different ports or hosts`
Sysmon rules 'logsource' change 2017-02-19 08:19:06 +00:00			`author: Thomas Patzke`
fix: fixed missing date fields in other files 2020-01-30 14:32:39 +00:00			`date: 2017/02/19`
att&ck tags review: windows/process_creation part 1, network 2020-08-27 17:43:47 +00:00			`modified: 2020/08/27`
Added "logsource" sections and new rule 2017-02-18 23:31:59 +00:00			`logsource:`
Fixed rules * Replaced unspecified logsource attribute 'type' with 'category' * Usage of service 'auth' for linux logs 2017-09-10 22:35:52 +00:00			`category: firewall`
Added 'Network Scan' rule (#1) * Added possibility for multiple OR-linked conditions 2017-02-08 11:41:32 +00:00			`detection:`
			`selection:`
Rule review and cleanup * removed unnecessary one element lists from definitions * converted some lists of one element maps to maps because the resulting OR linkage would cause wrong result. 2017-02-15 22:53:08 +00:00			`action: denied`
Removed 'last' keyword from 'timeframe' fields 2017-02-28 16:52:40 +00:00			`timeframe: 24h`
Added 'Network Scan' rule (#1) * Added possibility for multiple OR-linked conditions 2017-02-08 11:41:32 +00:00			`condition:`
Fixed further parse error 2017-08-02 21:32:00 +00:00			`- selection \| count(dst_port) by src_ip > 10`
			`- selection \| count(dst_ip) by src_ip > 10`
Added field names to first rules 2017-09-12 21:54:04 +00:00			`fields:`
			`- src_ip`
			`- dst_ip`
			`- dst_port`
Rule review * Typos * Added false positive descriptions 2017-02-24 22:44:42 +00:00			`falsepositives:`
			`- Inventarization systems`
			`- Vulnerability scans`
			`- Penetration testing activity`
			`level: medium`
Second round 2020-09-15 13:02:30 +00:00			`tags:`
			`- attack.discovery`
			`- attack.t1046`