Leonard Chvilicek

Vertical Scan Dashboard for Firewall Logs

Blog post created by Leonard Chvilicek on Oct 12, 2016


Overview


The Vertical Scan Dashboard for Firewall Logs shows vertical scan activity conducted against any firewall-class device on the Internet perimeter. The dashlets display the top 10 port probing/scanning sources seen in denied inbound traffic over the last 24 hours, broken down into the following categories:

  • Unique port count per source IP address probing/scanning the network, displayed by IP address.
  • Unique port count per source country probing/scanning the network, displayed by country.
  • Unique source IP address count per country probing/scanning the network, displayed by country.
  • Top 10 most denied destination ports, displayed by port.

Keep in mind that a single source IP may be a NAT gateway or proxy fronting many hosts, so a high unique port count from one address does not always mean one scanner.


The Dashlets

Top 10 Denied IP High Unique Port Count

It looks at the denied inbound traffic and, for every hour, counts the number of unique destination ports seen from each source IP address, then displays the result in a Timeline and a Summary format by IP address.  In short, it shows which IP addresses are touching the most ports on your network on an hourly basis.  This is the signature of a vertical scan: a single source IP probing many ports.


Top 10 Denied High Unique Port Count by Country

It looks at the denied inbound traffic and, for every hour, counts the number of unique destination ports seen from each source country, then displays the result in a Timeline and a Summary format by country.  In short, it is the same unique port count, grouped and displayed by country instead of by IP address.


Top 10 Denied Countries by Unique IP Count

It looks at the denied inbound traffic and, for every hour, counts the number of unique source IP addresses seen from each source country, then displays the result in a Timeline and a Summary format by country.  In short, it is a count of the unique IP addresses used to probe your network, displayed by country.


Top 10 Denied Destination Ports

It looks at the denied inbound traffic and, for every hour, finds the distinct destination ports and counts how many times each was denied, then displays the result in a Timeline and a Summary format.  In short, it shows the top ten ports that are being probed and denied.
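As an added example (not the dashboard's own Report Engine rules, and not code from the original post), the following Python reproduces what the four dashlets count over a handful of constructed firewall log lines, so the logic can be checked by hand before trusting the dashboard numbers. The pipe-delimited log format, the addresses, the SRC_COUNTRY lookup (standing in for the decoder's GeoIP meta) and the internal-range test (standing in for netname='other src') are all assumptions made for the illustration. The by-country port count is read here as distinct ports per country per hour.

```python
"""Vertical-scan roll-up over denied inbound firewall events.

Added example, not the dashboard's Report Engine rules. Log format,
addresses and the country lookup are constructed for illustration.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed log lines: timestamp|action|src_ip|dst_ip|dst_port
SAMPLE_LOG = """\
2016-10-12T01:05:00|deny|203.0.113.7|10.0.0.5|21
2016-10-12T01:05:01|deny|203.0.113.7|10.0.0.5|22
2016-10-12T01:05:02|deny|203.0.113.7|10.0.0.5|23
2016-10-12T01:05:03|deny|203.0.113.7|10.0.0.5|25
2016-10-12T01:05:04|deny|203.0.113.7|10.0.0.5|80
2016-10-12T01:05:05|deny|203.0.113.7|10.0.0.5|443
2016-10-12T01:05:06|deny|203.0.113.7|10.0.0.5|3389
2016-10-12T01:05:07|deny|203.0.113.7|10.0.0.5|8080
2016-10-12T01:10:00|deny|198.51.100.9|10.0.0.5|22
2016-10-12T01:10:01|deny|198.51.100.9|10.0.0.5|3389
2016-10-12T01:20:00|deny|192.0.2.44|10.0.0.6|22
2016-10-12T01:20:05|deny|192.0.2.44|10.0.0.6|22
2016-10-12T01:20:10|deny|192.0.2.44|10.0.0.6|22
2016-10-12T01:20:15|deny|192.0.2.44|10.0.0.6|445
2016-10-12T01:30:00|deny|10.0.0.9|10.0.0.5|22
2016-10-12T01:31:00|allow|203.0.113.7|10.0.0.5|443
2016-10-12T02:05:00|deny|203.0.113.7|10.0.0.5|22
2016-10-12T02:05:01|deny|203.0.113.7|10.0.0.5|23
"""

# Constructed stand-in for the country meta the decoder's GeoIP lookup would add.
SRC_COUNTRY = {"203.0.113.7": "NL", "198.51.100.9": "NL", "192.0.2.44": "BR"}

# Stand-in for netname='other src': a source outside these ranges is Internet-sourced.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internet_source(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_denied_inbound(log_text):
    """Return (hour, src_ip, country, dst_port) for denied events from Internet sources."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, action, src, _dst, port = line.split("|")
        if action != "deny" or not is_internet_source(src):
            continue
        hour = ts[:13]  # "YYYY-MM-DDTHH": the hourly bucket each dashlet uses
        events.append((hour, src, SRC_COUNTRY.get(src, "??"), int(port)))
    return events


def unique_ports_by_ip(events):
    """Dashlet 1: distinct destination ports per (hour, source IP)."""
    ports = defaultdict(set)
    for hour, src, _c, port in events:
        ports[(hour, src)].add(port)
    return {k: len(v) for k, v in ports.items()}


def unique_ports_by_country(events):
    """Dashlet 2: distinct destination ports per (hour, source country)."""
    ports = defaultdict(set)
    for hour, _s, country, port in events:
        ports[(hour, country)].add(port)
    return {k: len(v) for k, v in ports.items()}


def unique_ips_by_country(events):
    """Dashlet 3: distinct source IPs per (hour, source country)."""
    ips = defaultdict(set)
    for hour, src, country, _p in events:
        ips[(hour, country)].add(src)
    return {k: len(v) for k, v in ips.items()}


def denied_dest_ports(events):
    """Dashlet 4: number of denies per (hour, destination port)."""
    return Counter((hour, port) for hour, _s, _c, port in events)


def top(table, n=10):
    """Top-n rows, highest count first; ties broken by key for stable output."""
    return sorted(table.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    ev = parse_denied_inbound(SAMPLE_LOG)
    for title, table in (("Denied IP, high unique port count", unique_ports_by_ip(ev)),
                         ("Denied unique port count by country", unique_ports_by_country(ev)),
                         ("Denied countries by unique IP count", unique_ips_by_country(ev)),
                         ("Denied destination ports", denied_dest_ports(ev))):
        print(title)
        for key, count in top(table):
            print(f"  {key}: {count}")
```

Note that the internal host 10.0.0.9 and the allowed connection are dropped before any counting, which is the same filtering the dashboard relies on its netname condition and action meta to do; if that filter is wrong, every dashlet inherits the error.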

Prerequisites

You must have the items listed below installed and configured for this dashboard to work properly.

Security Analytics/NetWitness

  • Version 10.5 or higher
  • Log Decoder and Concentrator
  • Firewall logs being collected by the Log Decoder

Versions prior to 10.5 do not have the “distinct” and “countdistinct” functions in the Report Engine, which these rules depend on.

Lua Parser

  • Traffic Flow (RSA Live)
  • lua (RSA Live)


Directions for installation and configuration of this parser are at the link below:

https://community.rsa.com/docs/DOC-44948


If you already have a parser that tags Internet-sourced IP addresses, you can modify the rules and swap out the “netname='other src'” condition for your own meta key and value. Whichever parser you use, the rules only count sources it classifies as external, so verify that classification (for example, that your internal ranges are complete) before trusting the numbers.
