
How to make correlation for horizontal IP scan.

Question asked by David Bursik on Oct 2, 2013
Latest reply on Oct 4, 2013 by David Bursik

Hi everyone,

I would like to create a correlation, or something else that can fire an alert, when a horizontal IP scan is in progress.

I have found that there is a virus on one computer in our environment which tries to access computers in our network on IPs with an incremental condition (xxx.xxx.xxx.1, xxx.xxx.xxx.2, xxx.xxx.xxx.3, ...).

I tried to make a correlation (inspired by IPv4 Vertical TCP Port Scan):

name="IPv4 Horizontal IP scan"
rule="tcp.dst exists"
thresh=u_count(tcp.dst)>10
key=ip.src,ip.dst
timewin="1 min" type=correlation

But there is some problem with tcp.dst in the threshold.

Maybe I am totally wrong and it should be done a different way...

Can somebody help me please?

Thanks in advance
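The logic the rule in the post is trying to express (a set of key fields, a unique count over one other field, a threshold, and a time window) can be checked offline against sample session records. The following Python model is an added example written for this page; it is not NetWitness code and does not reproduce the product's correlation engine. The field names ip.src, ip.dst and tcp.dstport are used as dictionary keys, the session records are constructed, and the window is a simple sliding window. It goes slightly beyond the post by parameterising the rule so that both the vertical port-scan pattern the post cites (key on ip.src,ip.dst, count tcp.dstport) and the horizontal IP-scan variant (key on ip.src, count ip.dst) run over the same sessions.

```python
"""
Sliding-window unique-count correlator modelled on the shape of the rule in
the post: key fields, u_count over one field, threshold, time window.
Constructed example; not NetWitness code. Sample sessions are made up.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Constructed sample sessions: (timestamp_seconds, ip.src, ip.dst, tcp.dstport)
SAMPLE_SESSIONS: List[Tuple[int, str, str, int]] = [
    # benign host talking to a handful of servers
    (0, "10.0.0.5", "10.0.0.20", 445),
    (5, "10.0.0.5", "10.0.0.21", 445),
    (9, "10.0.0.5", "10.0.0.22", 80),
] + [
    # infected host sweeping 10.0.0.1 .. 10.0.0.12 on port 445, one per second
    (10 + i, "10.0.0.99", f"10.0.0.{i + 1}", 445) for i in range(12)
]


class UniqueCountCorrelator:
    """Fire when u_count(count_field) > threshold for one key inside the window."""

    def __init__(self, key_fields, count_field, threshold, window_seconds):
        self.key_fields = key_fields
        self.count_field = count_field
        self.threshold = threshold
        self.window = window_seconds
        # key -> deque of (timestamp, counted value) still inside the window
        self._events: Dict[tuple, Deque[Tuple[int, str]]] = defaultdict(deque)
        # keys that already fired, so one sweep produces one alert, not many
        self._fired = set()

    def feed(self, session: dict):
        """Return an alert dict if this session pushes its key over the threshold."""
        key = tuple(session[f] for f in self.key_fields)
        ts = session["time"]
        q = self._events[key]
        q.append((ts, session[self.count_field]))
        # expire entries older than the window (sessions arrive in time order)
        while q and ts - q[0][0] > self.window:
            q.popleft()
        unique = {value for _, value in q}
        if len(unique) > self.threshold and key not in self._fired:
            self._fired.add(key)
            return {"key": dict(zip(self.key_fields, key)),
                    "u_count": len(unique), "time": ts}
        return None


def run_rule(sessions, key_fields, count_field, threshold, window_seconds):
    """Replay sessions through one rule and collect the alerts it raises."""
    correlator = UniqueCountCorrelator(key_fields, count_field, threshold, window_seconds)
    alerts = []
    for ts, src, dst, port in sessions:
        alert = correlator.feed(
            {"time": ts, "ip.src": src, "ip.dst": dst, "tcp.dstport": port})
        if alert:
            alerts.append(alert)
    return alerts


def horizontal_scan_alerts(sessions=SAMPLE_SESSIONS):
    # horizontal: one source reaching many destination IPs
    # -> key on ip.src only, count unique ip.dst, >10 within 60 s
    return run_rule(sessions, ("ip.src",), "ip.dst", 10, 60)


def vertical_scan_alerts(sessions=SAMPLE_SESSIONS):
    # vertical: one src/dst pair hitting many ports
    # -> key on ip.src,ip.dst, count unique tcp.dstport, >10 within 60 s
    return run_rule(sessions, ("ip.src", "ip.dst"), "tcp.dstport", 10, 60)


if __name__ == "__main__":
    print("horizontal:", horizontal_scan_alerts())
    print("vertical:  ", vertical_scan_alerts())
```

On the constructed sessions the horizontal rule fires once, for 10.0.0.99 at the eleventh distinct destination, and the vertical rule stays silent because every src/dst pair only ever uses one port. The point of the model is the key/count split: a horizontal scan is visible only when the counted field (ip.dst) is not also part of the key, which is the opposite of the vertical rule's arrangement. Whether the product's timewin behaves as a sliding or a fixed window is not stated on this page, so the window semantics here are an assumption.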
