Port Scanning Detection

Has anyone been able to create a custom detection rule that will alert on an internal port scan? Not interested in external port scans on the perimeter firewall - just internal.

The Rapid7 Network Sensor is installed and working. Network Flow logs are being populated. We just haven’t figured out a way to detect a potential malicious device on our network performing a port scan.

Thanks

Hi 56kModem,
Sensors do not come with port scan detections; we have found that approach is very noisy (false positives) when traffic is used as a data source. Just so I understand correctly, what type of port scan detection are you looking for?

  1. An alert when a device on a network is scanning multiple hosts on a single port number, say TCP 445.
  2. An alert when a device on a network is scanning a single host on multiple port numbers. In this case it may be trying to find out what ports are open.

Darragh

Hi Darragh,

Thanks for the reply.

#2 looks like what we are trying to accomplish.

In order to achieve this you would build a Custom Detection Rule, select the Network flow logs and perform a query such as this:

where(source_address!=192.10.0.1)groupby(source_address)calculate(unique:destination_port)timeslice(10m)


If you set your time range to at least the last 6 hours, you can get a sense of what is "normal" in terms of unique destination ports per source address. You could also use source_asset, but this may be unattributed and show as unknown.


Then you might need to either exclude certain assets or ports to reduce the noise.

Once you're happy with the query, you can click on the three dots next to the Run button in Log Search and hit Create Custom Detection Rule.


On the new page, most of the necessary elements will already be filled out, including your log selection, any query you entered, and your groupby and unique counts.


The most important piece is not filled out, however, and that is the rule threshold logic.


In this example, the alert would fire if any source_address was observed in the Network flow logs with 101 unique destination ports in 10 minutes.

I hope this helps you build what you are looking for.

David

I have done this before for port connections to external, i.e. public IPs, but you could very easily flip this to target only internal (private IPs):

where(destination_address!=/.*(127\.0\.0\.|10\.|172\.1[6-9]\.|172\.2[0-9]\.|172\.3[0-1]\.|192\.168\.|192\.0\.).*/ AND destination_port=/80|8080|4433/ AND direction=OUTBOUND)
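The logic of David's rule (group flows by source address, count unique destination ports per 10-minute slice, alert above a threshold) combined with Marten's private-address filter flipped to internal destinations, as an added Python example. It is not code from this thread, from the Rapid7 Network Sensor, or from InsightIDR; the flow-record field names, the helper names and the sample traffic are constructed here for illustration. It also shows two caveats a practitioner would check: an asset exclusion list for known scanners, and a slow scan that never crosses the threshold because it is spread over two fixed time slices.

```python
"""Internal port-scan detection over network flow records (added example).

Mirrors the LEQL query
  groupby(source_address) calculate(unique:destination_port) timeslice(10m)
with a threshold of more than 100 unique destination ports per slice, and a
destination filter that keeps only RFC 1918 / loopback addresses.
Record layout, helper names and sample flows are constructed for this example.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SLICE = timedelta(minutes=10)   # timeslice(10m)
THRESHOLD = 100                 # alert when unique ports > 100, i.e. 101 or more

# Same ranges as the regex filter in the thread, expressed as networks so that
# "100.1.2.3" is not mistaken for "10.x" and TEST-NET addresses stay external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(addr: str) -> bool:
    """True when addr falls inside one of INTERNAL_NETS."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def slice_start(ts: datetime) -> datetime:
    """Floor a timestamp to the start of its fixed 10-minute slice (UTC)."""
    width = int(SLICE.total_seconds())
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % width, tz=timezone.utc)


def unique_ports_by_source(flows, internal_only=True, excluded_sources=frozenset()):
    """Return {(source_address, slice_start): set(destination_port)}.

    internal_only drops flows to public destinations (the perimeter is out of
    scope); excluded_sources is the asset allow-list used to cut noise.
    """
    buckets = defaultdict(set)
    for f in flows:
        src, dst = f["source_address"], f["destination_address"]
        if src in excluded_sources:
            continue
        if internal_only and not is_internal(dst):
            continue
        buckets[(src, slice_start(f["timestamp"]))].add(f["destination_port"])
    return buckets


def baseline(flows, **kwargs):
    """Max unique destination ports seen per source in any single slice.

    Run this over a few hours of traffic first to pick a sane threshold.
    """
    worst = defaultdict(int)
    for (src, _), ports in unique_ports_by_source(flows, **kwargs).items():
        worst[src] = max(worst[src], len(ports))
    return dict(worst)


def detect_port_scans(flows, threshold=THRESHOLD, **kwargs):
    """The rule: one alert per (source, slice) exceeding the threshold."""
    alerts = []
    for (src, start), ports in sorted(unique_ports_by_source(flows, **kwargs).items()):
        if len(ports) > threshold:
            alerts.append({"source_address": src, "slice_start": start,
                           "unique_ports": len(ports)})
    return alerts


def _flow(ts, src, dst, port):
    return {"timestamp": ts, "source_address": src,
            "destination_address": dst, "destination_port": port}


T0 = datetime(2024, 5, 28, 16, 0, tzinfo=timezone.utc)

# Constructed sample traffic (not real flow logs).
SAMPLE_FLOWS = (
    # fast scan: 150 ports on one internal host inside a single slice -> alert
    [_flow(T0 + timedelta(seconds=p), "10.0.0.5", "10.0.0.20", p) for p in range(1, 151)]
    # normal workstation: a handful of ports
    + [_flow(T0 + timedelta(minutes=1), "10.0.0.7", "10.0.0.20", p) for p in (53, 80, 443, 445)]
    # scan of a public (TEST-NET) address: ignored while internal_only=True
    + [_flow(T0 + timedelta(seconds=p), "10.0.0.9", "203.0.113.10", p) for p in range(1, 151)]
    # slow scan split over two slices (80 + 80 ports): never crosses 100 in one slice
    + [_flow(T0 + timedelta(minutes=5, seconds=p), "10.0.0.11", "10.0.0.30", p) for p in range(1, 81)]
    + [_flow(T0 + timedelta(minutes=12, seconds=p), "10.0.0.11", "10.0.0.30", p) for p in range(81, 161)]
    # authorised vulnerability scanner: 200 ports, silenced via excluded_sources
    + [_flow(T0 + timedelta(seconds=p), "10.0.0.250", "10.0.0.40", p) for p in range(1, 201)]
)

if __name__ == "__main__":
    print("baseline:", baseline(SAMPLE_FLOWS))
    for alert in detect_port_scans(SAMPLE_FLOWS, excluded_sources={"10.0.0.250"}):
        print("ALERT", alert)
```

With the scanner exclusion applied, only 10.0.0.5 fires; drop the exclusion and the authorised scanner fires too, and with internal_only=False the scan of the public address joins them. The split scan from 10.0.0.11 never alerts, which is the trade-off of a fixed timeslice: a patient scanner that stays under the threshold per slice is invisible to this rule, so the baseline step and a threshold chosen from real traffic matter more than the number 101 itself.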

Thank you both, David and Marten.

That looks like what we are after. I appreciate all the help!