Feature #7928

open

rules: distinct counting logic

Added by Ofer Dagan 12 days ago.

Status: New
Priority: Normal
Assignee: (none)
Target version: (none)
Effort: (none)
Difficulty: (none)
Label: (none)

Description

Hello team,
I wish to introduce a new feature suggestion, and after your approval and direction I would like to implement it.

We want to detect port scans in the network; however, there are a lot of communications to the same port in a short time, which gives us false positives. An example rule that suffers from this:

alert tcp any any -> $HOME_NET any (
msg:"Vertical scan: >=10 TCP SYNs to one host in 60s";
flags:S; ack:0; flow:stateless;
detection_filter: track by_both, count 10, seconds 60;
classtype:attempted-recon; sid:1000001; rev:1;
)

I have some suggested solutions:
1. Having a new plugin that allows counting distinct values of some field (SQL style). So the rule would now look something like this:

alert tcp any any -> $HOME_NET any (
msg:"Vertical scan: >=10 distinct dst ports in 60s";
flags:S; ack:0; flow:stateless;
distinct: field=dst_port, at_least=10, window=60, track=by_both;
classtype:attempted-recon; sid:100001; rev:1;
)

2. Add a new possible field to detection_filter, so the rule will look like this:

alert tcp any any -> $HOME_NET any (
msg:"Vertical scan: >=10 TCP SYNs to one host in 60s";
flags:S; ack:0; flow:stateless;
detection_filter: track by_both, count 10, seconds 60, unique_on dst_port;
classtype:attempted-recon; sid:1000001; rev:1;
)

Let me know what you think :)
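The counting logic the two proposals describe, worked through as an added example (this is not Suricata code and not part of the issue). It assumes a simplified model of detection_filter: a per-key sliding window that fires once "count" matches fall within "seconds". The proposed "distinct"/"unique_on" logic instead keeps, per tracked key, the last time each field value was seen and fires once at least "at_least" values are still inside the window. The class and function names (CountFilter, DistinctFilter, evaluate) and the traffic are constructed for the illustration: one client opening many connections to a single port (the false positive), one genuine vertical scan, and one scan slow enough to fall outside the 60 s window.

```python
from collections import defaultdict, deque


class CountFilter:
    """Simplified stand-in for `detection_filter: track by_both, count N, seconds S`.

    Keeps a per-key sliding window of match timestamps; returns True on every
    match once at least `count` matches sit inside the last `seconds` seconds.
    (Suricata's real implementation differs in detail; this is only the model.)
    """

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self.hits = defaultdict(deque)  # key -> timestamps of matches

    def check(self, key, ts):
        window = self.hits[key]
        while window and ts - window[0] > self.seconds:
            window.popleft()  # expire matches older than the window
        window.append(ts)
        return len(window) >= self.count


class DistinctFilter:
    """Proposed `distinct: field=..., at_least=N, window=S, track=by_both` logic.

    Per key, remember the last time each distinct field value was seen, drop
    values not seen within the window, and fire once `at_least` values remain.
    """

    def __init__(self, at_least, window):
        self.at_least = at_least
        self.window = window
        self.last_seen = defaultdict(dict)  # key -> {field value: last ts}

    def check(self, key, value, ts):
        seen = self.last_seen[key]
        for stale in [v for v, t in seen.items() if ts - t > self.window]:
            del seen[stale]  # expire values outside the window
        seen[value] = ts
        return len(seen) >= self.at_least


def synthetic_traffic():
    """Constructed TCP SYNs as (timestamp, src, dst, dst_port) tuples."""
    pkts = []
    # A: one client reconnecting to 10.0.0.20:443 twelve times in ~28 s.
    for i in range(12):
        pkts.append((i * 2.5, "10.0.0.5", "10.0.0.20", 443))
    # B: vertical scan, eleven distinct ports on one host within 20 s.
    for i, port in enumerate(range(20, 31)):
        pkts.append((100.0 + i * 2, "10.0.0.9", "10.0.0.20", port))
    # C: slow scan, ten ports 15 s apart (135 s span), never 10 inside 60 s.
    for i in range(10):
        pkts.append((200.0 + i * 15, "10.0.0.7", "10.0.0.20", 1000 + i))
    return sorted(pkts, key=lambda p: p[0])


def evaluate(packets, at_least=10, seconds=60):
    """Run both filters over the packets, tracking by (src, dst) like by_both.

    Returns which (src, dst) pairs each filter alerted on, sorted.
    """
    count_f = CountFilter(at_least, seconds)
    distinct_f = DistinctFilter(at_least, seconds)
    alerted = {"count": set(), "distinct": set()}
    for ts, src, dst, dport in packets:
        key = (src, dst)
        if count_f.check(key, ts):
            alerted["count"].add(key)
        if distinct_f.check(key, dport, ts):
            alerted["distinct"].add(key)
    return {name: sorted(keys) for name, keys in alerted.items()}


if __name__ == "__main__":
    for name, keys in evaluate(synthetic_traffic()).items():
        print(f"{name:8s} alerted on: {keys}")
```

Running it shows the plain count filter alerting on both the reconnecting client (10.0.0.5) and the real scanner (10.0.0.9), while the distinct filter alerts only on the scanner; the slow scanner (10.0.0.7) stays below threshold for both because at most five of its ports are ever inside one 60 s window. Note that a per-key set of distinct values is what makes this costlier than a plain counter: memory grows with the number of distinct values per tracked pair until they expire, which is worth bounding in a real implementation.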
