Feature #7928
openrules: distinct counting logic
Description
Hello team,
I wish to introduce a new feature suggestion and after your approval and direction I would like to implement it.
We want to detect port scans in the network; however, there are a lot of communications to the same port in a short time, which gives us false positives. An example rule that suffers from that:
alert tcp any any -> $HOME_NET any (
msg:"Vertical scan: >=10 TCP SYNs to one host in 60s";
flags:S; ack:0; flow:stateless;
detection_filter: track by_both, count 10, seconds 60;
classtype:attempted-recon; sid:1000001; rev:1;
)
I have some suggested solutions:
1. Having a new plugin that allows counting distinct on some field (SQL style). So the rule will now look something like that:
alert tcp any any -> $HOME_NET any (
msg:"Vertical scan: >=10 distinct dst ports in 60s";
flags:S; ack:0; flow:stateless;
distinct: field=dst_port, at_least=10, window=60, track=by_both;
classtype:attempted-recon; sid:100001; rev:1;
)
2. Add a new possible field to detection_filter, so the rule will look like this:
alert tcp any any -> $HOME_NET any (
msg:"Vertical scan: >=10 TCP SYNs to one host in 60s";
flags:S; ack:0; flow:stateless;
detection_filter: track by_both, count 10, seconds 60, unique_on dst_port;
classtype:attempted-recon; sid:1000001; rev:1;
)
Let me know what you think :)
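The following is an added example, not code from the reporter or from the Suricata project. It is a small Python model of the two counting semantics discussed above: a per-(src,dst) sliding window ("track by_both") that either counts every matching SYN, as detection_filter does, or counts only distinct dst ports, as the proposed distinct/unique_on keyword would. The traffic is constructed inline: repeated connections to one web port (the false-positive case), a ten-port vertical scan, and a slow scan that spreads its ten probes beyond the 60-second window. The class and function names, and the simplification that an alert is raised on every packet at or past the threshold within the window, are assumptions made for the illustration.

```python
"""Model of threshold counting with and without distinct-port logic.

Constructed example for the feature request; not Suricata code and not the
reporter's code. 'key = (src, dst)' models 'track by_both'.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Syn:
    """One TCP SYN observed on the wire (constructed sample record)."""
    ts: float      # seconds
    src: str
    dst: str
    dport: int


class WindowCounter:
    """Per-key sliding window that mirrors 'count N, seconds T'.

    With distinct_on_port=False every SYN in the window counts, which is the
    detection_filter behaviour the reporter says causes false positives.
    With distinct_on_port=True only the number of different dst ports seen in
    the window counts, which is the proposed 'distinct' / 'unique_on' logic.
    """

    def __init__(self, count: int, seconds: float, distinct_on_port: bool = False):
        self.count = count
        self.seconds = seconds
        self.distinct_on_port = distinct_on_port
        self.windows = defaultdict(deque)  # (src, dst) -> deque of (ts, dport)

    def observe(self, pkt: Syn) -> bool:
        """Record pkt; return True if the rule would alert on it."""
        win = self.windows[(pkt.src, pkt.dst)]
        # Drop entries that fell out of the time window.
        while win and pkt.ts - win[0][0] > self.seconds:
            win.popleft()
        win.append((pkt.ts, pkt.dport))
        if self.distinct_on_port:
            seen = len({dport for _, dport in win})
        else:
            seen = len(win)
        # Assumption: alert on the count-th match and every later one in the window.
        return seen >= self.count


def run_rule(packets, count: int = 10, seconds: float = 60.0,
             distinct_on_port: bool = False):
    """Replay packets through the counter; return (ts, src, dst) per alert."""
    counter = WindowCounter(count, seconds, distinct_on_port)
    return [(p.ts, p.src, p.dst) for p in packets if counter.observe(p)]


# Constructed traffic.
WEB_SERVER = "10.0.0.10"
# 1) A client opening 12 connections to the same HTTPS port within 12 s:
#    legitimate, but 12 SYNs to one host in 60 s.
BENIGN = [Syn(float(i), "10.0.0.5", WEB_SERVER, 443) for i in range(12)]
# 2) A vertical scan: 10 SYNs to 10 different ports in 10 s.
SCAN = [Syn(100.0 + i, "10.0.0.66", WEB_SERVER, 1 + i) for i in range(10)]
# 3) A slow scan: one port every 10 s, so no 60 s window holds 10 probes.
SLOW_SCAN = [Syn(200.0 + 10 * i, "10.0.0.77", WEB_SERVER, 1 + i) for i in range(10)]

TRAFFIC = BENIGN + SCAN + SLOW_SCAN


def plain_alerts():
    """detection_filter semantics: fires 3x on the benign client, 1x on the scan."""
    return run_rule(TRAFFIC)


def distinct_alerts():
    """Distinct-port semantics: fires only on the ten-port scan."""
    return run_rule(TRAFFIC, distinct_on_port=True)


if __name__ == "__main__":
    print("plain count   :", plain_alerts())
    print("distinct ports:", distinct_alerts())
```

Running it shows the plain counter alerting four times (three of them on the repeat client to port 443, the false-positive case from the description) while the distinct-port counter alerts once, on the scanner only. Neither variant catches the slow scan, since the window is 60 s in both rules; that is a limitation of the window, not of the counting logic.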