Analysis Pipeline: Filtering Naïve Scans

Scanning-related network traffic is pervasive in most networks. While some scans may precede adverse events, for many analyses scan traffic just adds noise and causes false positives. You can use simple filters and evaluations to build lists of the sources conducting some of the more naïve scans, then use those lists to filter scan traffic out of other analyses.

Single-Packet Scanners

This filter and evaluation will create a list of IP addresses that are sending single-packet flows to a large number of unique destinations in a short time period. IP addresses will stay in the list for 10 minutes after they terminate scanning.

FILTER potentialScanFlows
    PACKETS == 1
END FILTER

EVALUATION scanners
    FILTER potentialScanFlows
    FOREACH SIP
        CHECK THRESHOLD
            DISTINCT DIP > 100
            TIME_WINDOW 5 MINUTES
        END CHECK
    OUTPUT_TIMEOUT 10 MINUTES
    OUTPUT LIST SIP scannerList_SinglePacket
    DO NOT ALERT
    CLEAR ALWAYS
END EVALUATION


To create an IP set of these addresses, use a list configuration that overwrites a seeded set file on every update. The initial set file can be an empty set or a set of already-known scanners.

LIST CONFIGURATION scannerList_SinglePacket
    SEVERITY 5
    SEED "scannerList_SinglePacket.set"
    OVERWRITE ON UPDATE
    UPDATE 5 MINUTES
END LIST CONFIGURATION


You can use the list to remove scan-related flows in other filters through the ANY IP NOT_IN_LIST command:

    ANY IP NOT_IN_LIST scannerList_SinglePacket
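The following is an added example, not code from this page or from the SiLK Analysis Pipeline. It models the single-packet evaluation above (5-minute sliding window, DISTINCT DIP > 100, 10-minute output timeout) and the ANY IP NOT_IN_LIST filter on constructed flow records, so you can see which sources end up listed, when they age out, and which flows a downstream filter keeps. Flow records are constructed tuples of (time in seconds, SIP, DIP, packets); the class and function names are assumptions.

```python
from collections import defaultdict, deque

WINDOW = 5 * 60            # TIME_WINDOW 5 MINUTES
DISTINCT_DIP_MIN = 100     # DISTINCT DIP > 100
OUTPUT_TIMEOUT = 10 * 60   # OUTPUT_TIMEOUT 10 MINUTES


class SinglePacketScannerList:
    """Model of FILTER potentialScanFlows + EVALUATION scanners (not SiLK code)."""

    def __init__(self):
        self.recent = defaultdict(deque)  # SIP -> (time, DIP) seen in the window
        self.expires = {}                 # SIP -> time it drops out of the list

    def observe(self, t, sip, dip, packets):
        if packets != 1:                  # FILTER potentialScanFlows: PACKETS == 1
            return
        q = self.recent[sip]
        q.append((t, dip))
        while q[0][0] < t - WINDOW:       # slide the 5-minute window
            q.popleft()
        if len({d for _, d in q}) > DISTINCT_DIP_MIN:   # CHECK THRESHOLD
            self.expires[sip] = t + OUTPUT_TIMEOUT      # refresh the 10-minute timeout

    def members(self, t):
        """Current OUTPUT LIST: sources whose timeout has not yet elapsed."""
        return {s for s, e in self.expires.items() if e > t}


def not_in_list(flows, scanners):
    """ANY IP NOT_IN_LIST: keep flows where neither endpoint is a listed scanner."""
    return [f for f in flows if f[1] not in scanners and f[2] not in scanners]


def demo():
    sl = SinglePacketScannerList()
    # Constructed traffic: 10.0.0.1 probes 150 distinct hosts with one packet
    # each over 150 s; 10.0.0.2 sends 300 single-packet flows to only 3 hosts.
    flows = [(i, "10.0.0.1", f"198.51.100.{i}", 1) for i in range(150)]
    flows += [(i, "10.0.0.2", f"203.0.113.{i % 3}", 1) for i in range(300)]
    for f in sorted(flows):
        sl.observe(*f)
    listed_at_150 = sl.members(150)            # scanner is on the list
    listed_at_749 = sl.members(749)            # 10 min after its last hit: gone
    kept = not_in_list(flows, listed_at_150)   # what other analyses would see
    return listed_at_150, listed_at_749, len(kept)


if __name__ == "__main__":
    print(demo())
```

The busy-but-legitimate host 10.0.0.2 never appears because the threshold counts distinct destinations, not flows, which is why this evaluation is safe to run against chatty internal servers.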

TCP SYN Scanners

This filter and evaluation will create a list of IP addresses that are engaging in TCP SYN scans, where the only flag sent in a flow is the SYN flag (no acknowledgement). This will capture scans where the initial SYN is sent more than once but no other packets occur—a common scenario missed when looking only for single-packet scanners. IP addresses will stay in the list for 10 minutes after they terminate scanning.

FILTER tcpSynScan
    PROTOCOL == 6
    FLAGS == S
END FILTER

EVALUATION tcpSynScanEval
    FILTER tcpSynScan
    FOREACH SIP
        CHECK THRESHOLD
            RECORD COUNT > 100
            TIME_WINDOW 5 MINUTES
        END CHECK
    SEVERITY 2
    OUTPUT_TIMEOUT 10 MINUTES
    OUTPUT LIST SIP scannerList_tcpSynScan
    CLEAR ALWAYS
    DO NOT ALERT
END EVALUATION


To create an IP set of these addresses, use a list configuration that overwrites a seeded set file on every update. The initial set file can be an empty set or a set of already-known scanners.

LIST CONFIGURATION scannerList_tcpSynScan
    SEVERITY 5
    SEED "scannerList_tcpSynScan.set"
    OVERWRITE ON UPDATE
    UPDATE 5 MINUTES
END LIST CONFIGURATION


You can use the list to remove scan-related flows in other filters through the ANY IP NOT_IN_LIST command:

    ANY IP NOT_IN_LIST scannerList_tcpSynScan

TCP ACK Scanners

This filter and evaluation will create a list of IP addresses that are engaging in TCP ACK scans, where the only flag sent in a flow is the ACK flag (no synchronize). This will capture scans where an initial acknowledgement packet is sent more than once but no other packets occur—a common scenario missed when looking only for single-packet scanners. IP addresses will stay in the list for 10 minutes after they terminate scanning.

FILTER tcpAckScan
    PROTOCOL == 6
    FLAGS == A
END FILTER

EVALUATION tcpAckScanEval
    FILTER tcpAckScan
    FOREACH SIP
        CHECK THRESHOLD
            RECORD COUNT > 100
            TIME_WINDOW 5 MINUTES
        END CHECK
    SEVERITY 2
    OUTPUT_TIMEOUT 10 MINUTES
    OUTPUT LIST SIP scannerList_tcpAckScan
    CLEAR ALWAYS
    DO NOT ALERT
END EVALUATION


To create an IP set of these addresses, use a list configuration that overwrites a seeded set file on every update. The initial set file can be an empty set or a set of already-known scanners.

LIST CONFIGURATION scannerList_tcpAckScan
    SEVERITY 5
    SEED "scannerList_tcpAckScan.set"
    OVERWRITE ON UPDATE
    UPDATE 5 MINUTES
END LIST CONFIGURATION


You can use the list to remove scan-related flows in other filters through the ANY IP NOT_IN_LIST command:

    ANY IP NOT_IN_LIST scannerList_tcpAckScan
