Hi, currently I am using tshark to capture my log on my host and I would like to capture a port scan attack while I am doing my normal stuff on my host, like surfing the net.
I plan to identify the attack by the number of ports being accessed per 30 sec. On top of that, I would like to use a rule that if the number of packets with source IP and destination IP equal to 172.20.180.27 and 172.20.180.12 appears to be the same amount or exceeds a certain range, it would prompt an alert.
Is it workable?
If not, is there any solution??
Assuming that you DON'T have these fields extracted already, we'll do that with rex inline in the search:
sourcetype=XXX
| rex "^\d\d\d\d-\d\d-\d\d\s+\d\d:\d\d:\d\d\.\d{6}\s+(?<src_ip>\S+)\s+->\s+(?<dst_ip>\S+)\s+(?<proto>\w+)\s+(?<YYY>\d+)\s+(?<src_port>\d+)\s+>\s+(?<dst_port>\d+)\s+"
| search dst_ip=172.20.180.27
| timechart span=30s dc(dst_port) by src_ip
The rex command should give you a new set of fields, called src_ip, dst_ip, proto, YYY, src_port and dst_port. What does the YYY number signify? Give it a nicer name if you want. Not used here anyway.
The search after the rex filters out the outbound traffic.
The timechart command will give you a table with the distinct number of ports per source IP in 30 second time slots.
Hope this helps,
Kristian
Sorry, I don't really understand that question.
With the question above, if I were to detect a port scan, it's not possible, as the number would go higher than a port scan if I were to use the internet, so, any solution??
Yes it does, a really big thank you.
Not sure I understand, but dc(dst_port) will return the distinct count, i.e. if the remote user connects 300 times to port 443 and 5 times to port 80, the distinct count is 2.
If you used c(dst_port) instead (c for count), the number would be 305.
If you used values(dst_port) the answer would be: 80, 443
Does this answer your question?
And if I want to alert if there is a port scan by 172.20.180.12 (attacker), but a refresh on a webpage can sometimes show more than the attacker, so what can I do from here??
172.20.180.12 - attacker
172.20.180.27 - host
2013-05-13 13:53:17.987923 172.20.180.12 -> 172.20.180.27 TCP 58 55343 > http [SYN] Seq=0 Win=1024 Len=0 MSS=1460
2013-05-13 13:53:21.199414 172.20.180.12 -> 172.20.180.27 TCP 74 44959 > https [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=3518195 TSecr=0 WS=16
2013-05-13 13:53:21.199474 172.20.180.27 -> 172.20.180.12 TCP 74 https > 44959 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1 TSval=1498581 TSecr=3518195
2013-05-13 13:53:21.199568 172.20.180.12 -> 172.20.180.27 TCP 66 44959 > https [ACK] Seq=1 Ack=1 Win=14608 Len=0 TSval=3518195 TSecr=1498581
Please post a few sample events.
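The rex extraction and the dc()/c()/values() distinction from Kristian's answers, as an added Python example that is not part of the thread: it runs the same logic over the sample events posted above, bucketed into 30 second slots per source IP, and flags sources whose distinct port count crosses an assumed threshold. The port fields are matched with \S+ rather than \d+ because the sample events show resolved service names (http, https) in the port columns; the threshold value and the function names are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Kristian's rex ported to a Python named-group regex. Ports use \S+ instead of \d+
# because the sample events carry resolved service names ("http", "https") there.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d)\s+(?P<time>\d\d:\d\d:\d\d\.\d{6})\s+(?P<src_ip>\S+)\s+->\s+"
    r"(?P<dst_ip>\S+)\s+(?P<proto>\w+)\s+(?P<length>\d+)\s+(?P<src_port>\S+)\s+>\s+(?P<dst_port>\S+)\s"
)

# The four sample events quoted in the thread (attacker 172.20.180.12, host 172.20.180.27).
SAMPLE_EVENTS = """\
2013-05-13 13:53:17.987923 172.20.180.12 -> 172.20.180.27 TCP 58 55343 > http [SYN] Seq=0 Win=1024 Len=0 MSS=1460
2013-05-13 13:53:21.199414 172.20.180.12 -> 172.20.180.27 TCP 74 44959 > https [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=3518195 TSecr=0 WS=16
2013-05-13 13:53:21.199474 172.20.180.27 -> 172.20.180.12 TCP 74 https > 44959 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1 TSval=1498581 TSecr=3518195
2013-05-13 13:53:21.199568 172.20.180.12 -> 172.20.180.27 TCP 66 44959 > https [ACK] Seq=1 Ack=1 Win=14608 Len=0 TSval=3518195 TSecr=1498581
"""

def parse_event(line):
    """Extract the rex fields from one tshark line; None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    ts = datetime.strptime(f.pop("date") + " " + f.pop("time"), "%Y-%m-%d %H:%M:%S.%f")
    f["epoch"] = ts.replace(tzinfo=timezone.utc).timestamp()  # capture clock treated as UTC
    return f

def port_stats(lines, host_ip, span=30):
    """Like `search dst_ip=<host> | timechart span=30s dc(dst_port) by src_ip`, plus the
    c() and values() variants: {(bucket_start_epoch, src_ip): {"dc", "c", "values"}}."""
    ports = defaultdict(list)
    for line in lines:
        f = parse_event(line)
        if f is None or f["dst_ip"] != host_ip:  # skip unparsable lines and outbound traffic
            continue
        bucket = int(f["epoch"] // span) * span
        ports[(bucket, f["src_ip"])].append(f["dst_port"])
    return {k: {"dc": len(set(v)), "c": len(v), "values": sorted(set(v))}
            for k, v in ports.items()}

def scan_alerts(stats, dc_threshold):
    """Source IPs that hit more than dc_threshold distinct host ports inside one slot. Using
    dc() rather than c() keeps a busy page refresh (many packets, one or two ports) quiet."""
    return sorted({src for (_, src), s in stats.items() if s["dc"] > dc_threshold})

if __name__ == "__main__":
    stats = port_stats(SAMPLE_EVENTS.splitlines(), "172.20.180.27")
    print(stats, scan_alerts(stats, 10))  # assumed threshold of 10 distinct ports per slot
```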