One of my clients requested a rule to alert if anyone starts scanning on a particular TCP port from the outside. They collect logs from a number of perimeter devices and asked for a threshold of 10 unique IPs being scanned by a single source.
I set up the rule to look at:
TCPTrafficAudit.DestinationPort= <application Port number>
AND
TCPTrafficAudit.Protocol=TCP
Correlation Time:
10 Events within 60 seconds
Response Window: 5 minutes
Advanced Threshold:
TCPTrafficAudit.SourceMachine - Same
TCPTrafficAudit.DestinationMachine - Distinct
With so many people out there scanning network addresses, often for popular applications, I imagine this rule will probably be firing quite a bit. Is there any way to make sure that it only fires once per (day/hour) for a single unique source IP? Would setting the Re-Infer (TOT) mean that all additional unique IPs that also scan for this port during that time would be missed? I.e. the first bad actor scans 10 unique IPs, and the alert fires. A second bad actor scans 10 minutes later, and the alert should fire. If the Re-Infer (TOT) was set to 15 minutes, would I miss the second instance?
Thank you for any tips, tricks, or feedback.
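The following is an added illustration, not code from the original post and not the SIEM's own correlation engine: a small stand-alone Python model of the rule described above (one source, 10 distinct destinations on the watched port within 60 seconds), with a re-fire suppression window keyed per source IP rather than per rule. It runs over a constructed log sample in which the first scanner sweeps 10 hosts, rescans two minutes later, and a second scanner sweeps 10 hosts ten minutes after the first. The watched port (3389), the 15-minute suppression window and the key=value log format are assumptions chosen for the example; how the product's own Re-Infer (TOT) setting scopes its suppression is not something this example can confirm.

```python
"""Added example: a minimal port-scan correlation engine (not the SIEM's own code).

Alert when one source machine touches THRESHOLD distinct destination machines
on WATCHED_PORT within CORRELATION_WINDOW seconds, then suppress further alerts
for that same source for REFIRE_WINDOW seconds. Because suppression is keyed
per source IP, a different scanner that starts later still produces an alert.
"""
from collections import defaultdict, deque

WATCHED_PORT = 3389          # assumption: stands in for the "application port number"
PROTOCOL = "TCP"
THRESHOLD = 10               # distinct destinations per source
CORRELATION_WINDOW = 60      # seconds, "10 events within 60 seconds"
REFIRE_WINDOW = 15 * 60      # seconds; assumed per-source suppression window


class ScanDetector:
    def __init__(self, threshold=THRESHOLD, window=CORRELATION_WINDOW,
                 refire=REFIRE_WINDOW):
        self.threshold = threshold
        self.window = window
        self.refire = refire
        # per source: (timestamp, destination) pairs still inside the window
        self.events = defaultdict(deque)
        # per source: timestamp of the last alert, used for suppression
        self.last_alert = {}

    def feed(self, ts, src, dst, dport, proto):
        """Feed one event; return an alert dict or None."""
        if dport != WATCHED_PORT or proto != PROTOCOL:
            return None
        q = self.events[src]
        q.append((ts, dst))
        # expire events older than the correlation window
        while q and ts - q[0][0] > self.window:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) < self.threshold:
            return None
        last = self.last_alert.get(src)
        if last is not None and ts - last < self.refire:
            return None  # suppressed: this source already alerted recently
        self.last_alert[src] = ts
        return {"ts": ts, "source": src, "distinct_destinations": len(distinct)}


def parse_line(line):
    """Parse a constructed 'key=value' log line into (ts, src, dst, dport, proto)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return (int(fields["ts"]), fields["src"], fields["dst"],
            int(fields["dport"]), fields["proto"])


def build_sample_log():
    """Constructed sample, not real traffic.

    Scanner A (203.0.113.5) sweeps 10 hosts at t=0..9, then 10 more at t=120..129.
    Scanner B (203.0.113.77) sweeps 10 hosts at t=600..609, ten minutes later.
    One unrelated event on port 443 is included as noise.
    """
    lines = []
    for i in range(10):
        lines.append(f"ts={i} src=203.0.113.5 dst=198.51.100.{i + 1} dport={WATCHED_PORT} proto=TCP")
    for i in range(10):
        lines.append(f"ts={120 + i} src=203.0.113.5 dst=198.51.100.{i + 11} dport={WATCHED_PORT} proto=TCP")
    for i in range(10):
        lines.append(f"ts={600 + i} src=203.0.113.77 dst=198.51.100.{i + 1} dport={WATCHED_PORT} proto=TCP")
    lines.append("ts=650 src=203.0.113.99 dst=198.51.100.1 dport=443 proto=TCP")
    return lines


def run(lines):
    """Run the detector over log lines and return the list of alerts raised."""
    det = ScanDetector()
    alerts = []
    for line in lines:
        alert = det.feed(*parse_line(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run(build_sample_log()):
        print(a)
```

With these settings the sample produces exactly two alerts: one for 203.0.113.5 at t=9, and one for 203.0.113.77 at t=609. The rescan by 203.0.113.5 at t=120..129 crosses the threshold again but is suppressed, because its own last alert is still inside the 15-minute window. That is the per-source behaviour the post is asking for; if a product instead scoped its re-fire timer to the rule as a whole, the second source would be the one silenced, so the scope of that timer is the thing to verify in the product's documentation or with a test like this one.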