topic Search Command to identify a Port Scan attack in Splunk Search

Search Command to identify a Port Scan attack

Kai191 — Tue, 14 May 2013 06:42:11 GMT

Hi, currently I am using t-shark to capture my log on my host and I would like to capture a port scan attack while I am doing my normal stuff on my host like surfing the net.

I plan to identify the attack by the amount of port being access per 30 sec. On top of that I would like to used if the number of source ip and destination ip equal to 172.20.180.27 and 172.20.180.12 packet appear to be the same amount or exceed a certain range, it would prompt an alert.

Is it workable?
If not, are there any Solution??

Re: Search Command to identify a Port Scan attack

kristian_kolb — Tue, 14 May 2013 06:52:19 GMT

please post a few sample events.

Re: Search Command to identify a Port Scan attack

Kai191 — Tue, 14 May 2013 06:56:44 GMT

2013-05-13 13:53:17.987923 172.20.180.12 -> 172.20.180.27 TCP 58 55343 > http [SYN] Seq=0 Win=1024 Len=0 MSS=1460

2013-05-13 13:53:21.199414 172.20.180.12 -> 172.20.180.27 TCP 74 44959 > https [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=3518195 TSecr=0 WS=16

2013-05-13 13:53:21.199474 172.20.180.27 -> 172.20.180.12 TCP 74 https > 44959 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1 TSval=1498581 TSecr=3518195

2013-05-13 13:53:21.199568 172.20.180.12 -> 172.20.180.27 TCP 66 44959 > https [ACK] Seq=1 Ack=1 Win=14608 Len=0 TSval=3518195 TSecr=1498581

Re: Search Command to identify a Port Scan attack

Kai191 — Tue, 14 May 2013 06:57:07 GMT

172.20.180.12 - attacker
172.20.180.27 - host

Re: Search Command to identify a Port Scan attack

kristian_kolb — Tue, 14 May 2013 07:44:15 GMT

Assuming that you DON'T have these fields extracted already, we'll do that with rex inline in the search;

sourcetype=XXX 
| rex "^\d\d\d\d-\d\d-\d\d\s+\d\d:\d\d:\d\d\.\d{6}\s+(?<src_ip>\S+)\s+->\s+(?<dst_ip>\S+)\s+(?<proto>\w+)\s+(?<YYY>\d+)\s+(?<src_port>\d+)\s+>\s+(?<dst_port>\d+)\s+"
| search dst_ip=172.20.180.27
| timechart span=30s dc(dst_port) by src_ip

The rex command should give you a new set of fields, called src_ip, dst_ip, proto, YYY, src_port and dst_port. What does the YYY number signify? Give it a nicer name if you want. Not used here anyway.

The search after the rex filters out the outbound traffic.

The timechart command will give you a table with the distinct number of ports per source-IP in 30 second time slots.

Hope this helps,

Kristian

Re: Search Command to identify a Port Scan attack

Kai191 — Tue, 14 May 2013 09:39:54 GMT

and if I wan to alert if there is an port scan by 172.20.180.12(attacker) but a refresh on a webpage can sometime shown more than attacker, so what can I do from here??

Re: Search Command to identify a Port Scan attack

kristian_kolb — Tue, 14 May 2013 17:46:19 GMT

Not sure I understand, but dc(dst_port) will return the distinct count, i.e. if the remote user connects 300 times to port 443 and 5 times to port 80, the distinct count is 2.

If you used c(dst_port) instead (c for count), the number would be 305.

If you used values(dst_port) the answer would be: 80, 443

Does this answer your question?

Re: Search Command to identify a Port Scan attack

Kai191 — Wed, 15 May 2013 06:01:39 GMT

Yes it does, a really big thank you.

Re: Search Command to identify a Port Scan attack

Kai191 — Fri, 17 May 2013 09:07:13 GMT

With the qns above, if I were to detect a port scan, it's not possible as the number would exceed more high than port scan if I were to used internet, so, any solution??

Re: Search Command to identify a Port Scan attack

kristian_kolb — Fri, 17 May 2013 10:39:35 GMT

Sorry, I don't really understand that question.