Splunk Search

Splunk query for port scan

dsdeepak
Explorer

Hi All,

I am looking for splunk query to detect vertical and horizontal port scan in the Infra. Any help in this regard will be appreciable. Here is query in layman language.

Vertical Port Scan:

1. External IP performing scan on single system for multiple ports

Horizontal Port Scan:

1.  External IP is scanning multiple systems for querying single port.  

 

 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Check out Basic Scanning in the Splunk Security Essentials app.

---
If this reply helps you, Karma would be appreciated.
0 Karma

thambisetty
SplunkTrust
SplunkTrust

you might get so many alerts if you create alert based on static thresholds

Below is the search uses static threshold

vertical:

index=trafficlogs 

| stats dc(dest_port) as dc_dest_port by src, dest

| where dc_dest_port > 10

horizontal:

index=trafficlogs

| stats dc(dest) as dc_dest by src, dest_port

| where dc_dest > 10

10 is threshold here.

————————————
If this helps, give a like below.
0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...