Hi All,
I am looking for splunk query to detect vertical and horizontal port scan in the Infra. Any help in this regard will be appreciable. Here is query in layman language.
Vertical Port Scan:
1. External IP performing scan on single system for multiple ports
Horizontal Port Scan:
1. External IP is scanning multiple systems for querying single port.
Check out Basic Scanning in the Splunk Security Essentials app.
you might get so many alerts if you create alert based on static thresholds
Below is the search uses static threshold
vertical:
index=trafficlogs
| stats dc(dest_port) as dc_dest_port by src, dest
| where dc_dest_port > 10
horizontal:
index=trafficlogs
| stats dc(dest) as dc_dest by src, dest_port
| where dc_dest > 10
10 is threshold here.