Splunk query for port scan

dsdeepak · ‎10-01-2020

Hi All,

I am looking for splunk query to detect vertical and horizontal port scan in the Infra. Any help in this regard will be appreciable. Here is query in layman language.

Vertical Port Scan:

1. External IP performing scan on single system for multiple ports

Horizontal Port Scan:

1. External IP is scanning multiple systems for querying single port.

richgalloway · ‎10-01-2020

Check out Basic Scanning in the Splunk Security Essentials app.

---
If this reply helps you, Karma would be appreciated.

thambisetty · ‎10-01-2020

you might get so many alerts if you create alert based on static thresholds

Below is the search uses static threshold

vertical:

index=trafficlogs

| stats dc(dest_port) as dc_dest_port by src, dest

| where dc_dest_port > 10

horizontal:

index=trafficlogs

| stats dc(dest) as dc_dest by src, dest_port

| where dc_dest > 10

10 is threshold here.

————————————
If this helps, give a like below.

Splunk query for port scan

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation

Splunk query for port scan

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...