
Recon Theme

Use the JSA Recon Theme Content Extension to focus on reconnaissance events and their detection.

JSA Recon Theme Content Extension V1.0.2

The following table shows the building blocks that are updated in JSA Recon Theme Content Extension V1.0.2.

Table 1: Building Blocks in JSA Recon Theme Content Extension V1.0.2

| Name | Description |
|---|---|
| BB:HostDefinition: Proxy Servers | Added BB:PortDefinition: Proxy Ports to the rule test. |
| BB:Threats: Suspicious IP Protocol Usage: Illegal TCP Flag Combination | Removed rule condition: "and when the flow type is one of these flow types." |
| BB:Threats: Suspicious IP Protocol Usage: Suspicious ICMP Type Code | Removed rule condition: "and when the flow type is one of these flow types." |
| BB:Threats: Suspicious IP Protocol Usage: TCP or UDP Port 0 | Removed rule condition: "and when the flow type is one of these flow types." |
| BB:CategoryDefinition: Unidirectional Flow SRC | |
| BB:Flowshape: Outbound Only | Matches flows that are outbound only. |
| BB:CategoryDefinition: Recon Event Categories | Edit this building block to include all events that indicate reconnaissance activity. |
| BB:CategoryDefinition: Suspicious Event Categories | Edit this building block to include all events that indicate suspicious activity. |
| BB:Threats: Scanning: ICMP Scan Low | Identifies a low level of ICMP reconnaissance. |
| BB:Threats: Suspicious IP Protocol Usage: Zero Payload Bidirectional Flows | Identifies bidirectional traffic that doesn't include payload. |
| BB:Threats: Scanning: Scan High | Identifies a high level of potential reconnaissance. |
| BB:CategoryDefinition: Unidirectional Flow | |
| BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Replys | Identifies traffic where ICMP replies are seen with no request. |
| BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Flows | Identifies unidirectional ICMP flows. |
| BB:Flowshape: Inbound Only | Matches flows that are inbound only. |
| BB:NetworkDefinition: Honeypot like Addresses | Edit this building block by replacing the other network with the network objects defined in your network hierarchy that aren't currently used in your network or that are used in a honeypot or tarpit installation. After these are defined, you must enable the Anomaly: Potential Honeypot Access rule. To generate events based on attempted access, you must also add a security/policy sentry to these network objects. |
| BB:CategoryDefinition: Recon Flows | Edit this building block to include all events that indicate suspicious activity. |
| BB:Threats: Port Scans: UDP Port Scan | Identifies UDP-based port scans. |
| BB:Threats: Scanning: ICMP Scan Medium | Identifies a medium level of ICMP reconnaissance. |
| BB:Threats: Scanning: Empty Responsive Flows Low | Detects potential reconnaissance activity where the source packet count is greater than 500. |
| BB:CategoryDefinition: Suspicious Flows | Edit this building block to include all events that indicate suspicious activity. |
| BB:CategoryDefinition: Suspicious Events | Edit this building block to include all events that indicate suspicious activity. |
| BB:Threats: Suspicious IP Protocol Usage: Long Duration Outbound Flow | Identifies flows that have been active for more than 48 hours. |
| BB:Threats: Scanning: Empty Responsive Flows Medium | Detects potential reconnaissance activity where the source packet count is greater than 5,000. |
| BB:Threats: Suspicious IP Protocol Usage: Large ICMP Packets | Identifies flows with abnormally large ICMP packets. |
| BB:Threats: Scanning: ICMP Scan High | Identifies a high level of ICMP reconnaissance. |
| BB:Threats: Port Scans: Host Scans | Identifies potential reconnaissance by flows. |
| BB:Threats: Scanning: Scan Medium | Identifies a medium level of potential reconnaissance. |
| BB:Threats: Scanning: Scan Low | Identifies a low level of potential reconnaissance. |
| BB:CategoryDefinition: Recon Events | Edit this building block to include all events that indicate reconnaissance activity. |
| BB:Threats: Scanning: Potential Scan | Identifies potential reconnaissance by flows. |
| BB:CategoryDefinition: Unidirectional Flow DST | |
| BB:Threats: Suspicious IP Protocol Usage:Unidirectional TCP Flows | Identifies unidirectional TCP flows. |
| BB:Threats: Scanning: Empty Responsive Flows High | Detects potential reconnaissance activity where the source packet count is greater than 100,000. |
| BB:Threats: Suspicious IP Protocol Usage: Large DNS Packets | Identifies flows with abnormally large DNS packets. |
| BB:Threats: Suspicious IP Protocol Usage:Unidirectional UDP and Misc Flows | Identifies unidirectional UDP and other miscellaneous flows. |
| BB:Suspicious: Remote: Unidirectional UDP or Misc Flows | Detects an excessive number of unidirectional UDP and miscellaneous flows from a single source. |
| BB:Suspicious: Local: Unidirectional UDP or Misc Flows | Detects an excessive number of unidirectional UDP and miscellaneous flows from a single source. |

JSA Recon Theme Content Extension V1.0.0

The following reference sets were added in JSA Recon Theme Content Extension V1.0.0.

  • Database Servers
  • DHCP Servers
  • DNS Servers
  • FTP Servers
  • LDAP Servers
  • Mail Servers
  • Proxy Servers
  • SSH Servers
  • Web Servers
  • Windows Servers

The following rules and building blocks were added in JSA Recon Theme Content Extension V1.0.0.

Table 2: Rules and Building Blocks in JSA Recon Theme Content Extension V1.0.0

| Type | Name | Description |
|---|---|---|
| Building Block | BB:CategoryDefinition: Recon Event Categories | Edit this building block to include all events that indicate reconnaissance activity. |
| Building Block | BB:CategoryDefinition: Recon Events | Edit this building block to include all events that indicate reconnaissance activity. |
| Building Block | BB:CategoryDefinition: Recon Flows | Edit this building block to include all events that indicate suspicious activity. |
| Building Block | BB:CategoryDefinition: Suspicious Event Categories | Edit this building block to include all events that indicate suspicious activity. |
| Building Block | BB:CategoryDefinition: Suspicious Events | Edit this building block to include all events that indicate suspicious activity. |
| Building Block | BB:CategoryDefinition: Suspicious Flows | Edit this building block to include all events that indicate suspicious activity. |
| Building Block | BB:CategoryDefinition: Unidirectional Flow | |
| Building Block | BB:CategoryDefinition: Unidirectional Flow DST | |
| Building Block | BB:CategoryDefinition: Unidirectional Flow SRC | |
| Building Block | BB:Flowshape: Inbound Only | Matches flows that are inbound only. |
| Building Block | BB:Flowshape: Outbound Only | Matches flows that are outbound only. |
| Building Block | BB:HostDefinition: Database Servers | Edit this building block to define typical database servers. This building block is used in conjunction with the BB:FalsePositive: Database Server False Positive Categories and BB:FalsePositive: Database Server False Positive Events building blocks. |
| Building Block | BB:HostDefinition: DHCP Servers | Edit this building block to define typical DHCP servers. This building block is used in conjunction with the BB:FalsePositive: DHCP Server False Positives Categories and BB:FalsePositive: DHCP Server False Positive Events building blocks. |
| Building Block | BB:HostDefinition: DNS Servers | Edit this building block to define typical DNS servers. This building block is used in conjunction with the BB:FalsePositive: DNS Server False Positives Categories and BB:FalsePositive: DNS Server False Positive Events building blocks. |
| Building Block | BB:HostDefinition: FTP Servers | Edit this building block to define typical FTP servers. This building block is used in conjunction with the BB:FalsePositive: FTP Server False Positives Categories and BB:FalsePositive: FTP Server False Positive Events building blocks. |
| Building Block | BB:HostDefinition: LDAP Servers | Edit this building block to define typical LDAP servers. This building block is used in conjunction with the BB:FalsePositive: LDAP Server False Positives Categories and BB:FalsePositive: LDAP Server False Positive Events building blocks. |
| Building Block | BB:HostDefinition: Mail Servers | Edit this building block to define typical mail servers. This building block is used in conjunction with the BB:FalsePositive: Mail Server False Positives Categories and BB:FalsePositive: Mail Server False Positive Events building blocks. |
| Building Block | BB:HostDefinition: Network Management Servers | Edit this building block to define typical network management servers. |
| Building Block | BB:HostDefinition: Proxy Servers | Edit this building block to define typical proxy servers. This building block is used in conjunction with the BB:FalsePositive: Proxy Server False Positives Categories and BB:FalsePositive: Proxy Server False Positive Events building blocks. |
| Building Block | BB:HostDefinition: RPC Servers | Edit this building block to define typical RPC servers. This building block is used in conjunction with the BB:FalsePositive: RPC Server False Positives Categories and BB:FalsePositive: RPC Server False Positive Events building blocks. |
| Building Block | BB:HostDefinition: Servers | Edit this building block to define generic servers. |
| Building Block | BB:HostDefinition: SNMP Sender or Receiver | Edit this building block to define SNMP senders or receivers. This building block is used in conjunction with the BB:PortDefinition: SNMP Ports building block. |
| Building Block | BB:HostDefinition: SSH Servers | Edit this building block to define typical SSH servers. This building block is used in conjunction with the BB:FalsePositive: SSH Server False Positives Categories and BB:FalsePositive: SSH Server False Positive Events building blocks. |
| Building Block | BB:HostDefinition: Virus Definition and Other Update Servers | Edit this building block to include all servers that provide virus protection and update functions. |
| Building Block | BB:HostDefinition: Web Servers | Edit this building block to define typical web servers. This building block is used in conjunction with the BB:FalsePositive: Web Server False Positives Categories and BB:FalsePositive: Web Server False Positive Events building blocks. |
| Building Block | BB:HostDefinition: Windows Servers | Edit this building block to define typical Windows servers, such as domain controllers or Exchange servers. This building block is used in conjunction with the BB:FalsePositive: Windows Server False Positives Categories and BB:FalsePositive: Windows Server False Positive Events building blocks. |
| Building Block | BB:HostReference: Database Servers | |
| Building Block | BB:HostReference: DHCP Servers | |
| Building Block | BB:HostReference: DNS Servers | |
| Building Block | BB:HostReference: FTP Servers | |
| Building Block | BB:HostReference: LDAP Servers | |
| Building Block | BB:HostReference: Mail Servers | |
| Building Block | BB:HostReference: Proxy Servers | |
| Building Block | BB:HostReference: SSH Servers | |
| Building Block | BB:HostReference: Web Servers | |
| Building Block | BB:HostReference: Windows Servers | |
| Building Block | BB:NetworkDefinition: Honeypot like Addresses | Edit this building block by replacing the other network with network objects defined in your network hierarchy that are not currently in use in your network or that are used in a honeypot or tarpit installation. After these are defined, you must enable the Anomaly: Potential Honeypot Access rule. You must also add a security/policy sentry to these network objects to generate events based on attempted access. |
| Building Block | BB:PortDefinition: Database Ports | Edit this building block to include all common database ports. |
| Building Block | BB:PortDefinition: DHCP Ports | Edit this building block to include all common DHCP ports. |
| Building Block | BB:PortDefinition: DNS Ports | Edit this building block to include all common DNS ports. |
| Building Block | BB:PortDefinition: FTP Ports | Edit this building block to include all common FTP ports. |
| Building Block | BB:PortDefinition: Game Server Ports | Edit this building block to include all common game server ports. |
| Building Block | BB:PortDefinition: IM Ports | Edit this building block to include all common IM ports. |
| Building Block | BB:PortDefinition: IRC Ports | Edit this building block to include all common IRC ports. |
| Building Block | BB:PortDefinition: LDAP Ports | Edit this building block to include all common ports used by LDAP servers. |
| Building Block | BB:PortDefinition: Mail Ports | Edit this building block to include all common ports used by mail servers. |
| Building Block | BB:PortDefinition: P2P Ports | Edit this building block to include all common ports used by Peer-to-Peer (P2P) servers. |
| Building Block | BB:PortDefinition: Proxy Ports | Edit this building block to include all common ports used by proxy servers. |
| Building Block | BB:PortDefinition: RPC Ports | Edit this building block to include all common ports used by RPC servers. |
| Building Block | BB:PortDefinition: SNMP Ports | Edit this building block to include all common ports used by SNMP senders or receivers. |
| Building Block | BB:PortDefinition: SSH Ports | Edit this building block to include all common ports used by SSH servers. |
| Building Block | BB:PortDefinition: Web Ports | Edit this building block to include all common ports used by web servers. |
| Building Block | BB:PortDefinition: Windows Ports | Edit this building block to include all common ports used by Windows servers. |
| Building Block | BB:ProtocolDefinition: Windows Protocols | Edit this building block to include all common protocols (not including TCP) used by Windows servers that are to be ignored by the false-positive tuning rules. |
| Building Block | BB:ReconDetected: Devices That Merge Recon into Single Events | Edit this building block to include all devices that accumulate reconnaissance across multiple hosts or ports into a single event. This rule forces these events to become offenses. |
| Building Block | BB:Suspicious: Local: Unidirectional UDP or Misc Flows | Detects an excessive number of unidirectional UDP and miscellaneous flows from a single source. |
| Building Block | BB:Suspicious: Remote: Unidirectional UDP or Misc Flows | Detects an excessive number of unidirectional UDP and miscellaneous flows from a single source. |
| Building Block | BB:Threats: Port Scans: Host Scans | Identifies potential reconnaissance by flows. |
| Building Block | BB:Threats: Port Scans: UDP Port Scan | Identifies UDP-based port scans. |
| Building Block | BB:Threats: Scanning: Empty Responsive Flows High | Detects potential reconnaissance activity where the source packet count is greater than 100,000. |
| Building Block | BB:Threats: Scanning: Empty Responsive Flows Low | Detects potential reconnaissance activity where the source packet count is greater than 500. |
| Building Block | BB:Threats: Scanning: Empty Responsive Flows Medium | Detects potential reconnaissance activity where the source packet count is greater than 5,000. |
| Building Block | BB:Threats: Scanning: ICMP Scan High | Identifies a high level of ICMP reconnaissance. |
| Building Block | BB:Threats: Scanning: ICMP Scan Low | Identifies a low level of ICMP reconnaissance. |
| Building Block | BB:Threats: Scanning: ICMP Scan Medium | Identifies a medium level of ICMP reconnaissance. |
| Building Block | BB:Threats: Scanning: Potential Scan | Identifies potential reconnaissance by flows. |
| Building Block | BB:Threats: Scanning: Scan High | Identifies a high level of potential reconnaissance. |
| Building Block | BB:Threats: Scanning: Scan Low | Identifies a low level of potential reconnaissance. |
| Building Block | BB:Threats: Scanning: Scan Medium | Identifies a medium level of potential reconnaissance. |
| Building Block | BB:Threats: Suspicious IP Protocol Usage: Illegal TCP Flag Combination | Identifies flows that have an illegal TCP flag combination. |
| Building Block | BB:Threats: Suspicious IP Protocol Usage: Large DNS Packets | Identifies flows with abnormally large DNS packets. |
| Building Block | BB:Threats: Suspicious IP Protocol Usage: Large ICMP Packets | Identifies flows with abnormally large ICMP packets. |
| Building Block | BB:Threats: Suspicious IP Protocol Usage: Long Duration Outbound Flow | Identifies flows that have been active for more than 48 hours. |
| Building Block | BB:Threats: Suspicious IP Protocol Usage: Suspicious ICMP Type Code | Identifies ICMP flows with suspicious ICMP type codes. |
| Building Block | BB:Threats: Suspicious IP Protocol Usage: TCP or UDP Port 0 | Identifies suspicious flows using port 0. |
| Building Block | BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Flows | Identifies unidirectional ICMP flows. |
| Building Block | BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Replys | Identifies traffic where ICMP replies are seen with no request. |
| Building Block | BB:Threats: Suspicious IP Protocol Usage: Zero Payload Bidirectional Flows | Identifies bidirectional traffic that doesn't include payload. |
| Building Block | BB:Threats: Suspicious IP Protocol Usage:Unidirectional TCP Flows | Identifies unidirectional TCP flows. |
| Building Block | BB:Threats: Suspicious IP Protocol Usage:Unidirectional UDP and Misc Flows | Identifies unidirectional UDP and other miscellaneous flows. |
| Rule | Local L2L Database Scanner | Reports a scan from a local host against other local targets. At least 30 hosts were scanned in 10 minutes. |
| Rule | Local L2L DHCP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common DHCP ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2L DNS Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common DNS ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2L FTP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common FTP ports to more than 30 hosts in 10 minutes. |
| Rule | Local L2L Game Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common game server ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2L ICMP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common ICMP ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2L IM Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common IM server ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2L IRC Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common IRC server ports to more than 10 hosts in 10 minutes. |
| Rule | Local L2L LDAP Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common LDAP ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2L Mail Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common mail server ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2L P2P Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common Peer-to-Peer (P2P) server ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2L Proxy Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common proxy server ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2L RPC Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common RPC server ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2L SNMP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common SNMP server ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2L SSH Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common SSH ports to more than 30 hosts in 10 minutes. |
| Rule | Local L2L Suspicious Probe Events Detected | Reports when various suspicious or reconnaissance events have been detected from the same local source IP address to more than 5 destination IP addresses in 4 minutes. This can indicate various forms of host probing, such as Nmap reconnaissance, which attempts to identify the services and operating systems of the target. |
| Rule | Local L2L TCP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common TCP ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2L UDP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common UDP ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2L Web Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common local web server ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2L Windows Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common Windows server ports to more than 200 hosts in 20 minutes. This rule can be prone to false positives for busy Windows servers. |
| Rule | Local L2R Database Scanner | Reports a scan from a local host against other remote targets. At least 30 hosts were scanned in 10 minutes. |
| Rule | Local L2R DHCP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common DHCP ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2R DNS Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common DNS ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2R FTP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common FTP ports to more than 30 hosts in 10 minutes. |
| Rule | Local L2R Game Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common game server ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2R ICMP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common ICMP ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2R IM Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common IM server ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2R IRC Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common IRC server ports to more than 10 hosts in 10 minutes. |
| Rule | Local L2R LDAP Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common LDAP ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2R Mail Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common mail server ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2R P2P Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common Peer-to-Peer (P2P) server ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2R Proxy Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common proxy server ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2R RPC Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common RPC server ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2R SNMP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common SNMP server ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2R SSH Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common SSH ports to more than 30 hosts in 10 minutes. |
| Rule | Local L2R Suspicious Probe Events Detected | Reports when various suspicious or reconnaissance events have been detected from the same local source IP address to more than 5 destination IP addresses in 4 minutes. This can indicate various forms of host probing, such as Nmap reconnaissance, which attempts to identify the services and operating systems of the target. |
| Rule | Local L2R TCP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common TCP ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2R UDP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common UDP ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2R Web Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common remote web server ports to more than 400 hosts in 10 minutes. |
| Rule | Local Windows Scanner to Internet | Reports a source IP address attempting reconnaissance or suspicious connections on common Windows server ports to more than 60 hosts in 20 minutes. This is classic worm behavior. |
| Rule | Remote Database Scanner | Reports a scan from a remote host against other local or remote targets. At least 30 hosts were scanned in 10 minutes. |
| Rule | Remote DHCP Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common DHCP ports to more than 30 hosts in 10 minutes. |
| Rule | Remote DNS Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common DNS ports to more than 60 hosts in 10 minutes. |
| Rule | Remote FTP Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common FTP ports to more than 30 hosts in 10 minutes. |
| Rule | Remote Game Server Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common game server ports to more than 30 hosts in 10 minutes. |
| Rule | Remote ICMP Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common ICMP ports to more than 60 hosts in 10 minutes. |
| Rule | Remote IM Server Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common IM server ports to more than 60 hosts in 10 minutes. |
| Rule | Remote IRC Server Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common IRC server ports to more than 10 hosts in 10 minutes. |
| Rule | Remote LDAP Server Scanner | Reports a scan from a remote host against other local or remote targets. At least 30 hosts were scanned in 10 minutes. |
| Rule | Remote Mail Server Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common mail server ports to more than 30 hosts in 10 minutes. |
| Rule | Remote P2P Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common Peer-to-Peer (P2P) server ports to more than 60 hosts in 10 minutes. |
| Rule | Remote Proxy Server Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common proxy server ports to more than 30 hosts in 10 minutes. |
| Rule | Remote RPC Server Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common RPC server ports to more than 30 hosts in 10 minutes. |
| Rule | Remote SNMP Scanner | Reports scans from a remote host against local or remote targets. At least 30 hosts were scanned in 10 minutes. |
| Rule | Remote SSH Server Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common SSH ports to more than 30 hosts in 10 minutes. |
| Rule | Remote Suspicious Probe Events Detected | Reports various suspicious or reconnaissance events from the same remote source IP address to more than 5 destination IP addresses in 4 minutes. This may indicate various forms of host probing, such as Nmap reconnaissance that attempts to identify the services and operating system of the targets. |
| Rule | Remote TCP Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common TCP ports to more than 60 hosts in 10 minutes. |
| Rule | Remote UDP Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common UDP ports to more than 60 hosts in 10 minutes. |
| Rule | Remote Web Server Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common local web server ports to more than 60 hosts in 10 minutes. |
| Rule | Remote Windows Server Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common Windows server ports to more than 60 hosts in 10 minutes. |
| Rule | Single Merged Recon Events Local Scanner | Reports merged reconnaissance events generated by some devices. This rule causes all these events to create an offense. All devices of this type and their categories should be added to the BB:ReconDetected: Devices which Merge Recon into Single Events building block. |
| Rule | Single Merged Recon Events Remote Scanner | Reports merged reconnaissance events generated by some devices. All devices of this type and their categories should be added to the BB:ReconDetected: Devices which Merge Recon into Single Events building block. |
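The scanner rules in the table share one shape: count the distinct destination hosts that a single source contacts on a service's ports inside a 10-minute window, and report when the count passes a threshold that depends on the service and on whether the targets are local (L2L) or remote (L2R). The following Python is an added example that models that logic; it is not the JSA rule engine, the network hierarchy, port sets and flow records are constructed, and the thresholds follow the SSH (more than 30 hosts) and DNS (more than 60 hosts) rule descriptions.

```python
"""Sliding-window scan detection modelled on the "Local L2L/L2R <service> Scanner" rules.
Added example, not the JSA rule engine: networks, port sets and flows are constructed;
thresholds (more than 30 SSH hosts / 60 DNS hosts in 10 minutes) follow the rule text."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Stand-in for the network hierarchy (constructed). Anything else is "remote".
LOCAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Stand-ins for BB:PortDefinition: SSH Ports / DNS Ports (constructed contents).
PORT_DEFINITIONS = {"SSH": {22}, "DNS": {53}}
# Host thresholds from the rule descriptions: the rule fires on "more than" N hosts.
THRESHOLDS = {"SSH": 30, "DNS": 60}
WINDOW_SECONDS = 10 * 60


def is_local(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)


def direction(src: str, dst: str) -> str:
    """Classify a flow as L2L, L2R, R2L or R2R, as the rule names do."""
    return ("L" if is_local(src) else "R") + "2" + ("L" if is_local(dst) else "R")


class ScannerDetector:
    """Counts distinct destination hosts per (source, direction) over a sliding window.

    Flows must be fed in timestamp order; the deque is pruned from the front only.
    """

    def __init__(self, service: str, window: int = WINDOW_SECONDS):
        self.service = service
        self.ports = PORT_DEFINITIONS[service]
        self.threshold = THRESHOLDS[service]
        self.window = window
        self.recent = defaultdict(deque)  # (src, direction) -> deque of (ts, dst)

    def observe(self, ts: int, src: str, dst: str, dst_port: int):
        """Return an alert string when this flow pushes a source over the threshold."""
        if dst_port not in self.ports:
            return None
        d = direction(src, dst)
        if d not in ("L2L", "L2R"):      # only the local-source rules are modelled here
            return None
        q = self.recent[(src, d)]
        q.append((ts, dst))
        while q and ts - q[0][0] > self.window:
            q.popleft()
        distinct = {host for _, host in q}
        # Distinct count grows by at most one per flow, so this fires exactly once per crossing.
        if len(distinct) == self.threshold + 1:
            return (f"Local {d} {self.service} Server Scanner: {src} contacted "
                    f"{len(distinct)} hosts on {sorted(self.ports)} within {self.window // 60} min")
        return None


def run_detection(flows, service: str):
    """Feed (ts, src, dst, dst_port) records through one detector; collect alerts."""
    det = ScannerDetector(service)
    alerts = []
    for ts, src, dst, port in sorted(flows):
        alert = det.observe(ts, src, dst, port)
        if alert:
            alerts.append(alert)
    return alerts


def build_sample_flows():
    """Constructed flow records, not captured traffic."""
    flows = []
    # Source A: 35 distinct local hosts on 22 within ~5 minutes -> exceeds 30, fires L2L rule.
    flows += [(1000 + i * 8, "10.1.1.5", f"10.1.2.{i + 1}", 22) for i in range(35)]
    # Source B: 35 hosts but one every 70 s -> at most 9 fall in any 10-minute window.
    flows += [(1000 + i * 70, "10.1.1.6", f"10.1.3.{i + 1}", 22) for i in range(35)]
    # Source C: 40 connections to only 3 hosts -> distinct-host count never exceeds 3.
    flows += [(1000 + i * 5, "10.1.1.7", f"10.1.4.{i % 3 + 1}", 22) for i in range(40)]
    # Source D: 35 distinct remote hosts (TEST-NET-3) on 22 -> fires the L2R rule instead.
    flows += [(1000 + i * 5, "10.1.1.8", f"203.0.113.{i + 1}", 22) for i in range(35)]
    return flows
```

`run_detection(build_sample_flows(), "SSH")` returns exactly two alerts, one L2L for 10.1.1.5 and one L2R for 10.1.1.8; the slow scanner and the repeat-connection source stay below threshold, and the DNS detector reports nothing because no flow touches port 53.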