Effective URL: https://discuss.elastic.co/t/detect-horizontal-port-scan/272710

DETECT HORIZONTAL PORT SCAN

Elastic Security


You have selected 0 posts.

select all

cancel selecting

May 2021
1 / 3
May 2021

Jun 2021

pmorenosiPablo
2
May 2021


Hello everyone. From the logs that I have stored in Elasticsearch from a
firewall, I need to detect a type of attack called "Horizontal Port Scan" that
is defined as follows:

A unique source IP address that has "N" different destinations, all going to
the same port within a specified time.

Source IP ----> N Destinations ---> Same Port
| ------------------------------ 2 hours ----------------------->

The formulation of the question would be as follows:

What IP address has 20 different destination IP addresses to the same
destination port in the last 2 hours?

The names of the fields are:

srcip (source IP / type IP), dstip (destination IP / type IP) and port (port /
type integer)

Thank you so much





Created May 2021 · Last reply Jun 2021 · 2 replies · 2.7k views · 2 users · 1 like

Mike_Paquette (Elastic Team Member) · May 2021


Hi @pmorenosi, welcome to our Community!

Glad to see you are trying out the detection rules within the Elastic
SIEM/Security solution.

> Source IP ----> N Destinations ---> Same Port
> | ------------------------------ 2 hours ----------------- ------->
> the formulation of the question would be as follows:
> What IP address has 20 different destination IP addresses to the same
> destination port in the last 2 hours?

One idea is to create your own rule using the Threshold rule type in the 7.12
version. It has capabilities to do what you're looking for, like this.



[image: screenshot of the Threshold rule configuration, 1296×1534]



> the names of the fields are:
> srcip (source IP / type IP), dstip (Destination IP / type IP) and port (port /
> type integer)

You'll notice that my example above used different field names than yours. The
fields I used are defined by Elastic Common Schema (ECS).

The Elastic SIEM/Security app, including its detection rules, signals, and
detection alerts, requires your data to be indexed in an ECS-compliant format.
ECS is an open source, community-developed schema that specifies field names and
Elasticsearch data types for each field, and provides descriptions and example
usage.

The easiest way to get your data in ECS-compliant format is to use an
Elastic-supplied beat module (e.g., filebeat or Elastic Agent integration),
which will ingest and index your data in an ECS-compliant format. Elastic
provides a growing list of these integrations that you can find on our
Integrations page.

What kind of firewall logs are you working with? There are integrations already
created for a number of firewalls such as Barracuda, Cisco, CheckPoint, Palo
Alto, and more.

General guidelines for creating ECS-compliant data:

 1. Each indexed document (e.g., your log, event, etc.) MUST have the @timestamp
    field.
 2. Your index mapping template must specify the Elasticsearch field data type
    for each field as defined by ECS. For example, your @timestamp field must be
    of the date field data type, etc. This ensures that there will not be any
    mapping conflicts in your indices.
 3. The original fields from your log/event SHOULD be copied/renamed/converted
    to the corresponding ECS-defined field name and data type.
 4. Additional ECS fields, such as the ECS Categorization fields SHOULD be
    populated for each log/event, to allow proper inclusion of your data into
    dashboards and detection rules.

Here's a simple graphic that I created to help get this point across.



[image: diagram of mapping original log fields onto ECS fields, 1068×566]



Please let us know if this helps.

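As an added example that is not part of the thread above, the detection Pablo asked for and the Threshold-rule approach Mike suggests, written out in Python so the logic can be checked offline. It assumes the firewall events have already been mapped to the ECS field names `source.ip`, `destination.ip` and `destination.port` (the screenshot naming them is not preserved here, so those names are an assumption based on ECS), and the sample events are constructed, not real firewall data. `find_horizontal_scans` evaluates the rule over a sliding 2-hour window; `threshold_query` builds the equivalent Elasticsearch aggregation (query DSL, not the Kibana rule API) and assumes Elasticsearch 7.12 or later for the `multi_terms` aggregation.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed ECS-shaped firewall events (not real data). 10.0.0.5 touches 25
# distinct hosts on port 445 within 25 minutes (a horizontal scan); 10.0.0.7
# sends 30 events but only to 3 distinct hosts on port 443 (normal traffic that
# a plain event count would wrongly flag).
SAMPLE_EVENTS = (
    [{"@timestamp": f"2021-05-10T10:{i:02d}:00Z", "source.ip": "10.0.0.5",
      "destination.ip": f"192.168.1.{i}", "destination.port": 445}
     for i in range(1, 26)]
    + [{"@timestamp": f"2021-05-10T10:{i:02d}:00Z", "source.ip": "10.0.0.7",
        "destination.ip": f"192.168.2.{i % 3}", "destination.port": 443}
       for i in range(0, 30)]
)

WINDOW = timedelta(hours=2)   # "in the last 2 hours"
THRESHOLD = 20                # "20 different destination IP addresses"


def parse_ts(value):
    """Parse the ECS @timestamp string (UTC, second precision in the sample)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_horizontal_scans(events, window=WINDOW, threshold=THRESHOLD):
    """Return {(source.ip, destination.port): max_distinct_destinations} for
    every source/port pair that reached >= threshold distinct destination.ip
    values inside any sliding window of length `window`.

    Grouping by (source.ip, destination.port) and counting *distinct*
    destination.ip is what distinguishes a horizontal scan from a chatty
    client that repeatedly talks to the same few hosts.
    """
    groups = defaultdict(list)
    for ev in events:
        key = (ev["source.ip"], ev["destination.port"])
        groups[key].append((parse_ts(ev["@timestamp"]), ev["destination.ip"]))

    hits = {}
    for key, obs in groups.items():
        obs.sort()                      # oldest first
        counts = defaultdict(int)       # destination.ip -> occurrences in window
        left = 0
        best = 0
        for ts, dst in obs:
            counts[dst] += 1
            # Evict observations older than the window from the left edge.
            while ts - obs[left][0] > window:
                old_dst = obs[left][1]
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
                left += 1
            best = max(best, len(counts))
        if best >= threshold:
            hits[key] = best
    return hits


def threshold_query(window="2h", threshold=THRESHOLD):
    """Elasticsearch query body answering the same question server-side:
    group by source.ip + destination.port, count distinct destination.ip, and
    keep only buckets at or above the threshold (assumes ES 7.12+)."""
    return {
        "size": 0,
        "query": {"range": {"@timestamp": {"gte": f"now-{window}"}}},
        "aggs": {
            "by_src_port": {
                "multi_terms": {
                    "terms": [{"field": "source.ip"}, {"field": "destination.port"}],
                    "size": 1000,
                },
                "aggs": {
                    # cardinality is approximate (HyperLogLog++) but exact for
                    # counts well below the default precision_threshold of 3000.
                    "distinct_dst": {"cardinality": {"field": "destination.ip"}},
                    "over_threshold": {
                        "bucket_selector": {
                            "buckets_path": {"n": "distinct_dst"},
                            "script": f"params.n >= {threshold}",
                        }
                    },
                },
            }
        },
    }


if __name__ == "__main__":
    for (src, port), n in find_horizontal_scans(SAMPLE_EVENTS).items():
        print(f"{src} reached {n} distinct hosts on port {port}")
```

Two caveats worth keeping in mind when this runs as a scheduled rule rather than over a static sample: the query uses a fixed `now-2h` window, so a scan that straddles two rule executions can be split across them and each half may fall under the threshold (the sliding-window function above does not have that gap), and the `cardinality` aggregation is an estimate, so pick a threshold with some margin rather than relying on an exact count of 20.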

Closed on Jun 15, 2021



This topic was automatically closed 28 days after the last reply. New replies
are no longer allowed.



