Network Scans Count By Destination IP

level
status test

Detects many failed connection attempts to different ports or hosts

Known false-positives

  • Inventarization systems
  • Vulnerability scans
  • Penetration testing activity

Raw rule (edit)

title: Network Scans Count By Destination IP
id: 4601eaec-6b45-4052-ad32-2d96d26ce0d8
status: test
description: Detects many failed connection attempts to different ports or hosts
author: Thomas Patzke
date: 2017/02/19
modified: 2021/11/27
logsource:
  category: firewall
detection:
  selection:
    action: denied
  timeframe: 24h
  condition: selection | count(dst_ip) by src_ip > 10
fields:
  - src_ip
  - dst_ip
  - dst_port
falsepositives:
  - Inventarization systems
  - Vulnerability scans
  - Penetration testing activity
level: medium
tags:
  - attack.discovery
  - attack.t1046

Sponsored by

Phish Report logo
With Phish Report you can achieve streamlined phishing takedowns using your existing security team.