################################################################
# Sample SEC ruleset for "PORTSCAN FROM ip1 TO ip2:port" events
################################################################
# process "PORTSCAN FROM ip1 TO ip2:port" events, and if a certain
# source host has scanned the same destination port on more than
# 10 distinct destination hosts during 60 seconds, raise an alarm
type=Single
ptype=RegExp
pattern=PORTSCAN FROM (\S+) TO \S+:(\d+)
context=!HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$2
continue=TakeNext
desc=Horizontal port sweep started from source $1 to target port $2
action=eval %o ( $portscans{"$1:$2"} = {} ); \
create HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$2 60 \
eval %o ( delete $portscans{"$1:$2"} )
type=Single
ptype=RegExp
pattern=PORTSCAN FROM (\S+) TO (\S+):(\d+)
context=HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3
continue=TakeNext
desc=Scanned destination IP: $2
action=eval %o ( $portscans{"$1:$3"}->{$2} = 1 ); \
add HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3 %t: %s;\
set HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3 60 \
eval %o ( delete $portscans{"$1:$3"} )
type=Single
ptype=RegExp
pattern=PORTSCAN FROM (\S+) TO (\S+):(\d+)
context=HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3 \
&& =( scalar(keys(%{$portscans{"$1:$3"}})) > 10 )
continue=DontCont
desc=$1 has scanned more than 10 destinations
action=report HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3 \
mail -s 'Horizontal port sweep from $1 target port $3' root@localhost; \
delete HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3; \
eval %o ( delete $portscans{"$1:$3"} )
distrib
>
Mandriva
>
2010.2
>
i586
>
media
>
contrib-release-src
>
by-pkgid
>
f419db9e0a33558a981504f72042bf17
>
files
>
16
