PH_Rule_Flow_1B
Enabled
Detects excessive permitted TCP connections from the same source to many distinct destinations in a short period of time. The threshold is 200 flows within 3 minutes. Scanning may be a precursor to exploits. However, network management and mapping tools often scan the network for discovery purposes and authorized scanners need to be blocklisted. P2P clients also exhibit this behavior when they attempt to establish connections to (non-existent) peers.
7
Security
Discovery
Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.
https://attack.mitre.org/tactics/TA0007T1018
Remote System Discovery
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping, net view, bonjour etc.
https://attack.mitre.org/techniques/T1018T1590.003
Gather Victim Network Information: Network Trust Dependencies
Before compromising a victim, adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.
https://attack.mitre.org/techniques/T1590/003T1590.004
Gather Victim Network Information: Network Topology
Before compromising a victim, adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.
https://attack.mitre.org/techniques/T1590/004T1590.005
Gather Victim Network Information: IP Addresses
Before compromising a victim, adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted.
https://attack.mitre.org/techniques/T1590/005T1595.001
Active Scanning: Scanning IP Blocks
Before compromising a victim, adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.
https://attack.mitre.org/techniques/T1595/001Network
FortiGate via Syslog or Netflow, Cisco IOS via Syslog or Netflow, Checkpoint via Syslog or Netflow, Palo Alto via Syslog or Netflow
Correlation
No remediation guidance specified
If the following pattern or patterns match an ingested event within the given time window in seconds, trigger an incident.
180 secondsIf the following defined pattern/s occur within a 180 second time window.
HostScanTCPThis is the named definition of the event query, this is important if multiple subpatterns are defined to distinguish them.
This is the query logic that matches incoming events
ipProto = 6 AND eventType IN (Group@PH_SYS_EVENT_PermitNetTraffic, Group@PH_SYS_EVENT_NetflowTraffic, Group@PH_SYS_EVENT_BiNetflowTraffic) AND srcIpAddr NOT IN (Group@PH_SYS_APP_ACCELOPS,Group@PH_SYS_DEVICE_FSM) AND srcIpAddr IN (Group@PH_SYS_NETWORK_ENTERPRISE_INTERNAL_NET)This defines how matching events are aggregated, only events with the same matching attribute values are grouped into one unique incident ID
srcIpAddrThis is most typically a numerical constraint that defines when the rule should trigger an incident
COUNT (DISTINCT destIpAddr) >= 200This section defines which fields in matching raw events should be mapped to the incident attributes in the resulting incident.
The available raw event attributes to map are limited to the group by attributes and the aggregate event constraint fields for each subpattern
srcIpAddr = HostScanTCP.srcIpAddr,
incidentCount = HostScanTCP.COUNT (DISTINCT destIpAddr)