Port scan detection from Firewall Logs


Ranjith Kesavan

Nov 24, 2021, 10:51:06 AM
to Wazuh mailing list
Team, 

We are facing unexpected behavior when using the <different_field> tag in rules to detect port scanning attacks from firewall logs. We are using dynamic field names in Wazuh.

I read the article https://groups.google.com/g/wazuh/c/qYqaeIbIV9w/m/YksPAKJzBQAJ and followed the suggestions. 

Rule Logic: Alert if 10 traffic logs seen from Same IP with different/unique destination ports in 60 seconds. 

<rule id="900514" level="10" timeframe="60" frequency="10">
  <if_matched_sid>900102</if_matched_sid>
  <different_field>destination.port</different_field>
  <same_field>source.ip</same_field>
  <description>Port scanning detected</description>
</rule>

However, what is happening is that Wazuh looks for 9 logs with the same port number, and if it sees the destination port change in the 10th packet, the alert is triggered. Below are the sample logs that triggered the alert for the above rule. This set of logs was used to test the rule, and it was found to trigger. If you look, only the last dstport is different. What we are looking for is 10 completely unique dstports. Is there any way to accomplish this?

date=2021-11-24 time=19:00:09 devname="MDPB-FG-Sample" devid="FG6H1ETB21903296" eventtime=1637766010311689302 tz="+0400" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="FG-EDGE" srcip=10.1.175.18 srcport=41279 srcintf="port7" srcintfrole="dmz" dstip=10.2.237.142  dstport=514   dstintf="EDGE-to-DC0" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=617263522 proto=17 action="deny" policyid=0 policytype="policy" service="SYSLOG" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high"
date=2021-11-24 time=19:00:09 devname="MDPB-FG-Sample" devid="FG6H1ETB21903296" eventtime=1637766010311562209 tz="+0400" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="FG-EDGE" srcip=10.1.175.18 srcport=41279 srcintf="port7" srcintfrole="dmz" dstip=10.2.237.142  dstport=514   dstintf="EDGE-to-DC0" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=617263521 proto=17 action="deny" policyid=0 policytype="policy" service="SYSLOG" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high"
date=2021-11-24 time=19:00:09 devname="MDPB-FG-Sample" devid="FG6H1ETB21903296" eventtime=1637766010288706235 tz="+0400" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="FG-EDGE" srcip=192.168.11.15 srcport=37741 srcintf="port4" srcintfrole="dmz" dstip=10.2.236.7  dstport=514   dstintf="EDGE-to-DC0" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=617263519 proto=17 action="deny" policyid=0 policytype="policy" service="DNS-53-UDP" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high"
date=2021-11-24 time=19:00:09 devname="MDPB-FG-Sample" devid="FG6H1ETB21903296" eventtime=1637766010299562353 tz="+0400" logid="0001000014" type="traffic" subtype="local" level="notice" vd="FG-DC" srcip=fe80::1edf:fff:fe44:7668 srcport=546 srcintf="x1.888" srcintfrole="lan" dstip=ff02::1:2  dstport=514   dstintf="FG-DC" dstintfrole="undefined" sessionid=14020321 proto=17 action="deny" policyid=0 policytype="local-in-policy6" service="DHCP6" trandisp="noop" app="DHCP6" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" srchwvendor="Cisco" devtype="Network" srcfamily="Router" srchwversion="Aironet" mastersrcmac="1c:df:0f:44:76:68" srcmac="1c:df:0f:44:76:68" srcserver=0
date=2021-11-24 time=19:00:09 devname="MDPB-FG-Sample" devid="FG6H1ETB21903296" eventtime=1637766010311689302 tz="+0400" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="FG-EDGE" srcip=10.1.175.18 srcport=41279 srcintf="port7" srcintfrole="dmz" dstip=10.2.237.142 dstport=514 dstintf="EDGE-to-DC0" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=617263522 proto=17 action="deny" policyid=0 policytype="policy" service="SYSLOG" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high"
date=2021-11-24 time=19:00:09 devname="MDPB-FG-Sample" devid="FG6H1ETB21903296" eventtime=1637766010311562209 tz="+0400" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="FG-EDGE" srcip=10.1.175.18 srcport=41279 srcintf="port7" srcintfrole="dmz" dstip=10.2.237.142 dstport=514 dstintf="EDGE-to-DC0" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=617263521 proto=17 action="deny" policyid=0 policytype="policy" service="SYSLOG" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high"
date=2021-11-24 time=19:00:09 devname="MDPB-FG-Sample" devid="FG6H1ETB21903296" eventtime=1637766010288706235 tz="+0400" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="FG-EDGE" srcip=192.168.11.15 srcport=37741 srcintf="port4" srcintfrole="dmz" dstip=10.2.236.7 dstport=514 dstintf="EDGE-to-DC0" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=617263519 proto=17 action="deny" policyid=0 policytype="policy" service="DNS-53-UDP" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high"
date=2021-11-24 time=19:00:09 devname="MDPB-FG-Sample" devid="FG6H1ETB21903296" eventtime=1637766010299562353 tz="+0400" logid="0001000014" type="traffic" subtype="local" level="notice" vd="FG-DC" srcip=fe80::1edf:fff:fe44:7668 srcport=546 srcintf="x1.888" srcintfrole="lan" dstip=ff02::1:2 dstport=514 dstintf="FG-DC" dstintfrole="undefined" sessionid=14020321 proto=17 action="deny" policyid=0 policytype="local-in-policy6" service="DHCP6" trandisp="noop" app="DHCP6" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" srchwvendor="Cisco" devtype="Network" srcfamily="Router" srchwversion="Aironet" mastersrcmac="1c:df:0f:44:76:68" srcmac="1c:df:0f:44:76:68" srcserver=0
date=2021-11-24 time=19:00:09 devname="MDPB-FG-Sample" devid="FG6H1ETB21903296" eventtime=1637766010311689302 tz="+0400" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="FG-EDGE" srcip=10.1.175.18 srcport=41279 srcintf="port7" srcintfrole="dmz" dstip=10.2.237.142 dstport=514 dstintf="EDGE-to-DC0" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=617263522 proto=17 action="deny" policyid=0 policytype="policy" service="SYSLOG" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high"
date=2021-11-24 time=19:00:09 devname="MDPB-FG-Sample" devid="FG6H1ETB21903296" eventtime=1637766010311562209 tz="+0400" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="FG-EDGE" srcip=10.1.175.18 srcport=41279 srcintf="port7" srcintfrole="dmz" dstip=10.2.237.142 dstport=2300 dstintf="EDGE-to-DC0" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=617263521 proto=17 action="deny" policyid=0 policytype="policy" service="SYSLOG" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high"

Dario Menten

Nov 25, 2021, 10:11:46 AM
to Wazuh mailing list

Hello Ranjith,
The logic you are looking for is not possible with that rule, because different_field does not look for X unique values; it checks that the current value is different from the previous one.
Check this in the documentation: Rules Syntax

It is the opposite setting of same_field. The value of the dynamic field specified in this option must be different than the ones found in previous events a frequency number of times within the required timeframe.

I hope this information is helpful to you.
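As an added illustration, not part of the thread or of Wazuh itself, of the "N unique destination ports from one source within T seconds" logic Dario says the rule engine does not provide: a standalone Python detector run over FortiGate-style key=value lines. The field layout follows the sample logs above; the condensed thread sample, the 203.0.113.7 scan sample and the thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque

# FortiGate logs are key=value pairs; values may be double-quoted and contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fortigate(line):
    """Return the key=value fields of one FortiGate log line as a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def unique_port_alerts(lines, frequency=10, timeframe=60):
    """Alert once a source IP has reached `frequency` DISTINCT destination ports
    within `timeframe` seconds (sliding window on eventtime, which FortiGate
    reports in nanoseconds). Lines are assumed to arrive roughly in time order.
    This is the 'X unique values' semantics the original rule was expected to
    have; <different_field> only compares against previous values."""
    windows = defaultdict(deque)   # srcip -> deque of (ts_seconds, dstport)
    alerts = []
    for line in lines:
        ev = parse_fortigate(line)
        if ev.get("type") != "traffic" or "dstport" not in ev:
            continue
        ts = int(ev["eventtime"]) / 1e9
        win = windows[ev["srcip"]]
        win.append((ts, ev["dstport"]))
        while win and ts - win[0][0] > timeframe:   # expire old events
            win.popleft()
        ports = {p for _, p in win}
        if len(ports) >= frequency:
            alerts.append((ev["srcip"], sorted(ports, key=int)))
            win.clear()   # one alert per scan burst, then start counting again
    return alerts

BASE = 1637766010_000_000_000   # eventtime of the thread's sample, in ns

# Constructed: the thread's case condensed to the fields the detector reads,
# nine hits on dstport=514 followed by one on dstport=2300 from one source.
THREAD_SAMPLE = [
    f'eventtime={BASE + i * 1_000_000} type="traffic" srcip=10.1.175.18 dstport=514'
    for i in range(9)
] + [f'eventtime={BASE + 9_000_000} type="traffic" srcip=10.1.175.18 dstport=2300']

# Constructed: one source sweeping ten distinct ports over ten seconds.
SCAN_SAMPLE = [
    f'eventtime={BASE + i * 1_000_000_000} type="traffic" srcip=203.0.113.7 dstport={20 + i}'
    for i in range(10)
]

if __name__ == "__main__":
    print("thread sample:", unique_port_alerts(THREAD_SAMPLE))   # [] (only 2 distinct ports)
    print("scan sample:  ", unique_port_alerts(SCAN_SAMPLE))     # one alert, ports 20..29
```

The thread's sample yields no alert because only two distinct ports appear, while the constructed sweep trips the threshold on its tenth event.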

Ranjith Kesavan

Nov 26, 2021, 4:58:40 AM
to Wazuh mailing list
Hello Dario, 

Thanks for clarifying this. Can you think of any option in Wazuh to alert on X number of unique ports? As this is one of the most common use cases, I hope someone has found a workaround for this.

Ranjith Kesavan

Dec 2, 2021, 10:16:57 AM
to Wazuh mailing list

Hello Team, 

Can someone help with this? Please let me know if there is any way to make this work.

Dario Menten

Dec 28, 2021, 1:11:52 PM
to Wazuh mailing list

Hello Ranjith,
My apologies, I did not see your response in time.
What you are looking for is not available right now, and it makes total sense, so I suggest you raise a feature request in our GitHub so we can evaluate the possibility of adding it.
You can do this through this link: Feature Request
I hope this is helpful.
