Need help detecting port/network scans from FTD firewall logs

areeeba fatima

Apr 10, 2026, 8:27:31 AM (4 days ago) Apr 10
to Wazuh | Mailing List
Wazuh version:  v 4.12.0
What I'm trying to do

Detect port scans and network scans from Cisco FTD firewall deny/block logs.

My setup
  • Firewall logs: %FTD-1-430002 with Action: Block

  • Rule 100006 fires on every block (confirmed working)

  • Logs have fields: data.srcip, data.dstip, data.dstport

Block (logs)
  • Screenshot 2026-04-10 155146.png
  • Screenshot 2026-04-10 155226.png

Deny (logs)
  • Screenshot 2hh.png
  • Screenshot 202.png
The rules I tried (not working)

Port scan detection (same src IP, same dst IP, different ports):

<rule id="100901" level="14" frequency="5" timeframe="90">
  <if_matched_sid>100006</if_matched_sid>
  <same_field>data.srcip</same_field>
  <same_field>data.dstip</same_field>
  <different_field>data.dstport</different_field>
  <description>Port scan from $(data.srcip) to $(data.dstip)</description>
</rule>

Network scan detection (same src IP, different dst IPs):

<rule id="100902" level="14" frequency="5" timeframe="90">
  <if_matched_sid>100006</if_matched_sid>
  <same_field>data.srcip</same_field>
  <different_field>data.dstip</different_field>
  <description>Network scan from $(data.srcip)</description>
</rule>

Others:

<rule id="100903" level="15" frequency="3" timeframe="60" ignore="60">
  <if_matched_sid>100006</if_matched_sid>
  <same_field>data.srcip</same_field>
  <description>Possible scan detected - Multiple blocks from $(data.srcip) in 60 seconds</description>
  <group>scan,suspicious,attack</group>
</rule>

Others:

<group name="cisco,ftd,scan_detection,">

  <rule id="100903" level="15" frequency="3" timeframe="60" ignore="60">
    <if_matched_sid>100006</if_matched_sid>
    <same_source_ip />
    <description>Possible scan detected - Multiple blocks from $(data.srcip) in 60 seconds</description>
    <group>scan,suspicious,attack,</group>
  </rule>

</group>

The problem

  1. Rule 100006 fires correctly for each event
  2. However, none of the correlation rules (100901, 100902, 100903) are triggering
  3. No alerts are generated for these rules

What I need

A simple, working rule to detect:

  • Same IP hitting multiple ports on same destination (port scan)

  • Same IP hitting multiple destination IPs (network scan)

My Question

  • Is there something wrong with using <same_field> and <different_field> for these use cases?
  • Or is there a better/recommended way in Wazuh to detect:
  1. Port scans (same IP, multiple ports)
  2. Network scans (same IP, multiple destination IPs)

Olamilekan Abdullateef Ajani

Apr 10, 2026, 9:41:56 AM (4 days ago) Apr 10
to Wazuh | Mailing List
Hello,

The issue may lie with the fields and how they are being called in your correlation rules. I tried the below rule as a test and got an accurate result.

<rule id="100903" level="12" frequency="4" timeframe="60">
  <if_matched_sid>5715</if_matched_sid>
  <same_source_ip />
  <same_srcport />
  <different_srcport />
  <description>Possible scan - multiple connection attempts from $(srcip)</description>
  <group>scan,suspicious,</group>
</rule>

I noticed that in your rule you referenced data.srcip, while in the snippet on the screenshot you shared I saw srcip. If there are inaccuracies, they may affect the outcome of the custom rules written.

That said, can you please share a sample log from the archive.json file for further testing and evaluation? That would help understand how the logs are ingested and see the fields evaluated.

My recommended approach will be to use the default field preferences as defined above. Please refer to this documentation to set archives and extract the complete log line for reference.

Ref:

areeeba fatima

Apr 10, 2026, 12:11:10 PM (4 days ago) Apr 10
to Wazuh | Mailing List

Thank you for your response.

Here is a sample raw log from archives.log:

Raw Archives Log

root@pklhr-wazuh:~# grep "FTD-session-4-106023" /var/ossec/logs/archives/archives.log | tail -10
2026 Apr 10 20:28:44 10.40.1.150->/var/log/syslog-logs/10.40.1.150/output.log 2026-04-10T20:28:25.612944+05:00 10.40.1.150 : Apr 10 15:28:25 UTC: %FTD-session-4-106023: Deny tcp src inside:10.40.230.218/20853 dst PDC-SBP-RAAST:192.168.250.20/23432 by access-group "CSM_FW_ACL_" [0x97aa021a, 0x0]
2026 Apr 10 20:28:47 10.40.1.150->/var/log/syslog-logs/10.40.1.150/output.log 2026-04-10T20:28:27.874607+05:00 10.40.1.150 : Apr 10 15:28:27 UTC: %FTD-session-4-106023: Deny tcp src inside:10.40.230.218/20857 dst PDC-SBP-RAAST:192.168.250.20/23432 by access-group "CSM_FW_ACL_" [0x97aa021a, 0x0]
2026 Apr 10 20:28:47 10.40.1.150->/var/log/syslog-logs/10.40.1.150/output.log 2026-04-10T20:28:27.894359+05:00 10.40.1.150 : Apr 10 15:28:27 UTC: %FTD-session-4-106023: Deny tcp src inside:10.40.230.218/20858 dst PDC-SBP-RAAST:192.168.250.20/23432 by access-group "CSM_FW_ACL_" [0x97aa021a, 0x0]
2026 Apr 10 20:28:49 10.40.1.150->/var/log/syslog-logs/10.40.1.150/output.log 2026-04-10T20:28:30.883226+05:00 10.40.1.150 : Apr 10 15:28:30 UTC: %FTD-session-4-106023: Deny tcp src inside:10.40.230.218/20857 dst PDC-SBP-RAAST:192.168.250.20/23432 by access-group "CSM_FW_ACL_" [0x97aa021a, 0x0]
2026 Apr 10 20:28:49 10.40.1.150->/var/log/syslog-logs/10.40.1.150/output.log 2026-04-10T20:28:30.898965+05:00 10.40.1.150 : Apr 10 15:28:30 UTC: %FTD-session-4-106023: Deny tcp src inside:10.40.230.218/20858 dst PDC-SBP-RAAST:192.168.250.20/23432 by access-group "CSM_FW_ACL_" [0x97aa021a, 0x0]
2026 Apr 10 20:28:50 10.40.1.150->/var/log/syslog-logs/10.40.1.150/output.log 2026-04-10T20:28:31.624636+05:00 10.40.1.150 : Apr 10 15:28:31 UTC: %FTD-session-4-106023: Deny tcp src inside:10.40.230.218/20853 dst PDC-SBP-RAAST:192.168.250.20/23432 by access-group "CSM_FW_ACL_" [0x97aa021a, 0x0]

Raw Archives Log

root@pklhr-wazuh:~# grep "FTD-1-430002" /var/ossec/logs/archives/archives.log | tail -10

2026 Apr 10 20:28:43 10.40.1.150->/var/log/syslog-logs/10.40.1.150/output.log 2026-04-10T15:28:24+05:00 10.40.1.150  : %FTD-1-430002: EventPriority: Low, DeviceUUID: 8b35349c-c9e6-11ee-8a48-cc41097683c6, InstanceID: 1, FirstPacketSecond: 2026-04-10T15:28:24Z, ConnectionID: 60326, AccessControlRuleAction: Allow, SrcIP: 10.50.126.69, DstIP: 52.44.34.19, SrcPort: 63578, DstPort: 443, Protocol: tcp, IngressInterface: inside, EgressInterface: Bkup-Wateen, IngressZone: inside, EgressZone: Bkup-Wateen, IngressVRF: Global, EgressVRF: Global, ACPolicy: FINCA-INT-ACP, AccessControlRuleName: BRANCH's-URLs, Prefilter Policy: PDC-PreFilter-Policy, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Trend Micro, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 691, ResponderBytes: 66, NAPPolicy: Balanced Security and Connectivity, SSLPolicy: None, SSLFlowStatus: Success, SSLCipherSuite: Unknown, SSLCertificate: 4841b1641caedd674491a8c0a2ede07db907bdb3, SSLVersion: Unknown, SSLServerCertStatus: Valid, SSLActualAction: Do Not Decrypt, SSLExpectedAction: Do Not Decrypt, URLCategory: Branches_Exception, URLReputation: Unknown, URL: https://api-us1.xbc.trendmicro.com, NAT_InitiatorPort: 63578, NAT_ResponderPort: 443, NAT_InitiatorIP: 58.27.201.38, NAT_ResponderIP: 52.44.34.19, ClientAppDetector: AppID
2026 Apr 10 20:28:43 10.40.1.150->/var/log/syslog-logs/10.40.1.150/output.log 2026-04-10T15:28:24+05:00 10.40.1.150  : %FTD-1-430002: EventPriority: Low, DeviceUUID: 8b35349c-c9e6-11ee-8a48-cc41097683c6, InstanceID: 2, FirstPacketSecond: 2026-04-10T15:28:24Z, ConnectionID: 43045, AccessControlRuleAction: Allow, SrcIP: 10.50.50.71, DstIP: 150.171.27.11, SrcPort: 64097, DstPort: 443, Protocol: tcp, IngressInterface: inside, EgressInterface: Bkup-Wateen, IngressZone: inside, EgressZone: Bkup-Wateen, IngressVRF: Global, EgressVRF: Global, ACPolicy: FINCA-INT-ACP, AccessControlRuleName: BRANCH's-Applications, Prefilter Policy: PDC-PreFilter-Policy, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Microsoft, InitiatorPackets: 4, ResponderPackets: 1, InitiatorBytes: 1988, ResponderBytes: 66, NAPPolicy: Balanced Security and Connectivity, SSLPolicy: None, SSLFlowStatus: Success, SSLCipherSuite: Unknown, SSLCertificate: f9b130c894e5e2630073022dc3aaceef8bf4a13e, SSLVersion: Unknown, SSLServerCertStatus: Valid, SSLActualAction: Do Not Decrypt, SSLExpectedAction: Do Not Decrypt, URL: https://edge.microsoft.com, NAT_InitiatorPort: 64097, NAT_ResponderPort: 443, NAT_InitiatorIP: 58.27.201.38, NAT_ResponderIP: 150.171.27.11, ClientAppDetector: AppID
2026 Apr 10 20:28:43 10.40.1.150->/var/log/syslog-logs/10.40.1.150/output.log 2026-04-10T15:28:23+05:00 10.40.1.150  : %FTD-1-430002: EventPriority: Low, DeviceUUID: 8b35349c-c9e6-11ee-8a48-cc41097683c6, InstanceID: 2, FirstPacketSecond: 2026-04-10T15:28:23Z, ConnectionID: 43009, AccessControlRuleAction: Allow, SrcIP: 10.50.58.73, DstIP: 54.86.253.105, SrcPort: 56318, DstPort: 443, Protocol: tcp, IngressInterface: inside, EgressInterface: Bkup-Wateen, IngressZone: inside, EgressZone: Bkup-Wateen, IngressVRF: Global, EgressVRF: Global, ACPolicy: FINCA-INT-ACP, AccessControlRuleName: BRANCH's-URLs, Prefilter Policy: PDC-PreFilter-Policy, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Trend Micro, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 691, ResponderBytes: 66, NAPPolicy: Balanced Security and Connectivity, SSLPolicy: None, SSLFlowStatus: Success, SSLCipherSuite: Unknown, SSLCertificate: 4841b1641caedd674491a8c0a2ede07db907bdb3, SSLVersion: Unknown, SSLServerCertStatus: Valid, SSLActualAction: Do Not Decrypt, SSLExpectedAction: Do Not Decrypt, URLCategory: Branches_Exception, URLReputation: Unknown, URL: https://api-us1.xbc.trendmicro.com, NAT_InitiatorPort: 56318, NAT_ResponderPort: 443, NAT_InitiatorIP: 58.27.201.38, NAT_ResponderIP: 54.86.253.105, ClientAppDetector: AppID
2026 Apr 10 20:28:43 10.40.1.150->/var/log/syslog-logs/10.40.1.150/output.log 2026-04-10T15:28:24+05:00 10.40.1.150  : %FTD-1-430002: EventPriority: Low, DeviceUUID: 8b35349c-c9e6-11ee-8a48-cc41097683c6, InstanceID: 2, FirstPacketSecond: 2026-04-10T15:28:24Z, ConnectionID: 43029, AccessControlRuleAction: Allow, SrcIP: 10.40.241.135, DstIP: 172.30.0.68, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: inside, EgressInterface: DMZ, IngressZone: inside, EgressZone: DMZ, IngressVRF: Global, EgressVRF: Global, ACPolicy: FINCA-INT-ACP, AccessControlRuleName: INSIDE-DMZ-ADMIN-ACCESS, Prefilter Policy: PDC-PreFilter-Policy, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 74, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, NAT_InitiatorPort: 8, NAT_InitiatorIP: 10.40.241.135, NAT_ResponderIP: 172.30.0.68, ClientAppDetector: AppID
2026 Apr 10 20:28:43 10.40.1.150->/var/log/syslog-logs/10.40.1.150/output.log 2026-04-10T15:28:23+05:00 10.40.1.150  : %FTD-1-430002: EventPriority: Low, DeviceUUID: 8b35349c-c9e6-11ee-8a48-cc41097683c6, InstanceID: 1, FirstPacketSecond: 2026-04-10T15:28:23Z, ConnectionID: 60280, AccessControlRuleAction: Allow, SrcIP: 172.30.0.144, DstIP: 10.40.242.35, SrcPort: 43530, DstPort: 3306, Protocol: tcp, IngressInterface: DMZ, EgressInterface: inside, IngressZone: DMZ, EgressZone: inside, IngressVRF: Global, EgressVRF: Global, ACPolicy: FINCA-INT-ACP, AccessControlRuleName: DMZ-TO-INSIDE, Prefilter Policy: PDC-PreFilter-Policy, Client: MySQL client, ApplicationProtocol: MySQL, InitiatorPackets: 2, ResponderPackets: 2, InitiatorBytes: 140, ResponderBytes: 253, NAPPolicy: Balanced Security and Connectivity, NAT_InitiatorPort: 43530, NAT_ResponderPort: 3306, NAT_InitiatorIP: 172.30.0.144, NAT_ResponderIP: 10.40.242.35, ClientAppDetector: AppID
2026 Apr 10 20:28:43 10.40.1.150->/var/log/syslog-logs/10.40.1.150/output.log 2026-04-10T15:28:24+05:00 10.40.1.150  : %FTD-1-430002: EventPriority: Low, DeviceUUID: 8b35349c-c9e6-11ee-8a48-cc41097683c6, InstanceID: 1, FirstPacketSecond: 2026-04-10T15:28:24Z, ConnectionID: 60351, AccessControlRuleAction: Allow, SrcIP: 10.40.1.19, DstIP: 8.8.8.8, SrcPort: 52989, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: PDC-OUTSIDE, IngressZone: inside, EgressZone: PDC-OUTSIDE, IngressVRF: Global, EgressVRF: Global, ACPolicy: FINCA-INT-ACP, AccessControlRuleName: DNS-SERVER-1-INTERNET, Prefilter Policy: PDC-PreFilter-Policy, Client: DNS, ApplicationProtocol: DNS, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 92, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, NAT_InitiatorPort: 52989, NAT_ResponderPort: 53, NAT_InitiatorIP: 103.215.112.170, NAT_ResponderIP: 8.8.8.8, ClientAppDetector: AppID

My Custom FTD Rule
Screenshot 2026-04-10 195647.png

Olamilekan Abdullateef Ajani

Apr 10, 2026, 2:37:49 PM (4 days ago) Apr 10
to Wazuh | Mailing List
Hello again,

As I suspected earlier, the issue is from the field mappings you have. The use of data preceding any field (data.srcip) is not allowed. You can make use of the sample rule below and it will work for your use case. I tested it with the sample log you shared and you can also see the results attached.

<rule id="100903" level="12" frequency="4" timeframe="60" ignore="60">
  <if_matched_sid>100006</if_matched_sid>
  <same_source_ip />
  <same_dstip />
  <different_dstport />
  <description>Possible scan - multiple connection attempts from $(srcip)</description>
  <group>scan,suspicious,</group>
</rule>

That said, please note that the use of "ignore" means the rule is ignored after a match for the number of seconds specified.
You can find more configurable options in the documentation below.

rule.png
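An added example, not from this thread and not Wazuh's own code: a Python emulation of the same-src/same-dst/different-dstport correlation with frequency, timeframe and ignore, run over lines in the %FTD-session-4-106023 Deny format posted above. It assumes the alert fires once `frequency` distinct destination ports are seen in the window (Wazuh's exact frequency counting is not reproduced), and it shows that Deny lines like the thread's samples, which all share dst port 23432, never satisfy such a rule, while a constructed set with distinct ports does.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# One %FTD-session-4-106023 Deny line as stored in archives.log (relay ISO timestamp first).
DENY_RE = re.compile(r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?[+-]\d{2}:\d{2}).*?"
                     r"%FTD-session-4-106023: Deny \w+ src \S+?:(?P<srcip>[\d.]+)/\d+"
                     r" dst \S+?:(?P<dstip>[\d.]+)/(?P<dstport>\d+)")

def parse_deny(line):
    """Return {'ts': epoch seconds, 'srcip', 'dstip', 'dstport': int}, or None if no match."""
    if not (m := DENY_RE.search(line)):
        return None
    ev = m.groupdict()
    ev["ts"], ev["dstport"] = datetime.fromisoformat(ev["ts"]).timestamp(), int(ev["dstport"])
    return ev

class PortScanCorrelator:
    """Same srcip + same dstip + distinct dstport within timeframe, then an ignore window.
    Assumption: fires once `frequency` distinct ports are seen; Wazuh's exact count may differ."""
    def __init__(self, frequency=4, timeframe=60, ignore=60):
        self.frequency, self.timeframe, self.ignore = frequency, timeframe, ignore
        self.window = defaultdict(deque)      # (srcip, dstip) -> deque of (ts, dstport)
        self.ignore_until = {}                # (srcip, dstip) -> epoch until which we stay quiet

    def feed(self, ev):
        key = (ev["srcip"], ev["dstip"])
        if ev["ts"] < self.ignore_until.get(key, 0):
            return None                       # still inside the post-alert ignore window
        q = self.window[key]
        q.append((ev["ts"], ev["dstport"]))
        while ev["ts"] - q[0][0] > self.timeframe:
            q.popleft()                       # drop events older than the timeframe
        ports = sorted({p for _, p in q})     # distinct ports: the different_dstport test
        if len(ports) < self.frequency:
            return None
        self.ignore_until[key] = ev["ts"] + self.ignore
        q.clear()
        return {"srcip": ev["srcip"], "dstip": ev["dstip"], "ports": ports}

def run(lines, **kw):  # parse raw lines, correlate them, return the alerts produced
    corr = PortScanCorrelator(**kw)
    return [a for a in map(corr.feed, filter(None, map(parse_deny, lines))) if a]

# Constructed samples in the thread's line format. The thread's own Deny lines all hit
# dst port 23432 (only the source port changes), so they can never satisfy this rule.
LINE = ('2026-04-10T20:28:%02d+05:00 10.40.1.150 : %%FTD-session-4-106023: Deny tcp src '
        'inside:10.40.230.218/%d dst PDC-SBP-RAAST:192.168.250.20/%d by access-group "CSM_FW_ACL_"')
THREAD_LIKE = [LINE % (25 + i, 20853 + i, 23432) for i in range(6)]
SCAN_LIKE = [LINE % (30 + i, 40000 + i, p) for i, p in enumerate((22, 80, 443, 3389))]
```

`run(THREAD_LIKE)` returns no alerts and `run(SCAN_LIKE)` returns one; the parser also accepts the full archives.log lines with the `2026 Apr 10 ... output.log` prefix, since it searches for the first ISO timestamp.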

areeeba fatima

Apr 10, 2026, 3:58:44 PM (4 days ago) Apr 10
to Wazuh | Mailing List

Thank you for your response.

I tried the rule you shared, but it is still not triggering. Rule 100006 is firing correctly, but the correlation rule based on it is not working.

I suspect it might be due to the dependency chain (100005 → 100006) or possibly field matching or frequency conditions not being met.

Screenshot 2026-04-10 195647.png

Also, I noticed that firedtimes is incrementing for rule 100006, but it seems the correlation rule is not picking it up.

I would appreciate your insight on whether I should:

Screenshot 2026-04-11 004826.png

Screenshot 2026-04-11 004014.png