SIEM queries for port scan detection generated with ChatGPT. Used this way, the tool helps a security team draft baseline detection rules for a range of attack techniques. We generated three detection rules for the same attack, one for each of three SIEM platforms [Splunk, ELK & LogRhythm].
Port Scan Detection:
A port scan is a technique commonly used by adversaries to discover which ports are open, and therefore which services are reachable, on a targeted server.
A basic TCP port scan sends a probe to each port of interest, up to all 65,535 usable ports, one after another rather than all at once. A full connect scan completes the TCP three-way handshake (SYN, SYN-ACK, ACK) on every port; a half-open SYN scan sends only the SYN and treats a SYN-ACK reply as proof that the port is open. Either way the scanner learns which ports respond; whether the service behind a port is vulnerable is a separate question the scan itself does not answer.
Detecting port Scan:
The SIEM queries listed below do not track the full three-way handshake; they inspect the TCP flags of individual packets. The generated rule matches two combinations: a SYN packet (used to initiate a TCP connection) with the ACK flag unset, or a FIN packet (used to close a TCP connection) with the ACK flag set.
Two caveats apply before deploying such a rule. First, a SYN with ACK unset is the first packet of every TCP connection, legitimate ones included, so on its own it matches all client traffic, and FIN with ACK set is how a normal session closes; the signature of a FIN scan is a bare FIN with the ACK flag unset. Second, what makes these packets indicative of a scan is not the flags but the volume and spread: one source sending them to many destination ports on the same host in a short time. Aggregating per source address and counting distinct destination ports is what turns the flag match into a usable detection of an attempt to probe your systems.
SIEM Rule
Port Scan detection rule on Elastic Stack [ELK]
{
  "query": {
    "bool": {
      "should": [
        {
          "bool": {
            "must": [
              { "match": { "tcp.flags.syn": 1 } },
              { "match": { "tcp.flags.ack": 0 } }
            ]
          }
        },
        {
          "bool": {
            "must": [
              { "match": { "tcp.flags.fin": 1 } },
              { "match": { "tcp.flags.ack": 1 } }
            ]
          }
        }
      ]
    }
  }
}
Port Scan detection rule for SPLUNK
sourcetype=tcp ((tcp.flags.syn=1 AND tcp.flags.ack=0) OR (tcp.flags.fin=1 AND tcp.flags.ack=1)) | stats count, dc(dest_port) AS ports BY src_ip, dest_ip | where ports > 100
The generated version wrapped the flag filter in a subsearch, which is unnecessary here and returns the matched field values as search terms instead of filtering events; the filter belongs in the base search. The threshold is applied to distinct destination ports per source/destination pair, since a port scan is one source touching many ports, whereas a plain event count also trips on a busy client opening many connections to one service.
Port Scan detection rule for LogRhythm
IF (tcp.flags.syn == 1 AND tcp.flags.ack == 0) OR (tcp.flags.fin == 1 AND tcp.flags.ack == 1) THEN ALERT('Possible port scan detected')
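The following Python script is an added example, not part of the original post and not output from ChatGPT or any of the three SIEM products. It runs the flag logic explained under "Detecting port scan" and the per-source aggregation used in the Splunk rule over a constructed packet log (tcpdump-style flag letters, invented addresses and timestamps), and contrasts the page's flag-only rule with a hardened version that classifies a bare FIN as the FIN-scan signature and alerts only when one source probes more than a threshold of distinct ports on one host inside a time window. The window size and port threshold are assumed values a practitioner would tune to their own environment.

```python
"""Port-scan detection over constructed TCP header records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed tuning values: alert when one source probes more than
# PORT_THRESHOLD distinct ports on one host within WINDOW.
WINDOW = timedelta(seconds=60)
PORT_THRESHOLD = 50
TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def build_sample_log():
    """Constructed log lines (not real traffic): <ts> <src> <dst> <dport> <flags>.

    Flags use tcpdump letters: S=SYN, A=ACK, F=FIN, P=PSH.
    """
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(offset_ms, src, dst, dport, flags):
        ts = (t0 + timedelta(milliseconds=offset_ms)).strftime(TS_FMT)
        lines.append(f"{ts} {src} {dst} {dport} {flags}")

    # 1. Legitimate HTTPS client: SYN, ACK, data, graceful FIN+ACK close.
    #    Its first and last packets are exactly what the baseline rule matches.
    add(0, "10.0.0.5", "203.0.113.10", 443, "S")
    add(20, "10.0.0.5", "203.0.113.10", 443, "A")
    add(30, "10.0.0.5", "203.0.113.10", 443, "PA")
    add(900, "10.0.0.5", "203.0.113.10", 443, "FA")
    # 2. Half-open SYN scanner sweeping 150 ports in about two seconds.
    for i, port in enumerate(range(1, 151)):
        add(1000 + i * 13, "198.51.100.7", "203.0.113.10", port, "S")
    # 3. FIN scanner: bare FIN with ACK unset, 120 ports.
    for i, port in enumerate(range(1, 121)):
        add(5000 + i * 17, "198.51.100.9", "203.0.113.10", port, "F")
    return lines


def parse_line(line):
    ts, src, dst, dport, flags = line.split()
    return {
        "ts": datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc),
        "src": src, "dst": dst, "dport": int(dport),
        "syn": "S" in flags, "ack": "A" in flags, "fin": "F" in flags,
    }


def matches_baseline_rule(pkt):
    """The page's generated rule as written: SYN without ACK, or FIN with ACK."""
    return (pkt["syn"] and not pkt["ack"]) or (pkt["fin"] and pkt["ack"])


def probe_kind(pkt):
    """Hardened classification of a single packet.

    SYN without ACK starts every TCP connection, so it is only a candidate and
    the aggregation decides. A bare FIN (no ACK, no SYN) never occurs in a normal
    session and is the FIN-scan signature; FIN+ACK is an ordinary close.
    """
    if pkt["syn"] and not pkt["ack"]:
        return "syn"
    if pkt["fin"] and not pkt["ack"] and not pkt["syn"]:
        return "fin"
    return None


def baseline_hits(lines):
    """Source IPs the flag-only rule alerts on (benign client included, FIN scanner missed)."""
    return {p["src"] for p in map(parse_line, lines) if matches_baseline_rule(p)}


def detect_scans(lines, window=WINDOW, threshold=PORT_THRESHOLD):
    """Return {(src, dst, kind): max distinct ports seen inside one window} for offenders."""
    events = defaultdict(list)  # (src, dst, kind) -> [(ts, dport), ...]
    for pkt in map(parse_line, lines):
        kind = probe_kind(pkt)
        if kind:
            events[(pkt["src"], pkt["dst"], kind)].append((pkt["ts"], pkt["dport"]))

    alerts = {}
    for key, evs in events.items():
        evs.sort()
        start, in_window = 0, defaultdict(int)  # sliding window of port counts
        for ts, port in evs:
            in_window[port] += 1
            while ts - evs[start][0] > window:  # expire probes older than the window
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > threshold:
                alerts[key] = max(alerts.get(key, 0), len(in_window))
    return alerts


if __name__ == "__main__":
    log = build_sample_log()
    print("baseline rule fires on:", sorted(baseline_hits(log)))
    print("hardened detector alerts:", detect_scans(log))
```

On the constructed log the baseline rule fires on the legitimate client (its SYN and its FIN+ACK close) and never sees the FIN scanner, while the hardened detector alerts only on the two scanners with the number of distinct ports each one touched.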
Note: ChatGPT only helps to create a baseline rule; each rule still requires substantial hardening and fine-tuning before it is deployed.