
Question on Rules Creation & Notification Timing

One of my clients requested a rule to alert if anyone starts scanning on a particular TCP port from the outside. They collect logs from a number of perimeter devices and asked for a threshold of 10 unique IPs being scanned by a single source.

I set up the rule to look at:

TCPTrafficAudit.DestinationPort= <application Port number>

AND

TCPTrafficAudit.Protocol=TCP

Correlation Time:

10 Events within 60 seconds

Response Window: 5 minutes

Advanced Threshold:

TCPTrafficAudit.SourceMachine - Same

TCPTrafficAudit.DestinationMachine - Distinct

With so many people out there scanning network addresses often for popular applications I imagine this rule will probably be firing quite a bit. Is there any way to make sure that it only fires once per (day/hour) for a single unique source IP? Would setting the Re-Infer (TOT) mean that all additional unique IPs that also scan for this port during the time be missed? I.e., first bad actor scans 10 unique IPs, alert fires. Second bad actor scans 10 minutes later, alert should fire. If the Re-Infer (TOT) was set to 15 minutes would I miss the second instance?

Thank you for any tips, tricks, or feedback.

  • First of all, if you think 10 unique events in 60 seconds will fire too many rules, you should consider increasing that event count to be greater than 10 for a true representation of abnormal activity.

    To answer your question for your rule definition, each unique source machine that matches the correlation criteria should result in a correlation rule being fired. So, if your second 'bad actor' (I am assuming you mean source machine here) is a different IP than the first 'bad actor', it should result in another rule being fired. However, it should not trigger any action for 15 minutes for the same source IP even though you may see 10 events in a rolling time frame of 60 seconds.

    From the admin guide:

    1. Open the Set Advanced Thresholds form.

    2. Select the Re-Infer (TOT) check box if you want to define a second threshold. Then use the adjacent fields to type or select the threshold's time interval and unit of measure.

    The Re-Infer (TOT) option defines the period in which an alert must remain above the threshold before the system issues a new notification and/or active response.

    For example, suppose an alert has exceeded the threshold, and the alert's Re-Infer (TOT) period is 1 Hour. If the alert stays above the threshold for more than 1 hour, the system will issue an additional notification or active response at the end of 1 hour.

  • Adjusting the threshold is part of the discovery process. Each client has a different level of exposed threat space. After letting it run for 12 hours I did up the threshold for one common application port but not the others. The good thing about the scans is that they are only taking less than a minute so the rule only fires once during that time.

    i.e. the scan actually hit 500 addresses in 45 seconds and only one alert email is sent.

    So with Re-Infer, it treats each firing of the rule as its own instance? Exactly what I was hoping.

    Thank you for the reply.
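To make the behaviour discussed in this thread concrete, below is an added example that is not part of the original posts and not the SIEM product's own code. It models the rule as posted (same SourceMachine, distinct DestinationMachine, 10 events in a 60-second rolling window on one TCP port) and the Re-Infer (TOT) period as the first reply describes it: a per-source suppression window, so a second source still fires while a repeat from the first source inside the period is suppressed. The field names mirror the TCPTrafficAudit.* fields above; the reading of "Distinct" as "count unique destinations per source" and of Re-Infer as a per-source hold-down are assumptions drawn from the replies, and the flow records are constructed for the demo, including the "500 addresses in 45 seconds" sweep from the follow-up post.

```python
"""Sliding-window port-scan correlation with a per-source Re-Infer (TOT) hold-down.

Added example, not code from the original thread or from the SIEM vendor.
Assumptions: 'Distinct' on DestinationMachine means unique destinations are
counted per source; Re-Infer (TOT) suppresses further alerts for the SAME
source until the period elapses and does not affect other sources.
"""
from collections import defaultdict, deque


def correlate_port_scans(events, port, min_distinct=10, window_s=60, reinfer_s=15 * 60):
    """Return a list of (ts, source) alerts for the rule described in the post.

    events: iterable of dicts with keys ts (seconds), SourceMachine,
            DestinationMachine, DestinationPort, Protocol (any order; sorted here).
    """
    recent = defaultdict(deque)   # source -> (ts, dst) pairs still inside the window
    last_alert = {}               # source -> ts of the last alert for that source
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        # Rule filter: TCPTrafficAudit.DestinationPort = <port> AND Protocol = TCP
        if ev["Protocol"] != "TCP" or ev["DestinationPort"] != port:
            continue
        src, ts = ev["SourceMachine"], ev["ts"]
        q = recent[src]                        # "SourceMachine - Same": group per source
        q.append((ts, ev["DestinationMachine"]))
        while q and ts - q[0][0] > window_s:   # expire flows outside the rolling window
            q.popleft()
        distinct = {dst for _, dst in q}       # "DestinationMachine - Distinct"
        if len(distinct) < min_distinct:
            continue
        # Re-Infer (TOT): once a source has fired, hold it down for reinfer_s seconds.
        # Without this the rule fires on every further flow while the window stays
        # above threshold (see run_demo with reinfer_s=0).
        if src in last_alert and ts - last_alert[src] < reinfer_s:
            continue
        last_alert[src] = ts
        alerts.append((ts, src))
    return alerts


def _flow(ts, src, dst, port=443, proto="TCP"):
    """Build one constructed TCPTrafficAudit-style record."""
    return {"ts": ts, "SourceMachine": src, "DestinationMachine": dst,
            "DestinationPort": port, "Protocol": proto}


# Constructed sample traffic (RFC 5737 / private addresses, not real hosts).
SAMPLE_EVENTS = (
    # scanner A sweeps 500 distinct hosts in 45 s: should alert exactly once
    [_flow(i * 45 / 500, "203.0.113.10", f"10.0.{i // 250}.{i % 250}") for i in range(500)]
    # scanner B, ten minutes later, hits 10 distinct hosts: a different source, should alert
    + [_flow(600 + i, "203.0.113.20", f"10.0.5.{i}") for i in range(10)]
    # scanner A again at 12 min: inside its 15-minute Re-Infer period, suppressed
    + [_flow(720 + i, "203.0.113.10", f"10.0.6.{i}") for i in range(10)]
    # host C sends 30 flows to ONE destination: not distinct, no alert
    + [_flow(900 + i, "203.0.113.30", "10.0.8.1") for i in range(30)]
    # scanner D probes a different port: outside this rule's filter
    + [_flow(1000 + i, "203.0.113.40", f"10.0.9.{i}", port=22) for i in range(10)]
    # scanner A at 20 min: Re-Infer period has elapsed, alerts again
    + [_flow(1200 + i, "203.0.113.10", f"10.0.7.{i}") for i in range(10)]
)


def run_demo(reinfer_s=15 * 60):
    """Run the rule over the sample traffic; returns the alert list."""
    return correlate_port_scans(SAMPLE_EVENTS, port=443, reinfer_s=reinfer_s)


if __name__ == "__main__":
    for ts, src in run_demo():
        print(f"t={ts:7.2f}s  port-scan alert for source {src}")
    print(f"with no Re-Infer hold-down: {len(run_demo(reinfer_s=0))} alerts")
```

With the 15-minute hold-down the sample produces three alerts: source A when its tenth distinct destination is seen (well before the sweep finishes), source B at 609 s, and A again at 1209 s; A's repeat at 720 s is held down. With the hold-down set to zero the same traffic produces 494 alerts, 491 of them from the single 45-second sweep, which is the flood the original question was worried about.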