2 Replies Latest reply on Jul 9, 2014 9:37 AM by valkyrja

    Question on Rules Creation & Notification Timing

    valkyrja

      One of my clients requested a rule to alert if anyone starts scanning on a particular TCP port from the outside. They collect logs from a number of perimeter devices and asked for a threshold of 10 unique IPs being scanned by a single source.

      I set up the rule to look at:

      TCPTrafficAudit.DestinationPort= <application Port number>

      AND

      TCPTrafficAudit.Protocol=TCP


      Correlation Time:

      10 Events within 60 seconds

      Response Window: 5 minutes

      Advanced Threshold:

      TCPTrafficAudit.SourceMachine - Same

      TCPTrafficAudit.DestinationMachine - Distinct

      With so many people out there scanning network addresses often for popular applications I imagine this rule will probably be firing quite a bit. Is there any way to make sure that it only fires once per (day/hour) for a single unique source IP? Would setting the Re-Infer (TOT) mean that all additional unique IPs that also scan for this port during the time be missed? I.e. first bad actor scans 10 unique IPs, alert fires. Second bad actor scans 10 minutes later, alert should fire. If the Re-Infer (TOT) was set to 15 minutes would I miss the second instance?


      Thank you for any tips, tricks, or feedback.

        • Re: Question on Rules Creation & Notification Timing
          HolyGuacamole

          First of all, if you think 10 unique events in 60 seconds will fire too many rules, you should consider increasing that event count to be greater than 10 for a true representation of abnormal activity.

          To answer your question for your rule definition, each unique source machine that matches the correlation criteria should result in a correlation rule being fired. So, if your second 'bad actor' (I am assuming you mean source machine here) is a different IP than the first 'bad actor', it should result in another rule being fired. However, it should not trigger any action for 15 minutes for the same source IP even though you may see 10 events in a rolling time frame of 60 seconds.

           

          From the admin guide:

          1. Open the Set Advanced Thresholds form.

          2. Select the Re-Infer (TOT) check box if you want to define a second threshold. Then use the adjacent fields to type or select the threshold's time interval and unit of measure.

          The Re-Infer (TOT) option defines the period in which an alert must remain above the threshold before the system issues a new notification and/or active response.

          For example, suppose an alert has exceeded the threshold, and the alert's Re-Infer (TOT) period is 1 Hour. If the alert stays above the threshold for more than 1 hour, the system will issue an additional notification or active response at the end of 1 hour.
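To make the timing question concrete, here is a small added model of the rule in Python. It is example code written for this page, not code from the thread, the poster, or the log-management product, and it does not claim to reproduce the product's exact Re-Infer semantics beyond what the admin-guide excerpt says. It assumes a hypothetical application port 3389 standing in for `<application Port number>`, constructed perimeter log records, and a simplified model: per source machine, count distinct destination machines hitting the port inside a 60-second sliding window; when the count reaches 10 the rule fires and that source is suppressed for the TOT period (15 minutes), while every other source is tracked independently. It also shows what happens with no TOT at all.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

APP_PORT = 3389          # hypothetical stand-in for "<application Port number>"
EVENT_COUNT = 10         # distinct destinations from one source ...
CORR_WINDOW = 60         # ... within this many seconds (the "10 events within 60 seconds")
REINFER_TOT = 15 * 60    # Re-Infer (TOT): suppress repeat alerts for the same source for 15 min


@dataclass(frozen=True)
class Event:
    ts: int        # epoch seconds (integers keep the example easy to follow)
    src: str       # TCPTrafficAudit.SourceMachine
    dst: str       # TCPTrafficAudit.DestinationMachine
    dport: int     # TCPTrafficAudit.DestinationPort
    proto: str     # TCPTrafficAudit.Protocol


def correlate(events, app_port=APP_PORT, count=EVENT_COUNT, window=CORR_WINDOW, tot=REINFER_TOT):
    """Return a list of (ts, src, distinct_destinations) alerts.

    Simplified model of the rule in the thread: filter on port/protocol, key the
    correlation on SourceMachine ("Same"), count DestinationMachine ("Distinct")
    inside a sliding window, and apply a per-source Re-Infer (TOT) suppression.
    A tot of 0 means no suppression, which shows why the rule would be noisy.
    """
    windows = defaultdict(deque)   # src -> deque of (ts, dst) inside the window
    last_alert = {}                # src -> ts of the last alert actually issued
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.dport != app_port or e.proto != "TCP":
            continue                                   # not matched by the rule filter
        q = windows[e.src]
        q.append((e.ts, e.dst))
        while q and e.ts - q[0][0] > window:
            q.popleft()                                # drop hits older than the window
        distinct = {dst for _, dst in q}
        if len(distinct) < count:
            continue
        q.clear()                                      # threshold reached: count the next batch afresh
        if e.src in last_alert and e.ts - last_alert[e.src] < tot:
            continue                                   # inside TOT for this source: no new notification
        last_alert[e.src] = e.ts
        alerts.append((e.ts, e.src, len(distinct)))
    return alerts


def sample_events():
    """Constructed log records for the scenarios in the thread (not real traffic)."""
    evs = []

    def scan(src, t0, n, port=APP_PORT):
        # one source probing n distinct destinations, one per second, starting at t0
        for i in range(n):
            evs.append(Event(t0 + i, src, f"10.0.0.{i + 1}", port, "TCP"))

    scan("203.0.113.5", 0, 12)             # first bad actor: 12 hosts in 12 s -> alert at the 10th
    scan("203.0.113.5", 300, 10)           # same actor 5 min later -> inside TOT, suppressed
    scan("198.51.100.7", 600, 10)          # second bad actor 10 min later -> its own alert
    scan("203.0.113.5", 1000, 10)          # first actor after TOT expired -> alerts again
    scan("192.0.2.9", 50, 10, port=8443)   # different port: filtered out by the rule
    for i in range(10):                    # one destination hit repeatedly: 1 distinct, no alert
        evs.append(Event(2000 + i, "192.0.2.10", "10.0.0.99", APP_PORT, "TCP"))
    return evs


if __name__ == "__main__":
    for ts, src, n in correlate(sample_events()):
        print(f"t={ts:>5}s  source={src:<14} distinct destinations={n}")
    print("alerts with no TOT:", len(correlate(sample_events(), tot=0)))
```

Running it produces three alerts with the 15-minute TOT: the first actor at t=9, the second actor at t=609 (its own source key, so the first actor's suppression does not hide it), and the first actor again at t=1009 once its TOT has elapsed; the repeat scan at t=300 from the first actor is suppressed. With `tot=0` the same input yields four alerts, because nothing stops the first actor from re-firing every time it crosses the threshold.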

            • Re: Question on Rules Creation & Notification Timing
              valkyrja

              Adjusting the threshold is part of the discovery process. Each client has a different level of exposed threat space. After letting it run for 12 hours I did up the threshold for one common application port but not the others. The good thing about the scans is that they are only taking less than a minute so the rule only fires once during that time.


              i.e. the scan actually hit 500 addresses in 45 seconds and only one alert email is sent.


              So with Re-Infer, it treats each firing of the rule as its own instance? Exactly what I was hoping.


              Thank you for the reply.