Scan Detection Bundle

bundle

#1

#### Bundle details and download

https://www.extrahop.com/community/bundles/cshaw/scan-detection-bundle/

#### Description

This bundle provides insight into potential instances of network and port scanning by analyzing commonly used protocols and behavior patterns. The reachability and service scans that this bundle attempts to find can be indicative of an upcoming, more targeted network attack, so the early warning that these metrics provide can help you find problems before they become critical.


#2

Nice work @cshaw!


#3

Is there a way to exclude certain IPs? I tried adding this to the TCP Port Scans trigger with one of our IPs in it, but it didn’t work.

```javascript
// IPs we want to ignore (placeholder: replace with your own address)
var IP_IGNORE_LIST = ['<your-ip-here>'];

// Compare as a string in case ipaddrs holds address objects rather than plain strings
if (IP_IGNORE_LIST.indexOf(String(MetricRecord.object.ipaddrs[0])) > -1) {
    return;
}
```


#4

I’ve got some TCP Scans by Destination IPs showing up on the dashboard, but the TCP Scans by Source is blank. Anyone seen this?


#5

Is there a way to get an alert set up if we see scans from IP ranges we would not normally see??
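An added example covering both the ignore-list question in #3 and the unexpected-range question in #5: plain JavaScript (not the bundle's own trigger code) that matches a scan source against ignore and expected CIDR lists. It assumes the trigger hands over the device IP as a dotted-quad IPv4 string; the lists themselves are constructed sample values.

```javascript
// Added example: CIDR-aware IP filtering for a scan-detection trigger.
// Plain JavaScript, no ExtraHop API calls; the trigger is assumed to
// pass the device IP in as a dotted-quad IPv4 string.

// Constructed sample lists, not taken from the bundle.
var IP_IGNORE_LIST = ['10.0.0.5', '10.0.1.0/24'];      // e.g. approved vulnerability scanners
var EXPECTED_RANGES = ['10.0.0.0/8', '192.168.0.0/16']; // ranges we normally see traffic from

// Convert dotted-quad IPv4 to an unsigned 32-bit integer; null if malformed.
function ipv4ToInt(ip) {
  var parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    var octet = Number(parts[i]);
    if (!/^\d{1,3}$/.test(parts[i]) || octet > 255) return null;
    n = (n * 256) + octet;
  }
  return n;
}

// True if ip falls inside entry, where entry is a host IP or a.b.c.d/len.
function inCidr(ip, entry) {
  var bits = entry.split('/');
  var base = ipv4ToInt(bits[0]);
  var addr = ipv4ToInt(ip);
  if (base === null || addr === null) return false;
  var len = bits.length > 1 ? Number(bits[1]) : 32;
  if (!(len >= 0 && len <= 32)) return false;
  if (len === 0) return true;
  // Divide instead of shifting: JS bitwise ops are signed 32-bit.
  var block = Math.pow(2, 32 - len);
  return Math.floor(base / block) === Math.floor(addr / block);
}

function matchesAny(ip, list) {
  for (var i = 0; i < list.length; i++) {
    if (inCidr(ip, list[i])) return true;
  }
  return false;
}

// 'ignore'     -> on the ignore list, skip the metric (post #3)
// 'expected'   -> inside a range we normally see
// 'unexpected' -> candidate for an alert (post #5)
function classifyScanSource(ip) {
  if (matchesAny(ip, IP_IGNORE_LIST)) return 'ignore';
  if (matchesAny(ip, EXPECTED_RANGES)) return 'expected';
  return 'unexpected';
}
```

In a trigger, call classifyScanSource on the scan source address and return early on 'ignore', or raise your alert metric on 'unexpected'.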