Today, I am going to walkthrough some of the monitoring techniques that could be used within splunk to watch out for port scanning and malicious smtp traffic within firewall logs.
· Port Scan detection (i.e. a single source to a single destination, on multiple dst_ports in a given time)
…|earliest=-15m@m latest=-5m@m| bin _time span=1m | stats dc(dest_port) as port_count by src_ip, dest_ip _time | where port_count > 100
- · Port Sweep detection (i.e. single source to multiple destinations on a single port in a given time)
…|earliest=-15m@m latest=-5m@m| bin _time span=1m | stats dc(dest_ip) as multiple_dest by src_ip, dest_port _time | where multiple_dest > 100
- · Multiple dropped/blocked connection attempts on high ports (over 1024) within a certain timeframe
…|dest_port>1024 (action="blocked" OR action="deny*" OR action="drop*") earliest=-15m@m latest=-5m@m| bin _time span=1m | stats count by src_ip, dest_port | where count > 100
- · Detection of anything on dst_port 6667
… dest_port=6667 | stats count by src_ip, dest_ip, action, dest_port
- · Known malicious port activity
…….dest_port=666 OR dest_port=1001 OR dest_port=1011 OR dest_port=1170 OR dest_port=1234 OR dest_port=1245 OR dest_port=1492 OR dest_port=1600 OR dest_port=1807 OR dest_port=1981 OR dest_port=1999 OR dest_port=2001 OR dest_port=2023 OR dest_port=2115 OR dest_port=2140 OR dest_port=2801 OR dest_port=30129 OR dest_port=3700 OR dest_port=4092 OR dest_port=4590 OR dest_port=4156 | chart count by dest_port
Additionally, monitoring outbound email traffic, regardless of whether the traffic is allowed or blocked by the firewall, is a highly effective method for detecting compromised hosts its important to keep an eye out for a massive amount of SMTP outbound traffic
Also,monitor any outbound traffic destined for port 25. However, be sure to exclude valid SMTP senders such as mail servers, web servers which email forms and vulnerability scanners..
Part two with more detail will continue.