Yelp / elastalert

Easy & Flexible Alerting With ElasticSearch
https://elastalert.readthedocs.org
Apache License 2.0

Port Scan Detection #1615

Open seclyn opened 6 years ago

seclyn commented 6 years ago

Hello - I've been trying extensively on this. I'd like to alert when an external source hits more than 25 unique ports on the firewall, with the goal being to detect port scans. I assume based on this I need the cardinality rule (I did try a change rule as well).

However, when the rule runs, even though I have it set to max = 25 over 5 minutes, it's triggering on, for example, 5 events, all with the same destination_port, and pretty much fires non-stop. But again, researching the events, the port isn't changing, or at least not 25 times. I'm sure I'm overlooking something, but any help would be appreciated.

```yaml
es_host: elasticsearch
es_port: 9200
name: "Vulnerability Scanning Detected"
alert_subject: "Vulnerability Scanning Detected SRC: {0}"
alert_subject_args:
```

sathishdsgithub commented 6 years ago

@seclyn

Use aggregation_key to get single email

seclyn commented 6 years ago

Would that not just send me an e-mail of all source IPs triggering the alert? I think the logic in my rule is already incorrect. If it's triggering on 4 events from a single IP against port 443, that seems wrong? Shouldn't it be a single IP with 25+ events against 25+ unique ports?

AndreLouisCaron commented 6 years ago

@seclyn I think there is a missing AND before the NOT in the query. That might make the query return more results than you expect it to, explaining why the alert is triggered too often?

Also, it might help if you could indent the YAML document so that we can read it more easily.

sathishdsgithub commented 6 years ago

@seclyn I use the below logic for port scan activity and it works fine for me.


```yaml
# The logic below is the cardinality rule; type is required or the rule will not load.
# name, index and alert are also required fields and are omitted here.
type: cardinality

timeframe:
  minutes: 5

# One distinct-port count per (source_ip, destination_ip) pair
query_key: [source_ip, destination_ip]
cardinality_field: "destination_port"
max_cardinality: 25

# filter is a list of clauses. The Lucene string contains double quotes,
# so the outer YAML quotes must be single quotes (or the inner ones escaped).
filter:
- query:
    query_string:
      query: 'event_type: firewall AND tags: "external_source" NOT source_port: ("443" OR "80")'

# Collapse every match for the same source into one alert per 10 minutes
aggregation_key: source_ip
aggregation:
  minutes: 10
```

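As an added worked example (not code from this thread and not ElastAlert's own implementation), the stand-alone Python model below reproduces what that rule's `query_key`, `cardinality_field`, `max_cardinality`, `timeframe` and `aggregation` settings do, run over constructed firewall events. It covers the cases discussed above: one external host sweeping 30 ports fires, one external host hitting port 443 five times never exceeds a cardinality of 1, and events that the `filter` excludes (no `external_source` tag, or `source_port` 443/80) are never counted. Field names follow the rule above; the window handling is simplified and ElastAlert's buffering and `realert` behaviour are not modelled.

```python
"""Simplified model of the cardinality + aggregation logic of the rule above.

Added example, not ElastAlert's code. Field names follow the rule above;
every event below is constructed for illustration, not a real log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Settings taken from the rule above
TIMEFRAME = timedelta(minutes=5)
MAX_CARDINALITY = 25
QUERY_KEY = ("source_ip", "destination_ip")
CARDINALITY_FIELD = "destination_port"
AGGREGATION_KEY = "source_ip"
AGGREGATION = timedelta(minutes=10)


def matches_filter(event):
    """Python equivalent of the rule's query_string filter:
    event_type: firewall AND tags: "external_source" NOT source_port: ("443" OR "80")
    """
    return (
        event.get("event_type") == "firewall"
        and "external_source" in event.get("tags", [])
        and str(event.get("source_port")) not in ("443", "80")
    )


def cardinality_matches(events):
    """One match per filtered event that pushes the number of distinct
    destination_port values seen for a (source_ip, destination_ip) pair within
    the trailing timeframe above max_cardinality. The cache is not reset on a
    match, so a scan that stays above the threshold keeps matching until old
    ports age out; aggregation (below) is what collapses that into one alert.
    Five hits on the same port only ever count as one distinct value.
    """
    seen = defaultdict(list)  # query key -> [(timestamp, port), ...]
    matches = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_filter(ev):
            continue
        key = tuple(ev[f] for f in QUERY_KEY)
        ts = ev["@timestamp"]
        seen[key] = [(t, p) for t, p in seen[key] if t >= ts - TIMEFRAME]
        seen[key].append((ts, ev[CARDINALITY_FIELD]))
        distinct = {p for _, p in seen[key]}
        if len(distinct) > MAX_CARDINALITY:
            matches.append({"@timestamp": ts, "source_ip": key[0],
                            "destination_ip": key[1], "cardinality": len(distinct)})
    return matches


def aggregate(matches):
    """Collapse matches into one alert per aggregation_key per aggregation window."""
    alerts, open_alerts = [], {}
    for m in sorted(matches, key=lambda m: m["@timestamp"]):
        k = m[AGGREGATION_KEY]
        current = open_alerts.get(k)
        if current is not None and m["@timestamp"] < current["window_end"]:
            current["matches"].append(m)
        else:
            current = {AGGREGATION_KEY: k, "matches": [m],
                       "window_end": m["@timestamp"] + AGGREGATION}
            alerts.append(current)
            open_alerts[k] = current
    return alerts


def sample_events():
    """Constructed firewall events covering the cases discussed in the thread."""
    t0 = datetime(2019, 1, 1, 12, 0, 0)

    def fw(seconds, src, sport, dst, dport, tags=("external_source",)):
        return {"@timestamp": t0 + timedelta(seconds=seconds), "event_type": "firewall",
                "tags": list(tags), "source_ip": src, "source_port": sport,
                "destination_ip": dst, "destination_port": dport}

    events = []
    # 1) external host sweeps 30 distinct ports in 150 s: should alert
    events += [fw(5 * i, "203.0.113.5", 40000 + i, "198.51.100.10", 1000 + i)
               for i in range(1, 31)]
    # 2) external host hits 443 five times (the case in the question): cardinality 1, no alert
    events += [fw(10 * i, "203.0.113.9", 50000 + i, "198.51.100.10", 443) for i in range(5)]
    # 3) internal host sweeping ports without the external_source tag: dropped by the filter
    events += [fw(5 * i, "10.0.0.7", 30000 + i, "198.51.100.10", 1000 + i, tags=("internal",))
               for i in range(1, 31)]
    # 4) scanner traffic with source_port 443: excluded by the NOT clause, not counted
    events.append(fw(200, "203.0.113.5", 443, "198.51.100.10", 2000))
    return events


def run(events=None):
    """Apply the rule to the events and return (matches, aggregated alerts)."""
    events = sample_events() if events is None else events
    matches = cardinality_matches(events)
    return matches, aggregate(matches)


if __name__ == "__main__":
    matches, alerts = run()
    print(f"{len(matches)} matches collapsed into {len(alerts)} alert(s)")
    for a in alerts:
        print(a["source_ip"], "peak distinct ports:", max(m["cardinality"] for m in a["matches"]))
```

Running it gives five matches (the 26th through 30th distinct port from 203.0.113.5) collapsed into a single alert, and nothing at all for the host that only hit 443 five times; if a real rule fires on that second pattern, the `query_key`/`cardinality_field` pair or the filter is not what it appears to be.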
2nutz4u commented 5 years ago

@sathishdsgithub I am new to elk stack. I have setup elastiflow. I would like to setup port detection and get alerted. How do I go about utilizing the logic you have provided? Thank you.