Reconnaissance
Use the IBM Security QRadar Reconnaissance Content Extension for focus on reconnaissance events and detection.
Important: To avoid content errors in this content extension, keep the associated DSMs
up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not
enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).
IBM Security QRadar Reconnaissance Content Extension 1.0.3
The following table shows the rules and building blocks that are updated in IBM Security QRadar Reconnaissance Content Extension 1.0.3.
| Name | Description |
|---|---|
| BB:ReconDetected: Devices That Merge Recon into Single Events | Changed to last condition to "and when an event matches any of the following BB:DeviceDefinition: IDS / IPS" from "and when the event(s) were detected by one or more of the TippingPoint Intrusion Prevention System (IPS)". |
| Remote ICMP Scanner | Removed rule condition: “and NOT when a flow or an event matches any of the following Remote Database Scanner, Remote DHCP Scanner, Remote FTP Scanner, Remote Game Server Scanner, Remote IM Server Scanner, Remote IRC Server Scanner, Remote LDAP Server Scanner, Remote Mail Server Scanner, Remote P2P Scanner, Remote Proxy Server Scanner, Remote RPC Server Scanner, Remote SNMP Scanner, Remote SSH Server Scanner, Remote Web Server Scanner, Remote Windows Server Scanner”. |
The following rules and building blocks are removed in IBM Security QRadar Reconnaissance Content Extension 1.0.3 because they are now included in IBM Security QRadar by default.
- BB:CategoryDefinition: Recon Event Categories
- BB:CategoryDefinition: Recon Events
- BB:CategoryDefinition: Recon Flows
- BB:CategoryDefinition: Suspicious Event Categories
- BB:CategoryDefinition: Suspicious Events
- BB:CategoryDefinition: Suspicious Flows
- BB:CategoryDefinition: Unidirectional Flow
- BB:CategoryDefinition: Unidirectional Flow DST
- BB:CategoryDefinition: Unidirectional Flow SRC
- BB:Flowshape: Inbound Only
- BB:Flowshape: Outbound Only
- BB:HostDefinition: Database Servers
- BB:HostDefinition: DHCP Servers
- BB:HostDefinition: DNS Servers
- BB:HostDefinition: FTP Servers
- BB:HostDefinition: LDAP Servers
- BB:HostDefinition: Mail Servers
- BB:HostDefinition: Network Management Servers
- BB:HostDefinition: Proxy Servers
- BB:HostDefinition: RPC Servers
- BB:HostDefinition: Servers
- BB:HostDefinition: SNMP Sender or Receiver
- BB:HostDefinition: SSH Servers
- BB:HostDefinition: Virus Definition and Other Update Servers
- BB:HostDefinition: Web Servers
- BB:HostDefinition: Windows Servers
- BB:HostReference: Database Servers
- BB:HostReference: DHCP Servers
- BB:HostReference: DNS Servers
- BB:HostReference: FTP Servers
- BB:HostReference: LDAP Servers
- BB:HostReference: Mail Servers
- BB:HostReference: Proxy Servers
- BB:HostReference: SSH Servers
- BB:HostReference: Web Servers
- BB:HostReference: Windows Servers
- BB:NetworkDefinition: Honeypot like Addresses
- BB:PortDefinition: Database Ports
- BB:PortDefinition: DHCP Ports
- BB:PortDefinition: DNS Ports
- BB:PortDefinition: FTP Ports
- BB:PortDefinition: Game Server Ports
- BB:PortDefinition: IM Ports
- BB:PortDefinition: IRC Ports
- BB:PortDefinition: LDAP Ports
- BB:PortDefinition: P2P Ports
- BB:PortDefinition: Proxy Ports
- BB:PortDefinition: RPC Ports
- BB:PortDefinition: SNMP Ports
- BB:PortDefinition: SSH Ports
- BB:PortDefinition: Windows Ports
- BB:ProtocolDefinition: Windows Protocols
- BB:Threats: Port Scans: Host Scans
- BB:Threats: Port Scans: UDP Port Scan
- BB:Threats: Scanning: Empty Responsive Flows High
- BB:Threats: Scanning: Empty Responsive Flows Low
- BB:Threats: Scanning: Empty Responsive Flows Medium
- BB:Threats: Scanning: ICMP Scan High
- BB:Threats: Scanning: ICMP Scan Low
- BB:Threats: Scanning: ICMP Scan Medium
- BB:Threats: Scanning: Potential Scan
- BB:Threats: Scanning: Scan High
- BB:Threats: Scanning: Scan Low
- BB:Threats: Scanning: Scan Medium
- BB:Threats: Suspicious IP Protocol Usage: Illegal TCP Flag Combination
- BB:Threats: Suspicious IP Protocol Usage: Large DNS Packets
- BB:Threats: Suspicious IP Protocol Usage: Large ICMP Packets
- BB:Threats: Suspicious IP Protocol Usage: Long Duration Outbound Flow
- BB:Threats: Suspicious IP Protocol Usage: Suspicious ICMP Type Code
- BB:Threats: Suspicious IP Protocol Usage: TCP or UDP Port 0
- BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Flows
- BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Replys
- BB:Threats: Suspicious IP Protocol Usage: Zero Payload Bidirectional Flows
- BB:Threats: Suspicious IP Protocol Usage:Unidirectional TCP Flows
- BB:Threats: Suspicious IP Protocol Usage:Unidirectional UDP and Misc Flows
- Local L2L Database Scanner
- Local L2L FTP Scanner
- Local L2L IRC Server Scanner
- Local L2L LDAP Server Scanner
- Local L2L SSH Server Scanner
- Local L2L Suspicious Probe Events Detected
- Local L2R Database Scanner
- Local L2R FTP Scanner
- Local L2R IRC Server Scanner
- Local L2R LDAP Server Scanner
- Local L2R RPC Server Scanner
- Local L2R SSH Server Scanner
- Remote Database Scanner
- Remote FTP Scanner
- Remote IRC Server Scanner
- Remote LDAP Server Scanner
- Remote Proxy Server Scanner
- Remote RPC Server Scanner
- Remote SSH Server Scanner
- Remote Windows Server Scanner
IBM Security QRadar Reconnaissance Content Extension 1.0.2
The following table shows the building blocks that are updated in IBM Security QRadar Reconnaissance Content Extension 1.0.2.
| Name | Description |
|---|---|
| BB:HostDefinition: Proxy Servers | Added BB:PortDefinition: Proxy Ports to the rule test. |
| BB:Threats: Suspicious IP Protocol Usage: Illegal TCP Flag Combination | Removed rule condition: "and when the flow type is one of these flow types." |
| BB:Threats: Suspicious IP Protocol Usage: Suspicious ICMP Type Code | Removed rule condition: "and when the flow type is one of these flow types." |
| BB:Threats: Suspicious IP Protocol Usage: TCP or UDP Port 0 | Removed rule condition: "and when the flow type is one of these flow types." |
| BB:CategoryDefinition: Unidirectional Flow SRC | |
| BB:Flowshape: Outbound Only | Matches flows that are outbound only. |
| BB:CategoryDefinition: Recon Event Categories | Edit this building block to include all events that indicate reconnaissance activity. |
| BB:CategoryDefinition: Suspicious Event Categories | Edit this building block to include all events that indicate suspicious activity. |
| BB:Threats: Scanning: ICMP Scan Low | Identifies a low level of ICMP reconnaissance. |
| BB:Threats: Suspicious IP Protocol Usage: Zero Payload Bidirectional Flows | Identifies bidirectional traffic that doesn't include payload. |
| BB:Threats: Scanning: Scan High | Identifies a high level of potential reconnaissance. |
| BB:CategoryDefinition: Unidirectional Flow | |
| BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Replys | Identifies traffic where ICMP replies are seen with no request. |
| BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Flows | Identifies unidirectional ICMP flows. |
| BB:Flowshape: Inbound Only | Matches flows that are inbound only. |
| BB:NetworkDefinition: Honeypot like Addresses | Edit this building block by replacing the other network with the network objects defined in
your network hierarchy that aren’t currently used in your network or that are used in a honeypot or
tarpit installation. After these are defined, you must enable the Anomaly: Potential Honeypot Access rule. To generate events based on attempted access, you must also add a security/policy sentry to these network objects. |
| BB:CategoryDefinition: Recon Flows | Edit this building block to include all events that indicate suspicious activity. |
| BB:Threats: Port Scans: UDP Port Scan | Identifies UDP based port scans. |
| BB:Threats: Scanning: ICMP Scan Medium | Identifies a medium level of ICMP reconnaissance. |
| BB:Threats: Scanning: Empty Responsive Flows Low | Detects potential reconnaissance activity where the source packet count is greater than 500. |
| BB:CategoryDefinition: Suspicious Flows | Edit this building block to include all events that indicate suspicious activity. |
| BB:CategoryDefinition: Suspicious Events | Edit this building block to include all events that indicate suspicious activity. |
| BB:Threats: Suspicious IP Protocol Usage: Long Duration Outbound Flow | Identifies flows that have been active for more than 48 hours. |
| BB:Threats: Scanning: Empty Responsive Flows Medium | Detects potential reconnaissance activity where the source packet count is greater than 5,000. |
| BB:Threats: Suspicious IP Protocol Usage: Large ICMP Packets | Identifies flows with abnormally large ICMP packets. |
| BB:Threats: Scanning: ICMP Scan High | Identifies a high level of ICMP reconnaissance. |
| BB:Threats: Port Scans: Host Scans | Identifies potential reconnaissance by flows. |
| BB:Threats: Scanning: Scan Medium | Identifies a medium level of potential reconnaissance. |
| BB:Threats: Scanning: Scan Low | Identifies a low level of potential reconnaissance. |
| BB:CategoryDefinition: Recon Events | Edit this building block to include all events that indicate reconnaissance activity. |
| BB:Threats: Scanning: Potential Scan | Identifies potential reconnaissance by flows. |
| BB:CategoryDefinition: Unidirectional Flow DST | |
| BB:Threats: Suspicious IP Protocol Usage:Unidirectional TCP Flows | Identifies unidirectional TCP flows. |
| BB:Threats: Scanning: Empty Responsive Flows High | Detects potential reconnaissance activity where the source packet count is greater than 100,000. |
| BB:Threats: Suspicious IP Protocol Usage: Large DNS Packets | Identifies flows with abnormally large DNS packets. |
| BB:Threats: Suspicious IP Protocol Usage:Unidirectional UDP and Misc Flows | Identifies unidirectional UDP and other miscellaneous flows. |
| BB:Suspicious: Remote: Unidirectional UDP or Misc Flows | Detects an excessive number of unidirectional UDP and miscellaneous flows that are from a single source. |
| BB:Suspicious: Local: Unidirectional UDP or Misc Flows | Detects an excessive number of unidirectional UDP and miscellaneous flows that are from a single source. |
IBM Security QRadar Reconnaissance Content Extension 1.0.0
The following reference sets were added in IBM Security QRadar Reconnaissance Content Extension 1.0.0.
- Database Servers
- DHCP Servers
- DNS Servers
- FTP Servers
- LDAP Servers
- Mail Servers
- Proxy Servers
- SSH Servers
- Web Servers
- Windows Servers
The following rules building blocks were added in IBM Security QRadar Reconnaissance Content Extension 1.0.0.
| Type | Name | Description |
|---|---|---|
| Building Block | BB:CategoryDefinition: Recon Event Categories | Edit this building block to include all events that indicate reconnaissance activity. |
| Building Block | BB:CategoryDefinition: Recon Events | Edit this building block to include all events that indicate reconnaissance activity. |
| Building Block | BB:CategoryDefinition: Recon Flows | Edit this building block to include all events that indicate suspicious activity. |
| Building Block | BB:CategoryDefinition: Suspicious Event Categories | Edit this building block to include all events that indicate suspicious activity. |
| Building Block | BB:CategoryDefinition: Suspicious Events | Edit this building block to include all events that indicate suspicious activity. |
| Building Block | BB:CategoryDefinition: Suspicious Flows | Edit this building block to include all events that indicate suspicious activity. |
| Building Block | BB:CategoryDefinition: Unidirectional Flow | |
| Building Block | BB:CategoryDefinition: Unidirectional Flow DST | |
| Building Block | BB:CategoryDefinition: Unidirectional Flow SRC | |
| Building Block | BB:Flowshape: Inbound Only | Matches flows that are inbound only. |
| Building Block | BB:Flowshape: Outbound Only | Macthes flows that are outbound only. |
| Building Block | BB:HostDefinition: Database Servers | Edit this building block to define typical database servers. This building block is used in conjunction with the BB:FalsePositive: Database Server False Positive Categories and BB:FalsePositive: Database Server False Positive Events building blocks. |
| Building Block | BB:HostDefinition: DHCP Servers | Edit this building block to define typical DHCP servers. This building block is used in conjunction with the BB:False Positive: DHCP Server False Positives Categories and BB:FalsePositve: DHCP Server False Positive Events building blocks. |
| Building Block | BB:HostDefinition: DNS Servers | Edit this building block to define typical DNS servers. This building block is used in conjunction with the BB:FalsePositive: DNS Server False Positives Categories and BB:FalsePositve: DNS Server False Positive Events building blocks. |
| Building Block | BB:HostDefinition: FTP Servers | Edit this building block to define typical FTP servers. This building block is used in conjunction with the BB:False Positive: FTP Server False Positives Categories and BB:FalsePositve: FTP Server False Positive Events building blocks. |
| Building Block | BB:HostDefinition: LDAP Servers | Edit this building block to define typical LDAP servers. This building block is used in conjunction with the BB:False Positive: LDAP Server False Positives Categories and BB:FalsePositve: LDAP Server False Positive Events building blocks. |
| Building Block | BB:HostDefinition: Mail Servers | Edit this building block to define typical mail servers. This building block is used in conjunction with the BB:False Positive: Mail Server False Positives Categories and BB:FalsePositve: Mail Server False Positive Events building blocks. |
| Building Block | BB:HostDefinition: Network Management Servers | Edit this building block to define typical network management servers. |
| Building Block | BB:HostDefinition: Proxy Servers | Edit this building block to define typical proxy servers. This building block is used in conjunction with the BB:False Positive: Proxy Server False Positives Categories and BB:FalsePositve: Proxy Server False Positive Events building blocks. |
| Building Block | BB:HostDefinition: RPC Servers | Edit this building block to define typical RPC servers. This building block is used in conjunction with the BB:False Positive: RPC Server False Positives Categories and BB:FalsePositve: RPC Server False Positive Events building blocks. |
| Building Block | BB:HostDefinition: Servers | Edit this building block to define generic servers. |
| Building Block | BB:HostDefinition: SNMP Sender or Receiver | Edit this building block to define SNMP senders or receivers. This building block is used in conjunction with the BB:PortDefinition: SNMP Ports building block. |
| Building Block | BB:HostDefinition: SSH Servers | Edit this building block to define typical SSH servers. This building block is used in conjunction with the BB:False Positive: SSH Server False Positives Categories and BB:FalsePositve: SSH Server False Positive Events building blocks. |
| Building Block | BB:HostDefinition: Virus Definition and Other Update Servers | Edit this building block to include all servers that include virus protection and update functions. |
| Building Block | BB:HostDefinition: Web Servers | Edit this building block to define typical web servers. This building block is used in conjunction with the BB:False Positive: Web Server False Positives Categories and BB:FalsePositve: Web Server False Positive Events building blocks. |
| Building Block | BB:HostDefinition: Windows Servers | Edit this building block to define typical Windows servers, such as domain controllers or exchange servers. This building block is used in conjunction with the BB:False Positive: Windows Server False Positives Categories and BB:FalsePositve: Windows Server False Positive Events building blocks. |
| Building Block | BB:HostReference: Database Servers | |
| Building Block | BB:HostReference: DHCP Servers | |
| Building Block | BB:HostReference: DNS Servers | |
| Building Block | BB:HostReference: FTP Servers | |
| Building Block | BB:HostReference: LDAP Servers | |
| Building Block | BB:HostReference: Mail Servers | |
| Building Block | BB:HostReference: Proxy Servers | |
| Building Block | BB:HostReference: SSH Servers | |
| Building Block | BB:HostReference: Web Servers | |
| Building Block | BB:HostReference: Windows Servers | |
| Building Block | BB:NetworkDefinition: Honeypot like Addresses | Edit this building block by replace the other network with network objects defined in your network hierarchy that are currently not in use in your network or are used in a honeypot or tarpit installation. Once these have been defined, you must enable the Anomaly: Potential Honeypot Access rule. You must also add a security/policy sentry to these network objects to generate events based on attempted access |
| Building Block | BB:PortDefinition: Database Ports | Edit this building block to include all common database ports. |
| Building Block | BB:PortDefinition: DHCP Ports | Edit this building block to include all common DHCP ports. |
| Building Block | BB:PortDefinition: DNS Ports | Edit this building block to include all common DNS ports. |
| Building Block | BB:PortDefinition: FTP Ports | Edit this building block to include all common FTP ports. |
| Building Block | BB:PortDefinition: Game Server Ports | Edit this building block to include all common game server ports. |
| Building Block | BB:PortDefinition: IM Ports | Edit this building block to include all common IM ports. |
| Building Block | BB:PortDefinition: IRC Ports | Edit this building block to include all common IRC ports. |
| Building Block | BB:PortDefinition: LDAP Ports | Edit this building block to include all common ports used by LDAP servers. |
| Building Block | BB:PortDefinition: Mail Ports | Edit this building block to include all common ports used by mail servers. |
| Building Block | BB:PortDefinition: P2P Ports | Edit this building block to include all common ports used by Peer-to-Peer (P2P) servers. |
| Building Block | BB:PortDefinition: Proxy Ports | Edit this building block to include all common ports used by proxy servers. |
| Building Block | BB:PortDefinition: RPC Ports | Edit this building block to include all common ports used by RPC servers. |
| Building Block | BB:PortDefinition: SNMP Ports | Edit this building block to include all common ports used by SNMP senders or receivers. |
| Building Block | BB:PortDefinition: SSH Ports | Edit this building block to include all common ports used by SSH servers. |
| Building Block | BB:PortDefinition: Web Ports | Edit this building block to include all common ports used by Web servers. |
| Building Block | BB:PortDefinition: Windows Ports | Edit this building block to include all common ports used by Windows servers. |
| Building Block | BB:ProtocolDefinition: Windows Protocols | Edit this building block to include all common protocols (not including TCP) used by Windows servers that will be ignored for false positive tuning rules. |
| Building Block | BB:ReconDetected: Devices That Merge Recon into Single Events | Edit this building block to include all devices that accumulate reconnaissance across multiple hosts or ports into a single event. This rule forces these events to become offenses. |
| Building Block | BB:Suspicious: Local: Unidirectional UDP or Misc Flows | Detects an excessive number of unidirectional UDP and miscellaneous flows from a single source. |
| Building Block | BB:Suspicious: Remote: Unidirectional UDP or Misc Flows | Detects an excessive number of unidirectional UDP and miscellaneous flows from a single source. |
| Building Block | BB:Threats: Port Scans: Host Scans | Identifies potential reconnaissance by flows. |
| Building Block | BB:Threats: Port Scans: UDP Port Scan | Identifies UDP based port scans. |
| Building Block | BB:Threats: Scanning: Empty Responsive Flows High | Detects potential reconnaissance activity where the source packet count is greater than 100,000. |
| Building Block | BB:Threats: Scanning: Empty Responsive Flows Low | Detects potential reconnaissance activity where the source packet count is greater than 500. |
| Building Block | BB:Threats: Scanning: Empty Responsive Flows Medium | Detects potential reconnaissance activity where the source packet count is greater than 5,000. |
| Building Block | BB:Threats: Scanning: ICMP Scan High | Identifies a high level of ICMP reconnaissance. |
| Building Block | BB:Threats: Scanning: ICMP Scan Low | Identifies a low level of ICMP reconnaissance. |
| Building Block | BB:Threats: Scanning: ICMP Scan Medium | Identifies a medium level of ICMP reconnaissance. |
| Building Block | BB:Threats: Scanning: Potential Scan | Identifies potential reconnaissance by flows. |
| Building Block | BB:Threats: Scanning: Scan High | Identifies a high level of potential reconnaissance. |
| Building Block | BB:Threats: Scanning: Scan Low | Identifies a low level of potential reconnaissance. |
| Building Block | BB:Threats: Scanning: Scan Medium | Identifies a medium level of potential reconnaissance. |
| Building Block | BB:Threats: Suspicious IP Protocol Usage: Illegal TCP Flag Combination | Identifies flows that have an illegal TCP flag combination. |
| Building Block | BB:Threats: Suspicious IP Protocol Usage: Large DNS Packets | Identifies flows with abnormaly large DNS packets |
| Building Block | BB:Threats: Suspicious IP Protocol Usage: Large ICMP Packets | Identifies flows with abnormaly large ICMP packets |
| Building Block | BB:Threats: Suspicious IP Protocol Usage: Long Duration Outbound Flow | Identifies flows that have been active for more than 48 hours |
| Building Block | BB:Threats: Suspicious IP Protocol Usage: Suspicious ICMP Type Code | Identifies ICMP flows with suspicious ICMP type codes. |
| Building Block | BB:Threats: Suspicious IP Protocol Usage: TCP or UDP Port 0 | Identifies suspicious flows using port 0. |
| Building Block | BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Flows | Identifies unidirectional ICMP flows. |
| Building Block | BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Replys | Identifies traffic where ICMP replies are seen with no request. |
| Building Block | BB:Threats: Suspicious IP Protocol Usage: Zero Payload Bidirectional Flows | Identifies bidirectional traffic that doesn't include payload. |
| Building Block | BB:Threats: Suspicious IP Protocol Usage:Unidirectional TCP Flows | Identifies unidirectional TCP flows. |
| Building Block | BB:Threats: Suspicious IP Protocol Usage:Unidirectional UDP and Misc Flows | Identifies unidirectional UDP and other miscellaneous flows. |
| Rule | Local L2L Database Scanner | Reports a scan from a local host against other local targets. At least 30 hosts were scanned in 10 minutes. |
| Rule | Local L2L DHCP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common DHCP ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2L DNS Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common DNS ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2L FTP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common FTP ports to more than 30 hosts in 10 minutes. |
| Rule | Local L2L Game Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common game server ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2L ICMP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common ICMP ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2L IM Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common IM server ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2L IRC Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common IRC server ports to more than 10 hosts in 10 minutes. |
| Rule | Local L2L LDAP Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common LDAP ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2L Mail Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common mail server ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2L P2P Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common Peer-to-Peer (P2P) server ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2L Proxy Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common proxy server ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2L RPC Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common RPC server ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2L SNMP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common SNMP server ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2L SSH Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common SSH ports to more than 30 hosts in 10 minutes. |
| Rule | Local L2L Suspicious Probe Events Detected | Reports when various suspicious or reconnaissance events have been detected from the same local source IP address to more than 5 destination IP address in 4 minutes. This can indicate various forms of host probing, such as Nmap reconnaissance, which attempts to identify the services and operation systems of the target. |
| Rule | Local L2L TCP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common TCP ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2L UDP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common UDP ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2L Web Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common local web server ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2L Windows Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common Windows server ports to more than 200 hosts in 20 minutes. This can be false positive prone for busy windows servers. |
| Rule | Local L2R Database Scanner | Reports a scan from a local host against other remote targets. At least 30 hosts were scanned in 10 minutes. |
| Rule | Local L2R DHCP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common DHCP ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2R DNS Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common DNS ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2R FTP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common FTP ports to more than 30 hosts in 10 minutes. |
| Rule | Local L2R Game Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common game server ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2R ICMP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common ICMP ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2R IM Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common IM server ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2R IRC Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common IRC server ports to more than 10 hosts in 10 minutes. |
| Rule | Local L2R LDAP Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common LDAP ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2R Mail Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common mail server ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2R P2P Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common Peer-to-Peer (P2P) server ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2R Proxy Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common proxy server ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2R RPC Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common RPC server ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2R SNMP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common SNMP server ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2R SSH Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common SSH ports to more than 30 hosts in 10 minutes. |
| Rule | Local L2R Suspicious Probe Events Detected | Reports when various suspicious or reconnaissance events have been detected from the same local source IP address to more than 5 destination IP address in 4 minutes. This can indicate various forms of host probing, such as Nmap reconnaissance, which attempts to identify the services and operation systems of the target. |
| Rule | Local L2R TCP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common TCP ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2R UDP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common UDP ports to more than 60 hosts in 10 minutes. |
| Rule | Local L2R Web Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common remote web server ports to more than 400 hosts in 10 minutes. |
| Rule | Local Windows Scanner to Internet | Reports a source IP address attempting reconnaissance or suspicious connections on common Windows server ports to more than 60 hosts in 20 minutes. This is classic worm behavior. |
| Rule | Remote Database Scanner | Reports a scan from a remote host against other local or remote targets. At least 30 hosts were scanned in 10 minutes. |
| Rule | Remote DHCP Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common DHCP ports to more than 30 hosts in 10 minutes. |
| Rule | Remote DNS Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common DNS ports to more than 60 hosts in 10 minutes. |
| Rule | Remote FTP Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common FTP ports to more than 30 hosts in 10 minutes. |
| Rule | Remote Game Server Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common game server ports to more than 30 hosts in 10 minutes. |
| Rule | Remote ICMP Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common ICMP ports to more than 60 hosts in 10 minutes. |
| Rule | Remote IM Server Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common IM server ports to more than 60 hosts in 10 minutes. |
| Rule | Remote IRC Server Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common IRC server ports to more than 10 hosts in 10 minutes. |
| Rule | Remote LDAP Server Scanner | Reports a scan from a remote host against other local or remote targets. At least 30 hosts were scanned in 10 minutes. |
| Rule | Remote Mail Server Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common mail server ports to more than 30 hosts in 10 minutes. |
| Rule | Remote P2P Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common Peer-to-Peer (P2P) server ports to more than 60 hosts in 10 minutes. |
| Rule | Remote Proxy Server Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common proxy server ports to more than 30 hosts in 10 minutes. |
| Rule | Remote RPC Server Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common RPC server ports to more than 30 hosts in 10 minutes. |
| Rule | Remote SNMP Scanner | Reports scans from a remote host against local or remote targets. At least 30 hosts were scanned in 10 minutes. |
| Rule | Remote SSH Server Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common SSH ports to more than 30 hosts in 10 minutes. |
| Rule | Remote Suspicious Probe Events Detected | Reports various suspicious or reconnaissance events from the same remote source IP address to more then 5 destination IP addresses in 4 minutes. This may indicate various forms of host probing, such as Nmap reconnaissance that attempts to identify the services and operating system of the targets. |
| Rule | Remote TCP Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common TCP ports to more than 60 hosts in 10 minutes. |
| Rule | Remote UDP Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common UDP ports to more than 60 hosts in 10 minutes. |
| Rule | Remote Web Server Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common local web server ports to more than 60 hosts in 10 minutes. |
| Rule | Remote Windows Server Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common Windows server ports to more than 60 hosts in 10 minutes. |
| Rule | Single Merged Recon Events Local Scanner | Reports merged reconnaissance events generated by some devices. This rule causes all these events to create an offense. All devices of this type and their categories should be added to the BB:ReconDetected: Devices which Merge Recon into Single Events building block. |
| Rule | Single Merged Recon Events Remote Scanner | Reports merged reconnaissance events generated by some devices. All devices of this type and their categories should be added to the BB:ReconDetected: Devices which Merge Recon into Single Events building block. |