Reconnaissance

Use the IBM Security QRadar Reconnaissance Content Extension to focus on reconnaissance events and their detection.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar Reconnaissance Content Extension 1.0.3

The following table shows the rules and building blocks that are updated in IBM Security QRadar Reconnaissance Content Extension 1.0.3.

Table 1. Rules and Building Blocks updated in IBM Security QRadar Reconnaissance Content Extension 1.0.3

Name | Description
BB:ReconDetected: Devices That Merge Recon into Single Events | Changed the last condition to "and when an event matches any of the following BB:DeviceDefinition: IDS / IPS" from "and when the event(s) were detected by one or more of the TippingPoint Intrusion Prevention System (IPS)".
Remote ICMP Scanner | Removed rule condition: "and NOT when a flow or an event matches any of the following Remote Database Scanner, Remote DHCP Scanner, Remote FTP Scanner, Remote Game Server Scanner, Remote IM Server Scanner, Remote IRC Server Scanner, Remote LDAP Server Scanner, Remote Mail Server Scanner, Remote P2P Scanner, Remote Proxy Server Scanner, Remote RPC Server Scanner, Remote SNMP Scanner, Remote SSH Server Scanner, Remote Web Server Scanner, Remote Windows Server Scanner".

The following rules and building blocks are removed in IBM Security QRadar Reconnaissance Content Extension 1.0.3 because they are now included in IBM Security QRadar by default.

  • BB:CategoryDefinition: Recon Event Categories
  • BB:CategoryDefinition: Recon Events
  • BB:CategoryDefinition: Recon Flows
  • BB:CategoryDefinition: Suspicious Event Categories
  • BB:CategoryDefinition: Suspicious Events
  • BB:CategoryDefinition: Suspicious Flows
  • BB:CategoryDefinition: Unidirectional Flow
  • BB:CategoryDefinition: Unidirectional Flow DST
  • BB:CategoryDefinition: Unidirectional Flow SRC
  • BB:Flowshape: Inbound Only
  • BB:Flowshape: Outbound Only
  • BB:HostDefinition: Database Servers
  • BB:HostDefinition: DHCP Servers
  • BB:HostDefinition: DNS Servers
  • BB:HostDefinition: FTP Servers
  • BB:HostDefinition: LDAP Servers
  • BB:HostDefinition: Mail Servers
  • BB:HostDefinition: Network Management Servers
  • BB:HostDefinition: Proxy Servers
  • BB:HostDefinition: RPC Servers
  • BB:HostDefinition: Servers
  • BB:HostDefinition: SNMP Sender or Receiver
  • BB:HostDefinition: SSH Servers
  • BB:HostDefinition: Virus Definition and Other Update Servers
  • BB:HostDefinition: Web Servers
  • BB:HostDefinition: Windows Servers
  • BB:HostReference: Database Servers
  • BB:HostReference: DHCP Servers
  • BB:HostReference: DNS Servers
  • BB:HostReference: FTP Servers
  • BB:HostReference: LDAP Servers
  • BB:HostReference: Mail Servers
  • BB:HostReference: Proxy Servers
  • BB:HostReference: SSH Servers
  • BB:HostReference: Web Servers
  • BB:HostReference: Windows Servers
  • BB:NetworkDefinition: Honeypot like Addresses
  • BB:PortDefinition: Database Ports
  • BB:PortDefinition: DHCP Ports
  • BB:PortDefinition: DNS Ports
  • BB:PortDefinition: FTP Ports
  • BB:PortDefinition: Game Server Ports
  • BB:PortDefinition: IM Ports
  • BB:PortDefinition: IRC Ports
  • BB:PortDefinition: LDAP Ports
  • BB:PortDefinition: P2P Ports
  • BB:PortDefinition: Proxy Ports
  • BB:PortDefinition: RPC Ports
  • BB:PortDefinition: SNMP Ports
  • BB:PortDefinition: SSH Ports
  • BB:PortDefinition: Windows Ports
  • BB:ProtocolDefinition: Windows Protocols
  • BB:Threats: Port Scans: Host Scans
  • BB:Threats: Port Scans: UDP Port Scan
  • BB:Threats: Scanning: Empty Responsive Flows High
  • BB:Threats: Scanning: Empty Responsive Flows Low
  • BB:Threats: Scanning: Empty Responsive Flows Medium
  • BB:Threats: Scanning: ICMP Scan High
  • BB:Threats: Scanning: ICMP Scan Low
  • BB:Threats: Scanning: ICMP Scan Medium
  • BB:Threats: Scanning: Potential Scan
  • BB:Threats: Scanning: Scan High
  • BB:Threats: Scanning: Scan Low
  • BB:Threats: Scanning: Scan Medium
  • BB:Threats: Suspicious IP Protocol Usage: Illegal TCP Flag Combination
  • BB:Threats: Suspicious IP Protocol Usage: Large DNS Packets
  • BB:Threats: Suspicious IP Protocol Usage: Large ICMP Packets
  • BB:Threats: Suspicious IP Protocol Usage: Long Duration Outbound Flow
  • BB:Threats: Suspicious IP Protocol Usage: Suspicious ICMP Type Code
  • BB:Threats: Suspicious IP Protocol Usage: TCP or UDP Port 0
  • BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Flows
  • BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Replys
  • BB:Threats: Suspicious IP Protocol Usage: Zero Payload Bidirectional Flows
  • BB:Threats: Suspicious IP Protocol Usage:Unidirectional TCP Flows
  • BB:Threats: Suspicious IP Protocol Usage:Unidirectional UDP and Misc Flows
  • Local L2L Database Scanner
  • Local L2L FTP Scanner
  • Local L2L IRC Server Scanner
  • Local L2L LDAP Server Scanner
  • Local L2L SSH Server Scanner
  • Local L2L Suspicious Probe Events Detected
  • Local L2R Database Scanner
  • Local L2R FTP Scanner
  • Local L2R IRC Server Scanner
  • Local L2R LDAP Server Scanner
  • Local L2R RPC Server Scanner
  • Local L2R SSH Server Scanner
  • Remote Database Scanner
  • Remote FTP Scanner
  • Remote IRC Server Scanner
  • Remote LDAP Server Scanner
  • Remote Proxy Server Scanner
  • Remote RPC Server Scanner
  • Remote SSH Server Scanner
  • Remote Windows Server Scanner


IBM Security QRadar Reconnaissance Content Extension 1.0.2

The following table shows the building blocks that are updated in IBM Security QRadar Reconnaissance Content Extension 1.0.2.

Table 2. Building Blocks in IBM Security QRadar Reconnaissance Content Extension 1.0.2

Name | Description
BB:HostDefinition: Proxy Servers | Added BB:PortDefinition: Proxy Ports to the rule test.
BB:Threats: Suspicious IP Protocol Usage: Illegal TCP Flag Combination | Removed rule condition: "and when the flow type is one of these flow types."
BB:Threats: Suspicious IP Protocol Usage: Suspicious ICMP Type Code | Removed rule condition: "and when the flow type is one of these flow types."
BB:Threats: Suspicious IP Protocol Usage: TCP or UDP Port 0 | Removed rule condition: "and when the flow type is one of these flow types."
BB:CategoryDefinition: Unidirectional Flow SRC |
BB:Flowshape: Outbound Only | Matches flows that are outbound only.
BB:CategoryDefinition: Recon Event Categories | Edit this building block to include all events that indicate reconnaissance activity.
BB:CategoryDefinition: Suspicious Event Categories | Edit this building block to include all events that indicate suspicious activity.
BB:Threats: Scanning: ICMP Scan Low | Identifies a low level of ICMP reconnaissance.
BB:Threats: Suspicious IP Protocol Usage: Zero Payload Bidirectional Flows | Identifies bidirectional traffic that doesn't include payload.
BB:Threats: Scanning: Scan High | Identifies a high level of potential reconnaissance.
BB:CategoryDefinition: Unidirectional Flow |
BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Replys | Identifies traffic where ICMP replies are seen with no request.
BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Flows | Identifies unidirectional ICMP flows.
BB:Flowshape: Inbound Only | Matches flows that are inbound only.
BB:NetworkDefinition: Honeypot like Addresses | Edit this building block by replacing the other network with the network objects defined in your network hierarchy that aren't currently used in your network or that are used in a honeypot or tarpit installation. After these are defined, you must enable the Anomaly: Potential Honeypot Access rule. To generate events based on attempted access, you must also add a security/policy sentry to these network objects.
BB:CategoryDefinition: Recon Flows | Edit this building block to include all events that indicate suspicious activity.
BB:Threats: Port Scans: UDP Port Scan | Identifies UDP based port scans.
BB:Threats: Scanning: ICMP Scan Medium | Identifies a medium level of ICMP reconnaissance.
BB:Threats: Scanning: Empty Responsive Flows Low | Detects potential reconnaissance activity where the source packet count is greater than 500.
BB:CategoryDefinition: Suspicious Flows | Edit this building block to include all events that indicate suspicious activity.
BB:CategoryDefinition: Suspicious Events | Edit this building block to include all events that indicate suspicious activity.
BB:Threats: Suspicious IP Protocol Usage: Long Duration Outbound Flow | Identifies flows that have been active for more than 48 hours.
BB:Threats: Scanning: Empty Responsive Flows Medium | Detects potential reconnaissance activity where the source packet count is greater than 5,000.
BB:Threats: Suspicious IP Protocol Usage: Large ICMP Packets | Identifies flows with abnormally large ICMP packets.
BB:Threats: Scanning: ICMP Scan High | Identifies a high level of ICMP reconnaissance.
BB:Threats: Port Scans: Host Scans | Identifies potential reconnaissance by flows.
BB:Threats: Scanning: Scan Medium | Identifies a medium level of potential reconnaissance.
BB:Threats: Scanning: Scan Low | Identifies a low level of potential reconnaissance.
BB:CategoryDefinition: Recon Events | Edit this building block to include all events that indicate reconnaissance activity.
BB:Threats: Scanning: Potential Scan | Identifies potential reconnaissance by flows.
BB:CategoryDefinition: Unidirectional Flow DST |
BB:Threats: Suspicious IP Protocol Usage:Unidirectional TCP Flows | Identifies unidirectional TCP flows.
BB:Threats: Scanning: Empty Responsive Flows High | Detects potential reconnaissance activity where the source packet count is greater than 100,000.
BB:Threats: Suspicious IP Protocol Usage: Large DNS Packets | Identifies flows with abnormally large DNS packets.
BB:Threats: Suspicious IP Protocol Usage:Unidirectional UDP and Misc Flows | Identifies unidirectional UDP and other miscellaneous flows.
BB:Suspicious: Remote: Unidirectional UDP or Misc Flows | Detects an excessive number of unidirectional UDP and miscellaneous flows that are from a single source.
BB:Suspicious: Local: Unidirectional UDP or Misc Flows | Detects an excessive number of unidirectional UDP and miscellaneous flows that are from a single source.


IBM Security QRadar Reconnaissance Content Extension 1.0.0

The following reference sets were added in IBM Security QRadar Reconnaissance Content Extension 1.0.0.

  • Database Servers
  • DHCP Servers
  • DNS Servers
  • FTP Servers
  • LDAP Servers
  • Mail Servers
  • Proxy Servers
  • SSH Servers
  • Web Servers
  • Windows Servers

The following rules and building blocks were added in IBM Security QRadar Reconnaissance Content Extension 1.0.0.

Table 3. Rules and building blocks in IBM Security QRadar Reconnaissance Content Extension 1.0.0

Type | Name | Description
Building Block | BB:CategoryDefinition: Recon Event Categories | Edit this building block to include all events that indicate reconnaissance activity.
Building Block | BB:CategoryDefinition: Recon Events | Edit this building block to include all events that indicate reconnaissance activity.
Building Block | BB:CategoryDefinition: Recon Flows | Edit this building block to include all events that indicate suspicious activity.
Building Block | BB:CategoryDefinition: Suspicious Event Categories | Edit this building block to include all events that indicate suspicious activity.
Building Block | BB:CategoryDefinition: Suspicious Events | Edit this building block to include all events that indicate suspicious activity.
Building Block | BB:CategoryDefinition: Suspicious Flows | Edit this building block to include all events that indicate suspicious activity.
Building Block | BB:CategoryDefinition: Unidirectional Flow |
Building Block | BB:CategoryDefinition: Unidirectional Flow DST |
Building Block | BB:CategoryDefinition: Unidirectional Flow SRC |
Building Block | BB:Flowshape: Inbound Only | Matches flows that are inbound only.
Building Block | BB:Flowshape: Outbound Only | Matches flows that are outbound only.
Building Block | BB:HostDefinition: Database Servers | Edit this building block to define typical database servers. This building block is used in conjunction with the BB:FalsePositive: Database Server False Positive Categories and BB:FalsePositive: Database Server False Positive Events building blocks.
Building Block | BB:HostDefinition: DHCP Servers | Edit this building block to define typical DHCP servers. This building block is used in conjunction with the BB:FalsePositive: DHCP Server False Positive Categories and BB:FalsePositive: DHCP Server False Positive Events building blocks.
Building Block | BB:HostDefinition: DNS Servers | Edit this building block to define typical DNS servers. This building block is used in conjunction with the BB:FalsePositive: DNS Server False Positive Categories and BB:FalsePositive: DNS Server False Positive Events building blocks.
Building Block | BB:HostDefinition: FTP Servers | Edit this building block to define typical FTP servers. This building block is used in conjunction with the BB:FalsePositive: FTP Server False Positive Categories and BB:FalsePositive: FTP Server False Positive Events building blocks.
Building Block | BB:HostDefinition: LDAP Servers | Edit this building block to define typical LDAP servers. This building block is used in conjunction with the BB:FalsePositive: LDAP Server False Positive Categories and BB:FalsePositive: LDAP Server False Positive Events building blocks.
Building Block | BB:HostDefinition: Mail Servers | Edit this building block to define typical mail servers. This building block is used in conjunction with the BB:FalsePositive: Mail Server False Positive Categories and BB:FalsePositive: Mail Server False Positive Events building blocks.
Building Block | BB:HostDefinition: Network Management Servers | Edit this building block to define typical network management servers.
Building Block | BB:HostDefinition: Proxy Servers | Edit this building block to define typical proxy servers. This building block is used in conjunction with the BB:FalsePositive: Proxy Server False Positive Categories and BB:FalsePositive: Proxy Server False Positive Events building blocks.
Building Block | BB:HostDefinition: RPC Servers | Edit this building block to define typical RPC servers. This building block is used in conjunction with the BB:FalsePositive: RPC Server False Positive Categories and BB:FalsePositive: RPC Server False Positive Events building blocks.
Building Block | BB:HostDefinition: Servers | Edit this building block to define generic servers.
Building Block | BB:HostDefinition: SNMP Sender or Receiver | Edit this building block to define SNMP senders or receivers. This building block is used in conjunction with the BB:PortDefinition: SNMP Ports building block.
Building Block | BB:HostDefinition: SSH Servers | Edit this building block to define typical SSH servers. This building block is used in conjunction with the BB:FalsePositive: SSH Server False Positive Categories and BB:FalsePositive: SSH Server False Positive Events building blocks.
Building Block | BB:HostDefinition: Virus Definition and Other Update Servers | Edit this building block to include all servers that provide virus protection and update functions.
Building Block | BB:HostDefinition: Web Servers | Edit this building block to define typical web servers. This building block is used in conjunction with the BB:FalsePositive: Web Server False Positive Categories and BB:FalsePositive: Web Server False Positive Events building blocks.
Building Block | BB:HostDefinition: Windows Servers | Edit this building block to define typical Windows servers, such as domain controllers or Exchange servers. This building block is used in conjunction with the BB:FalsePositive: Windows Server False Positive Categories and BB:FalsePositive: Windows Server False Positive Events building blocks.
Building Block | BB:HostReference: Database Servers |
Building Block | BB:HostReference: DHCP Servers |
Building Block | BB:HostReference: DNS Servers |
Building Block | BB:HostReference: FTP Servers |
Building Block | BB:HostReference: LDAP Servers |
Building Block | BB:HostReference: Mail Servers |
Building Block | BB:HostReference: Proxy Servers |
Building Block | BB:HostReference: SSH Servers |
Building Block | BB:HostReference: Web Servers |
Building Block | BB:HostReference: Windows Servers |
Building Block | BB:NetworkDefinition: Honeypot like Addresses | Edit this building block by replacing the other network with network objects defined in your network hierarchy that are currently not in use in your network or are used in a honeypot or tarpit installation. Once these have been defined, you must enable the Anomaly: Potential Honeypot Access rule. You must also add a security/policy sentry to these network objects to generate events based on attempted access.
Building Block | BB:PortDefinition: Database Ports | Edit this building block to include all common database ports.
Building Block | BB:PortDefinition: DHCP Ports | Edit this building block to include all common DHCP ports.
Building Block | BB:PortDefinition: DNS Ports | Edit this building block to include all common DNS ports.
Building Block | BB:PortDefinition: FTP Ports | Edit this building block to include all common FTP ports.
Building Block | BB:PortDefinition: Game Server Ports | Edit this building block to include all common game server ports.
Building Block | BB:PortDefinition: IM Ports | Edit this building block to include all common IM ports.
Building Block | BB:PortDefinition: IRC Ports | Edit this building block to include all common IRC ports.
Building Block | BB:PortDefinition: LDAP Ports | Edit this building block to include all common ports used by LDAP servers.
Building Block | BB:PortDefinition: Mail Ports | Edit this building block to include all common ports used by mail servers.
Building Block | BB:PortDefinition: P2P Ports | Edit this building block to include all common ports used by Peer-to-Peer (P2P) servers.
Building Block | BB:PortDefinition: Proxy Ports | Edit this building block to include all common ports used by proxy servers.
Building Block | BB:PortDefinition: RPC Ports | Edit this building block to include all common ports used by RPC servers.
Building Block | BB:PortDefinition: SNMP Ports | Edit this building block to include all common ports used by SNMP senders or receivers.
Building Block | BB:PortDefinition: SSH Ports | Edit this building block to include all common ports used by SSH servers.
Building Block | BB:PortDefinition: Web Ports | Edit this building block to include all common ports used by web servers.
Building Block | BB:PortDefinition: Windows Ports | Edit this building block to include all common ports used by Windows servers.
Building Block | BB:ProtocolDefinition: Windows Protocols | Edit this building block to include all common protocols (not including TCP) used by Windows servers that will be ignored for false positive tuning rules.
Building Block | BB:ReconDetected: Devices That Merge Recon into Single Events | Edit this building block to include all devices that accumulate reconnaissance across multiple hosts or ports into a single event. This rule forces these events to become offenses.
Building Block | BB:Suspicious: Local: Unidirectional UDP or Misc Flows | Detects an excessive number of unidirectional UDP and miscellaneous flows from a single source.
Building Block | BB:Suspicious: Remote: Unidirectional UDP or Misc Flows | Detects an excessive number of unidirectional UDP and miscellaneous flows from a single source.
Building Block | BB:Threats: Port Scans: Host Scans | Identifies potential reconnaissance by flows.
Building Block | BB:Threats: Port Scans: UDP Port Scan | Identifies UDP based port scans.
Building Block | BB:Threats: Scanning: Empty Responsive Flows High | Detects potential reconnaissance activity where the source packet count is greater than 100,000.
Building Block | BB:Threats: Scanning: Empty Responsive Flows Low | Detects potential reconnaissance activity where the source packet count is greater than 500.
Building Block | BB:Threats: Scanning: Empty Responsive Flows Medium | Detects potential reconnaissance activity where the source packet count is greater than 5,000.
Building Block | BB:Threats: Scanning: ICMP Scan High | Identifies a high level of ICMP reconnaissance.
Building Block | BB:Threats: Scanning: ICMP Scan Low | Identifies a low level of ICMP reconnaissance.
Building Block | BB:Threats: Scanning: ICMP Scan Medium | Identifies a medium level of ICMP reconnaissance.
Building Block | BB:Threats: Scanning: Potential Scan | Identifies potential reconnaissance by flows.
Building Block | BB:Threats: Scanning: Scan High | Identifies a high level of potential reconnaissance.
Building Block | BB:Threats: Scanning: Scan Low | Identifies a low level of potential reconnaissance.
Building Block | BB:Threats: Scanning: Scan Medium | Identifies a medium level of potential reconnaissance.
Building Block | BB:Threats: Suspicious IP Protocol Usage: Illegal TCP Flag Combination | Identifies flows that have an illegal TCP flag combination.
Building Block | BB:Threats: Suspicious IP Protocol Usage: Large DNS Packets | Identifies flows with abnormally large DNS packets.
Building Block | BB:Threats: Suspicious IP Protocol Usage: Large ICMP Packets | Identifies flows with abnormally large ICMP packets.
Building Block | BB:Threats: Suspicious IP Protocol Usage: Long Duration Outbound Flow | Identifies flows that have been active for more than 48 hours.
Building Block | BB:Threats: Suspicious IP Protocol Usage: Suspicious ICMP Type Code | Identifies ICMP flows with suspicious ICMP type codes.
Building Block | BB:Threats: Suspicious IP Protocol Usage: TCP or UDP Port 0 | Identifies suspicious flows using port 0.
Building Block | BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Flows | Identifies unidirectional ICMP flows.
Building Block | BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Replys | Identifies traffic where ICMP replies are seen with no request.
Building Block | BB:Threats: Suspicious IP Protocol Usage: Zero Payload Bidirectional Flows | Identifies bidirectional traffic that doesn't include payload.
Building Block | BB:Threats: Suspicious IP Protocol Usage:Unidirectional TCP Flows | Identifies unidirectional TCP flows.
Building Block | BB:Threats: Suspicious IP Protocol Usage:Unidirectional UDP and Misc Flows | Identifies unidirectional UDP and other miscellaneous flows.
Rule | Local L2L Database Scanner | Reports a scan from a local host against other local targets. At least 30 hosts were scanned in 10 minutes.
Rule | Local L2L DHCP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common DHCP ports to more than 60 hosts in 10 minutes.
Rule | Local L2L DNS Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common DNS ports to more than 60 hosts in 10 minutes.
Rule | Local L2L FTP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common FTP ports to more than 30 hosts in 10 minutes.
Rule | Local L2L Game Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common game server ports to more than 60 hosts in 10 minutes.
Rule | Local L2L ICMP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common ICMP ports to more than 60 hosts in 10 minutes.
Rule | Local L2L IM Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common IM server ports to more than 60 hosts in 10 minutes.
Rule | Local L2L IRC Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common IRC server ports to more than 10 hosts in 10 minutes.
Rule | Local L2L LDAP Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common LDAP ports to more than 60 hosts in 10 minutes.
Rule | Local L2L Mail Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common mail server ports to more than 60 hosts in 10 minutes.
Rule | Local L2L P2P Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common Peer-to-Peer (P2P) server ports to more than 60 hosts in 10 minutes.
Rule | Local L2L Proxy Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common proxy server ports to more than 60 hosts in 10 minutes.
Rule | Local L2L RPC Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common RPC server ports to more than 60 hosts in 10 minutes.
Rule | Local L2L SNMP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common SNMP server ports to more than 60 hosts in 10 minutes.
Rule | Local L2L SSH Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common SSH ports to more than 30 hosts in 10 minutes.
Rule | Local L2L Suspicious Probe Events Detected | Reports when various suspicious or reconnaissance events have been detected from the same local source IP address to more than 5 destination IP addresses in 4 minutes. This can indicate various forms of host probing, such as Nmap reconnaissance, which attempts to identify the services and operating systems of the target.
Rule | Local L2L TCP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common TCP ports to more than 60 hosts in 10 minutes.
Rule | Local L2L UDP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common UDP ports to more than 60 hosts in 10 minutes.
Rule | Local L2L Web Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common local web server ports to more than 60 hosts in 10 minutes.
Rule | Local L2L Windows Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common Windows server ports to more than 200 hosts in 20 minutes. This can be false positive prone for busy Windows servers.
Rule | Local L2R Database Scanner | Reports a scan from a local host against other remote targets. At least 30 hosts were scanned in 10 minutes.
Rule | Local L2R DHCP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common DHCP ports to more than 60 hosts in 10 minutes.
Rule | Local L2R DNS Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common DNS ports to more than 60 hosts in 10 minutes.
Rule | Local L2R FTP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common FTP ports to more than 30 hosts in 10 minutes.
Rule | Local L2R Game Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common game server ports to more than 60 hosts in 10 minutes.
Rule | Local L2R ICMP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common ICMP ports to more than 60 hosts in 10 minutes.
Rule | Local L2R IM Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common IM server ports to more than 60 hosts in 10 minutes.
Rule | Local L2R IRC Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common IRC server ports to more than 10 hosts in 10 minutes.
Rule | Local L2R LDAP Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common LDAP ports to more than 60 hosts in 10 minutes.
Rule | Local L2R Mail Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common mail server ports to more than 60 hosts in 10 minutes.
Rule | Local L2R P2P Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common Peer-to-Peer (P2P) server ports to more than 60 hosts in 10 minutes.
Rule | Local L2R Proxy Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common proxy server ports to more than 60 hosts in 10 minutes.
Rule | Local L2R RPC Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common RPC server ports to more than 60 hosts in 10 minutes.
Rule | Local L2R SNMP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common SNMP server ports to more than 60 hosts in 10 minutes.
Rule | Local L2R SSH Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common SSH ports to more than 30 hosts in 10 minutes.
Rule | Local L2R Suspicious Probe Events Detected | Reports when various suspicious or reconnaissance events have been detected from the same local source IP address to more than 5 destination IP addresses in 4 minutes. This can indicate various forms of host probing, such as Nmap reconnaissance, which attempts to identify the services and operating systems of the target.
Rule | Local L2R TCP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common TCP ports to more than 60 hosts in 10 minutes.
Rule | Local L2R UDP Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common UDP ports to more than 60 hosts in 10 minutes.
Rule | Local L2R Web Server Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common remote web server ports to more than 400 hosts in 10 minutes.
Rule | Local Windows Scanner to Internet | Reports a source IP address attempting reconnaissance or suspicious connections on common Windows server ports to more than 60 hosts in 20 minutes. This is classic worm behavior.
Rule | Remote Database Scanner | Reports a scan from a remote host against other local or remote targets. At least 30 hosts were scanned in 10 minutes.
Rule | Remote DHCP Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common DHCP ports to more than 30 hosts in 10 minutes.
Rule | Remote DNS Scanner | Reports a source IP address attempting reconnaissance or suspicious connections on common DNS ports to more than 60 hosts in 10 minutes.
Rule | Remote FTP Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common FTP ports to more than 30 hosts in 10 minutes.
Rule | Remote Game Server Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common game server ports to more than 30 hosts in 10 minutes.
Rule | Remote ICMP Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common ICMP ports to more than 60 hosts in 10 minutes.
Rule | Remote IM Server Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common IM server ports to more than 60 hosts in 10 minutes.
Rule | Remote IRC Server Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common IRC server ports to more than 10 hosts in 10 minutes.
Rule | Remote LDAP Server Scanner | Reports a scan from a remote host against other local or remote targets. At least 30 hosts were scanned in 10 minutes.
Rule | Remote Mail Server Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common mail server ports to more than 30 hosts in 10 minutes.
Rule | Remote P2P Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common Peer-to-Peer (P2P) server ports to more than 60 hosts in 10 minutes.
Rule | Remote Proxy Server Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common proxy server ports to more than 30 hosts in 10 minutes.
Rule | Remote RPC Server Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common RPC server ports to more than 30 hosts in 10 minutes.
Rule | Remote SNMP Scanner | Reports scans from a remote host against local or remote targets. At least 30 hosts were scanned in 10 minutes.
Rule | Remote SSH Server Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common SSH ports to more than 30 hosts in 10 minutes.
Rule | Remote Suspicious Probe Events Detected | Reports various suspicious or reconnaissance events from the same remote source IP address to more than 5 destination IP addresses in 4 minutes. This may indicate various forms of host probing, such as Nmap reconnaissance that attempts to identify the services and operating system of the targets.
Rule | Remote TCP Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common TCP ports to more than 60 hosts in 10 minutes.
Rule | Remote UDP Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common UDP ports to more than 60 hosts in 10 minutes.
Rule | Remote Web Server Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common local web server ports to more than 60 hosts in 10 minutes.
Rule | Remote Windows Server Scanner | Reports a remote host attempting reconnaissance or suspicious connections on common Windows server ports to more than 60 hosts in 10 minutes.
Rule | Single Merged Recon Events Local Scanner | Reports merged reconnaissance events generated by some devices. This rule causes all these events to create an offense. All devices of this type and their categories should be added to the BB:ReconDetected: Devices which Merge Recon into Single Events building block.
Rule | Single Merged Recon Events Remote Scanner | Reports merged reconnaissance events generated by some devices. All devices of this type and their categories should be added to the BB:ReconDetected: Devices which Merge Recon into Single Events building block.
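The scanner rules in the table above all share one shape: a single source contacting more than N distinct destination hosts on one service's port set inside a time window, with N and the rule name depending on whether source and targets are local or remote. The following Python is an added example, not QRadar's rule engine or any code shipped with this content extension, that applies that logic to constructed flow records; the local network ranges, the port sets (standing in for the BB:PortDefinition building blocks), and the uniform use of "more than" for every rule are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed local network hierarchy (constructed for this example).
LOCAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Assumed port sets standing in for the BB:PortDefinition: * Ports building blocks.
PORT_DEFINITIONS = {
    "SSH": {22},
    "Database": {1433, 1521, 3306, 5432},
    "Web": {80, 443, 8080},
}

# (direction, service) -> (rule name, host threshold, window in minutes), taken from
# the rule descriptions in Table 3. Direction = source locality + target locality.
# Assumption: every rule fires on MORE THAN the threshold (the Database rules are
# worded "at least 30"; the difference is a single host).
RULES = {
    ("L2L", "SSH"): ("Local L2L SSH Server Scanner", 30, 10),
    ("L2R", "SSH"): ("Local L2R SSH Server Scanner", 30, 10),
    ("R2L", "SSH"): ("Remote SSH Server Scanner", 30, 10),
    ("L2L", "Database"): ("Local L2L Database Scanner", 30, 10),
    ("L2R", "Database"): ("Local L2R Database Scanner", 30, 10),
    ("R2L", "Database"): ("Remote Database Scanner", 30, 10),
    ("L2L", "Web"): ("Local L2L Web Server Scanner", 60, 10),
    ("L2R", "Web"): ("Local L2R Web Server Scanner", 400, 10),
    ("R2L", "Web"): ("Remote Web Server Scanner", 60, 10),
}


def is_local(ip):
    """True when the address falls inside the assumed local network hierarchy."""
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)


def direction(src, dst):
    """L2L, L2R, R2L or R2R, mirroring the Local L2L / Local L2R / Remote rule split."""
    return ("L" if is_local(src) else "R") + "2" + ("L" if is_local(dst) else "R")


def service_for_port(port):
    """Map a destination port to its port-definition name, or None if untracked."""
    for name, ports in PORT_DEFINITIONS.items():
        if port in ports:
            return name
    return None


def detect_scanners(flows):
    """Apply the threshold rules to (timestamp, src_ip, dst_ip, dst_port) records.

    Keeps a sliding window per (source, direction, service) of destinations seen
    and raises one alert per key the first time the number of DISTINCT destination
    hosts inside the window exceeds the rule threshold.
    """
    windows = defaultdict(deque)  # key -> deque of (timestamp, dst_ip)
    fired = set()
    alerts = []
    for ts, src, dst, dport in sorted(flows, key=lambda f: f[0]):
        key = (src, direction(src, dst), service_for_port(dport))
        rule = RULES.get(key[1:])
        if rule is None:
            continue  # untracked port or direction: no rule applies
        name, max_hosts, minutes = rule
        window = windows[key]
        window.append((ts, dst))
        cutoff = ts - timedelta(minutes=minutes)
        while window and window[0][0] < cutoff:
            window.popleft()  # drop flows older than the rule's window
        distinct = {host for _, host in window}
        if len(distinct) > max_hosts and key not in fired:
            fired.add(key)
            alerts.append({"rule": name, "source": src, "hosts": len(distinct), "at": ts})
    return alerts


def sample_flows():
    """Constructed flow records (not real traffic) exercising the rules above."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    flows = []
    # Local host probing SSH on 35 distinct local hosts within 5 minutes: exceeds 30.
    for i in range(35):
        flows.append((t0 + timedelta(seconds=8 * i), "10.0.5.7", f"10.0.20.{i + 1}", 22))
    # Same host reaching 20 remote web servers: far below the 400-host L2R web threshold.
    for i in range(20):
        flows.append((t0 + timedelta(seconds=10 * i), "10.0.5.7", f"198.51.100.{i + 1}", 443))
    # Remote host touching 12 local web servers: below the 60-host threshold.
    for i in range(12):
        flows.append((t0 + timedelta(seconds=5 * i), "203.0.113.9", f"192.168.1.{i + 1}", 80))
    # Remote host touching 31 local SSH servers spread over 40 minutes: at most 8 fall
    # inside any 10-minute window, so the rule stays quiet despite the total.
    for i in range(31):
        flows.append((t0 + timedelta(seconds=80 * i), "203.0.113.9", f"192.168.2.{i + 1}", 22))
    return flows
```

Running `detect_scanners(sample_flows())` yields a single alert for Local L2L SSH Server Scanner from 10.0.5.7, raised on the 31st distinct host; the slow remote SSH sweep shows why the window matters as much as the host count when tuning these rules.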
