Alert Pack: Port Scan Detection

[ 1 Purpose ] [ 2 Prerequisites ] [ 3 Open alert pack ] [ 4 Use alert pack ]

Purpose

This Alert Pack is a single alert for detecting DoS attacks used for testing a Port Scan Use Case.

Port Scan Detection

This alert detects an IP that is suspicious of doing a port scan attack in sending requests to more than 100 different ports in a period of 5 minutes.

from firewall.juniper.ssg.traffic
where ispublic(srcIp)
where action = "Accept"
select str(srcIp) as sourceIP
group every 1m by sourceIP
every 1m
select hllppcount(dstPort) as dstPorthll
where dstPorthll >= 10
select round(dstPorthll) as dstPortRound

Prerequisites

When installed as part of the use case mentioned above, everything will be sorted automatically.

When installed as an independent item, you must have the following data source available in your domain:

firewall.juniper.ssg.traffic ^{learn more}

Open alert pack

Once you have installed the alert pack, you can use the Open button at the top right of the card in Exchange to access the Alert configuration, where you can apply filters to find it and later manage it as required. You can also access this area via the Navigation pane (Administration → Alert Configuration → Available alerts).

Use alert pack

The alerts in the alert pack are deactivated by default when the alert pack is installed. Access the Alert configuration area to activate those you need and assign sending policies to receive them through the desired channels.