Potential SYN-Based Port Scan Detected

Last updated 3 days ago on 2025-02-28
Created 2 years ago on 2023-05-17

About

This rule identifies a potential SYN-based port scan. A SYN port scan is a technique attackers use to find open ports on a target network by sending SYN packets to many ports and observing the responses. The results reveal potential entry points or services that may be vulnerable to exploitation, which can lead to targeted attacks, unauthorized access, data breaches, or further malicious activity. The rule takes a threshold-based approach: it flags connection attempts from a single source to a large number of unique destination ports while limiting the number of packets per flow (a half-open SYN probe produces only one or two packets, whereas an established session produces many more).
Tags
Domain: Network
Tactic: Discovery
Tactic: Reconnaissance
Use Case: Network Security Monitoring
Data Source: PAN-OS
Language: kuery
Severity
low
Risk Score
21
MITRE ATT&CK™

Discovery (TA0007)

Reconnaissance (TA0043)

License
Elastic License v2

Definition

Rule Type
Threshold Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-network_traffic.*
packetbeat-*
filebeat-*
logs-panw.panos*
Related Integrations

network_traffic

panw

Query
event.action:network_flow and destination.port:* and network.packets <= 2 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
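The following Python script is an added illustration, not part of the Elastic rule itself: it applies the query's filter to flattened ECS flow documents, then performs the threshold step the rule describes (counting unique destination ports per source IP). The threshold value and the sample flows are assumptions constructed for the demonstration; the page does not state the rule's actual threshold.

```python
import ipaddress
from collections import defaultdict

# Private source ranges named in the rule's query.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed value: the page does not give the rule's unique-port threshold.
UNIQUE_PORT_THRESHOLD = 5


def matches_query(flow):
    """Apply the rule's KQL filter to one flow document with flattened ECS field names."""
    if flow.get("event.action") != "network_flow":
        return False
    if flow.get("destination.port") is None:  # destination.port:* requires the field to exist
        return False
    packets = flow.get("network.packets")
    if packets is None or packets > 2:  # network.packets <= 2 keeps half-open probes only
        return False
    try:
        src = ipaddress.ip_address(flow["source.ip"])
    except (KeyError, ValueError):
        return False
    return any(src in net for net in PRIVATE_NETS)


def detect_port_scans(flows, threshold=UNIQUE_PORT_THRESHOLD):
    """Threshold step: group matching flows by source.ip and count unique destination ports."""
    ports_by_source = defaultdict(set)
    for flow in flows:
        if matches_query(flow):
            ports_by_source[flow["source.ip"]].add(flow["destination.port"])
    return {src: len(ports) for src, ports in ports_by_source.items() if len(ports) >= threshold}


# Constructed sample flows (not real traffic); the dst host and ports are illustrative.
SAMPLE_FLOWS = (
    [{"event.action": "network_flow", "source.ip": "10.1.2.3", "destination.ip": "10.1.2.50",
      "destination.port": p, "network.packets": 1} for p in (21, 22, 23, 25, 80, 443, 445, 3389)]
    + [{"event.action": "network_flow", "source.ip": "192.168.5.9", "destination.ip": "10.1.2.50",
        "destination.port": 443, "network.packets": 40}]  # established session, excluded by packet count
    + [{"event.action": "network_flow", "source.ip": "8.8.8.8", "destination.ip": "10.1.2.50",
        "destination.port": p, "network.packets": 1} for p in range(1, 40)]  # external source, out of scope
    + [{"event.action": "network_flow", "source.ip": "172.20.0.7", "destination.ip": "10.1.2.50",
        "destination.port": 80, "network.packets": 2} for _ in range(20)]  # many flows, one port only
)

if __name__ == "__main__":
    print(detect_port_scans(SAMPLE_FLOWS))  # {'10.1.2.3': 8}
```

Only the internal host probing eight distinct ports crosses the assumed threshold; the repeated single-port retries, the long session, and the external scanner are all filtered out, which mirrors how the rule separates a SYN sweep from ordinary traffic.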

Install detection rules in Elastic Security

Detect a potential SYN-based port scan in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.