Thanks to one of my fellow InfoSec brethren and fellow security product developer, he got me thinking as to how to detect a situation he presented me, and well, I finally had an engram kick-in and off I went to see how I would I detect this condition.
We are all too familiar with port scans against our firewalls from a myriad of ne'er-do-wellers and how a firewall or other specialty network device detects and blocks reconnaissance behavior. Simply stated, one IP hitting multiple ports, OK, a lot of ports in a fairly short period of time, is the main indicator.
But what about inside your network, not just Internet facing systems, how would you detect a port scan occurring? Say, recon by a malwarian already inside a compromised box, a misguided employee, rogue admin, Pen Test consultant, etc. As long as there is a firewall or network device between the source (bad guy) and target that is being logged you could detect a port scan. Or if you have an IDS/IPS inline between the two hosts involved, you could detect the port scan IF you have logs being monitored and alerting on this kind of behavior. If you have a managed service IDS/IPS provider then they should be calling you, or at a minimum alerting you to an internal port scan, so this is a way to see if they are doing what you pay them for, or you have short comings in malicious network detection capabilities. I will also assume that switches are not being logged as this produces more noise versus value in most cases.
But what about same segment port scanning? What if a malwarian is on one host and scans ONLY that subnet and surrounding IP's, could you detect a port scan? Is your IDS/IPS connected to a span port that can see ALL traffic going between systems within a switch or network segment? If not, what else could you do? Would you believe Windows Logs to the rescue if the target is Windows? You could do the same with IPTables on NIX systems by the way.
The Windows Firewall Logs can detect this behavior, but not a setting I normally recommend because of the noise it normally generates that is not of much value. And thus why this blog post. So if you test your port scan detection capabilities, and I suggest you do, this is where my InfoSec Musketeer comes into play. Thanks Marcus for planting the seed and "Hey.. where is my avatar on the main page???". VThreat is an all browser based solution that enables you to test your ability to detect various nefarious activities and your ability to detect them, one of which is a port scan. Many of you might be wondering right about now, does my IDS/IPS cover this condition? Could you detect a port scan between two hosts, workstations or servers or the same segment, an IP or two apart? Check out VThreat if you want to test for it! Or play with what I list below, at a minimum if you can detect a local segment port scan successfully. You should be able to detect most of them with well tuned tools that VThreat can help you test.
For Windows systems and Group Policy, if you enable "Filtering Platform Connection" under Object Access found in Advanced Audit Policy and you enable "Failure", where normally I recommend only "success", you can detect a local port scan where your network devices may fail you. The logs will provide you with EventCode 5156 "failed" attempts to create a connection to the Windows host, and in quantities that are never normal. An example where I generally recommend not to enable this option, but an example of why you might want to.
Remember, you do not have to send this data to Splunk or other log management solution. You can collect it locally and craft some script to query for this data as you see fit. Of course LOG-MD will collect this information if enabled for a tactical solution, IR work or you want to test if your network devices and logging are up to snuff.
Here is a sample Splunk query for you to ponder and expand upon. Just adjust the ports you want to cover (<20000) and the quantity over time (>10) and then search over the past hour and do some testing.
index=win_logs LogName=Security EventCode=5156 | table host Source_Address, Source_Port, Destination_Address, Destination_Port, Protocol, Keywords | search Source_Port < 20000 | stats count dc(Source_Port) AS Port_Count values(Source_Port) AS Port values(Keywords) by Destination_Address | where Port_Count > 10