
In a complete network infrastructure, with firewalls, routers and servers supervised by a SIEM (LogPoint here). Of course, there is a private network and there are public servers.

In LogPoint there is an alert called "port scans" which is triggered whenever one source hits one destination on 100 different ports in 5 minutes.

With these logs, how would you distinguish a "normal" port scan that happens every day on the internet from a port scan that can be a preparation for an attack, i.e. a more "serious" port scan?

BR.Hamza
  • Don't you see the source in the logs? – Tom K. Apr 05 '18 at 15:56
  • All port scans are reconnaissance. If you have a way to automate blocks given the conditions you described, it would be reasonable to block the source IP for some period of time to keep them from finding anything you might have missed. – nbering Apr 05 '18 at 16:44
  • Well you'll actually notice "normal internet" port scans, for one, because they are not at all stealthy. – forest Apr 06 '18 at 09:22
  • Yes, I do see the source in my logs, and we do block it. But I wanted to go further and try to get more information. I thought about checking in my logs whether the source had interacted with my network before, and if so, what exactly. And I asked this question to find a way, if possible, to get more information out of my logs. – BR.Hamza Apr 06 '18 at 09:58
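The alert rule described in the question (one source, one destination, 100 distinct ports inside a 5-minute window) and the follow-up idea in the comments (look up what that source did before the alert) can be reproduced over raw firewall logs. The code below is an added example, not LogPoint's own rule or anything from the original post; the log line format, the field names and the sample addresses are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def parse_line(line):
    """Parse one constructed 'ts key=value ...' firewall line into an event dict (assumed format)."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts)
    ev["dport"] = int(ev["dport"])
    return ev

def detect_port_scans(events, threshold=100, window=timedelta(minutes=5)):
    """The rule from the question: one source hits one destination on >= threshold
    distinct ports inside a sliding time window. Emits at most one alert per pair."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["src"], ev["dst"])].append(ev)
    alerts = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        ports, start = Counter(), 0          # distinct ports currently inside the window
        for ev in evs:
            ports[ev["dport"]] += 1
            while ev["ts"] - evs[start]["ts"] > window:   # drop events that fell out of the window
                old = evs[start]["dport"]
                ports[old] -= 1
                if ports[old] == 0:
                    del ports[old]
                start += 1
            if len(ports) >= threshold:
                alerts.append({"src": src, "dst": dst, "ports": len(ports),
                               "first_seen": evs[start]["ts"], "last_seen": ev["ts"]})
                break
    return alerts

def prior_activity(events, src, before):
    """Enrichment the asker wanted: everything this source did before the alert window."""
    return [e for e in events if e["src"] == src and e["ts"] < before]

# Constructed sample data (not from the page); addresses are from documentation ranges.
def _line(ts, src, dst, dport, action):
    return f"{ts.isoformat()} src={src} dst={dst} dport={dport} action={action}"

_T0 = datetime(2018, 4, 5, 10, 0, 0)
SAMPLE_LOGS = (
    [_line(_T0 - timedelta(days=1), "203.0.113.7", "198.51.100.10", 443, "allow")]  # earlier allowed session
    + [_line(_T0 + timedelta(seconds=i), "203.0.113.7", "198.51.100.10", 1 + i, "deny") for i in range(120)]  # fast scan: alerts
    + [_line(_T0 + timedelta(seconds=30 * i), "203.0.113.99", "198.51.100.10", 1 + i, "deny") for i in range(100)]  # slow scan: under the rule
    + [_line(_T0 + timedelta(minutes=1), "192.0.2.5", "198.51.100.10", p, "allow") for p in (80, 443, 25)]  # ordinary client
)

if __name__ == "__main__":
    evs = [parse_line(l) for l in SAMPLE_LOGS]
    for a in detect_port_scans(evs):
        print(a, "prior:", prior_activity(evs, a["src"], a["first_seen"]))
```

Note that the slow scanner (100 ports spread over about 50 minutes) never trips the 5-minute rule, which is the gap the comments hint at: the rule catches noisy scans, and the prior-activity lookup is what adds context for the ones it does catch.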

1 Answer

You can't, because there isn't one. Unless a port scan is:

  1. Initiated by you.
  2. Initiated on your request or behalf by a security partner.

it is malicious. You can block them as you wish. The sole purpose of port scans, malicious or not, is to find weaknesses and vulnerable services in your internet-facing gateway. If you or a partner does it, it's to help you strengthen your posture. If anyone else does it, it's to determine if you're worth attacking, and how best to launch that attack.

  • Lots of white-hats do mass scans; you can't categorically assign all scans as malicious. – dandavis Apr 05 '18 at 22:37
  • Okay, but you should still treat them as malicious given that you have no way to distinguish them from malicious scans. – Monica Apologists Get Out Apr 06 '18 at 12:34
  • I have to agree with Adonalsium. Also, white-hat is about legality, not intent. If I break into your servers and take all your customer data but I *genuinely* only mean to keep it as a safe backup for you... I'm not a white-hat. If you don't have a contract, you need to restrict your scans/actions against an org to *only* what is intended (i.e. permitted) functionality (which still has plenty of bugs to find). Otherwise, email them and recommend they look into BugCrowd/HackerOne/etc., and move on. – Angelo Schilling Jul 20 '18 at 20:40