Detecting Nmap Port Scanning

Overview

Port scanning, especially with tools like Nmap, is a common technique used by attackers to identify open ports and services on a target system. In this context, we are looking to detect instances where a source IP is attempting to connect to multiple ports on a destination IP in a short time frame, indicative of scanning behavior. Using Splunk and Zeek logs, we can identify these patterns by filtering for zero payload traffic and counting unique port connections.

Splunk Query for Detecting Nmap Scans

The following Splunk query identifies potential Nmap port scans by filtering for network connections with no payload (i.e., orig_bytes=0) and counting the number of distinct ports accessed within private IP ranges. By setting a threshold of three or more ports within a five-minute interval, we can flag this activity as suspicious.

Query Breakdown

index="cobaltstrike_beacon" sourcetype="bro:conn:json" orig_bytes=0 dest_ip IN (192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8) 
| bin span=5m _time 
| stats dc(dest_port) as num_dest_port by _time, src_ip, dest_ip 
| where num_dest_port >= 3

Detailed Steps:

1. Select the Appropriate Data Source:

   • index="cobaltstrike_beacon" specifies the index where the relevant Zeek connection logs are stored.

   • sourcetype="bro:conn:json" specifies the source type as Zeek JSON logs for connection data.

2. Filter for Zero-Payload Connections:

   • orig_bytes=0 targets connection attempts where the initial payload size is zero. This typically indicates a scan attempt since no actual data is being transmitted, just the connection request.

3. Restrict to Internal IP Ranges:

   • dest_ip IN (192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8) filters the results to only include private IP ranges. This approach is commonly used to monitor internal network traffic for signs of port scanning, which is a common reconnaissance activity within internal networks.

4. Time-Binning Events:

   • | bin span=5m _time groups the events into 5-minute intervals, helping us detect multiple scanning attempts within a brief period, which is characteristic of port scanning activity.

5. Count Unique Ports Accessed:

   • | stats dc(dest_port) as num_dest_port by _time, src_ip, dest_ip counts the distinct destination ports (using dc(dest_port)) that each source IP (src_ip) connects to on each destination IP (dest_ip) within the 5-minute time window.

6. Set a Threshold for Flagging Scans:

   • | where num_dest_port >= 3 filters to include only events where three or more unique ports were accessed by the same source IP within the defined 5-minute window. This threshold suggests potential scanning behavior as multiple ports are probed in a short time frame.

Interpreting Results

• Flagging Potential Scanners: IPs that attempt to connect to three or more ports within a short window, without sending any payload data, are likely engaging in port scanning activity.

• Adjusting Thresholds: If there are many false positives, consider adjusting the num_dest_port threshold. Higher values indicate more aggressive scanning.