September 27, 2020

Use Splunk to Locate Port Scanners

If you are hosting a web application, then the only open TCP ports through your firewall should be 80 and 443.  If anything tries to connect on other ports such as 23, 3389, 12345, etc., then it’s more than likely hostile.  Likewise, attempts to connect to sequential port numbers, or to a large collection of randomized ports, are a bad sign.  Below is a dashboard showing the source IP address(es) and the number of destination ports each one scanned.  The idea here is that if you can see who is attacking you, you can better defend yourself.

Looking at the top talker here, the one in Seychelles has attempted to connect to the outside interface of my Palo Alto Networks firewall on 93 distinct ports.  News flash!  I don’t have that many ports open on this firewall.

Now, here’s what I did to create this dashboard.  I knew that I wanted to know which IP addresses were attempting to connect on multiple ports, so I opened a new search box and started asking Splunk what I wanted to know.

It took me a while to get this search the way that I wanted, so I decided to make a macro out of it and then call the macro from the dashboard.

I made two variables for the macro: destination IP ($destIp$) and minimum count ($minCount$).  That way, if I wanted to look at a different interface than the outside of my firewall, I could simply pass in a different $destIp$ that I’m interested in (e.g. Active Directory domain controllers, email servers, MySQL servers, etc.).  The $minCount$ is handy for dialing in how sensitive you want the results to be.  For example, if we have a web server that should only have 2 ports open, the logical $minCount$ would be 3.  That should alert you if anything attempts to connect on a third port after 80 and 443, but I’ve seen that this can flood you with so many results that it becomes overwhelming.

I suggest dialing this in until you get some actionable intel out of it.  I found that in my case, for the production environment, 32 was a good number to keep the results on a single page of the dashboard.  This also allows me to block or blacklist the highest offenders, especially if I see them show up multiple times.
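As an added example (not the author’s macro, which the post does not reproduce), here is the same distinct-ports-per-source logic run locally in Python over constructed firewall log lines, with an assumed SPL equivalent alongside it. The field names src_ip, dest_ip and dest_port are assumed from the Palo Alto Networks add-on, and the two parameters mirror $destIp$ and $minCount$.

```python
# Added example for this post: the distinct-port-per-source count the Splunk
# macro performs, run locally over constructed firewall log lines.  Field names
# (src_ip, dest_ip, dest_port, action) are assumed; the author's macro is not on the page.
from collections import defaultdict

# Assumed SPL equivalent of the macro; $destIp$ and $minCount$ are its arguments.
SPL_MACRO = (
    "sourcetype=pan:traffic dest_ip=$destIp$ "
    "| stats dc(dest_port) AS port_count values(dest_port) AS ports BY src_ip "
    "| where port_count >= $minCount$ | sort - port_count"
)

# Constructed key=value traffic events: 203.0.113.10 probes four distinct ports
# (one repeated), 192.0.2.77 touches three, 203.0.113.99 hits a different dest_ip.
SAMPLE_LOGS = """\
src_ip=203.0.113.10 dest_ip=198.51.100.1 dest_port=22 action=deny
src_ip=203.0.113.10 dest_ip=198.51.100.1 dest_port=23 action=deny
src_ip=203.0.113.10 dest_ip=198.51.100.1 dest_port=3389 action=deny
src_ip=203.0.113.10 dest_ip=198.51.100.1 dest_port=12345 action=deny
src_ip=203.0.113.10 dest_ip=198.51.100.1 dest_port=22 action=deny
src_ip=192.0.2.77 dest_ip=198.51.100.1 dest_port=80 action=allow
src_ip=192.0.2.77 dest_ip=198.51.100.1 dest_port=443 action=allow
src_ip=192.0.2.77 dest_ip=198.51.100.1 dest_port=8080 action=deny
src_ip=203.0.113.99 dest_ip=198.51.100.2 dest_port=25 action=deny
src_ip=203.0.113.99 dest_ip=198.51.100.2 dest_port=110 action=deny
"""

def parse_events(raw):
    """Parse key=value lines into dicts, skipping blank or malformed lines."""
    events = []
    for line in raw.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if {"src_ip", "dest_ip", "dest_port"}.issubset(fields):
            events.append(fields)
    return events

def port_scanners(events, dest_ip, min_count):
    """Sources that reached >= min_count distinct ports on dest_ip, busiest first.
    Mirrors: stats dc(dest_port) BY src_ip | where port_count >= $minCount$."""
    ports_by_src = defaultdict(set)
    for ev in events:
        if ev["dest_ip"] == dest_ip:          # the $destIp$ filter
            ports_by_src[ev["src_ip"]].add(int(ev["dest_port"]))
    hits = [(src, len(ports), sorted(ports))
            for src, ports in ports_by_src.items() if len(ports) >= min_count]
    return sorted(hits, key=lambda h: h[1], reverse=True)

if __name__ == "__main__":
    for src, count, ports in port_scanners(parse_events(SAMPLE_LOGS), "198.51.100.1", 3):
        print(f"{src} tried {count} distinct ports: {ports}")
```

Raising min_count from 3 to 4 drops the three-port source, which is the sensitivity dial the post describes.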