Our last blog on ASAM should have given you an idea of the different dashboards available with ASAM. This blog explains how events are triggered for the new security event type, "scans/probes".

Scans are flows sent to a specific host on multiple ports, or to multiple hosts on a single port.

Scans can be of different types. The attacker's aim is to identify a path to break into the network, that is, which combination of IP address and port can be used to get information from it. To find this, the attacker scans the network, and these scans fall into the following types:

One to Many:

Many to One:

Many to Many:

Further classifications of the scans are as follows:

Port scan: Flows from single/multiple source hosts to single/fewer destination hosts on multiple destination ports, exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Port scan (Reverse): Flows from single/fewer source hosts to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Host scan: Flows from single/multiple source hosts to multiple destination hosts on single/fewer destination ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Host scan (Reverse): Flows from multiple source hosts to single/multiple destination hosts using single/fewer source ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Grid Scan: Flows from single/multiple source hosts to multiple destination hosts on multiple destination ports, exceeding Minimum Vertical Span or Minimum Horizontal Span, and Minimum Occupancy, at the destination end.

Grid Scan (Reverse): Flows from multiple source hosts to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span or Minimum Horizontal Span, and Minimum Occupancy, at the source end.

Diagonal Scan: Flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts equals the number of distinct destination ports, which in turn equals the number of destination end points, exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints).

Diagonal Scan (Reverse): Flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts equals the number of distinct source ports, which in turn equals the number of source end points, exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints).

These scans are identified based on different aggregation mechanisms in NetFlow Analyzer. They are Source Aggregation, Destination Aggregation, and Router Aggregation.

These aggregation mechanisms let NetFlow Analyzer separate out the various scans happening in the network.

Source aggregation is keyed on the source IP address: if a particular source violates the threshold by sending packets to many different destinations, an event is triggered. Similarly, with destination aggregation, an event is triggered when a destination receives packets from many different IP addresses. Router-based aggregation comes into the picture when similar traffic is sent from any source to any destination through the same router.
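To make the scan classifications and source aggregation above concrete, here is an added Python example (not ASAM or NetFlow Analyzer code) that groups constructed flow records by source IP, computes the span, occupancy and aspect ratio of each source's destination host x port grid, and labels it as a Port, Host, Grid or Diagonal scan. The threshold values, the aspect-ratio definition (long side over short side of the grid) and the flow records are assumptions for illustration; ASAM's actual thresholds are tuned per network.

```python
from collections import defaultdict

# Constructed sample flow records (src, dst, dport); not real traffic.
FLOWS = (
    [("10.0.0.2", "10.0.1.1", p) for p in (80, 443)]                                 # normal client
    + [("10.0.0.5", "10.0.1.20", p) for p in (21, 22, 23, 25, 80, 443, 3389, 8080)]  # port scan
    + [("10.0.0.9", f"10.0.2.{h}", 445) for h in range(1, 13)]                       # host scan
    + [("10.0.0.7", f"10.0.3.{h}", p) for h in range(1, 7) for p in range(8000, 8006)]  # grid
    + [("10.0.0.3", f"10.0.4.{i}", 1000 + i) for i in range(1, 9)]                   # diagonal
)

# Assumed thresholds standing in for ASAM's Minimum Vertical/Horizontal/Diagonal Span,
# Minimum Occupancy and Minimum Aspect Ratio; real values are tuned per network.
MIN_VERTICAL_SPAN = 5    # distinct destination ports
MIN_HORIZONTAL_SPAN = 5  # distinct destination hosts
MIN_DIAGONAL_SPAN = 5    # distinct endpoints when hosts == ports == endpoints
MIN_OCCUPANCY = 0.5      # endpoints / (hosts * ports): how full the host x port grid is
MIN_ASPECT_RATIO = 3.0   # long side / short side of that grid (assumed definition)

def source_aggregate(flows):
    """Source aggregation: the distinct destination (host, port) endpoints per source IP."""
    by_src = defaultdict(set)
    for src, dst, dport in flows:
        by_src[src].add((dst, dport))
    return by_src

def classify(endpoints):
    """Classify one source's destination endpoints as a scan type, or None if benign."""
    n_hosts = len({h for h, _ in endpoints})
    n_ports = len({p for _, p in endpoints})
    n_ends = len(endpoints)
    occupancy = n_ends / (n_hosts * n_ports)
    aspect = max(n_hosts, n_ports) / min(n_hosts, n_ports)
    if n_hosts == n_ports == n_ends and n_ends >= MIN_DIAGONAL_SPAN:
        return "Diagonal Scan"  # one distinct port per host, along the diagonal
    if (n_ports > n_hosts and n_ports >= MIN_VERTICAL_SPAN
            and occupancy >= MIN_OCCUPANCY and aspect >= MIN_ASPECT_RATIO):
        return "Port Scan"  # few hosts, many ports (tall grid)
    if (n_hosts > n_ports and n_hosts >= MIN_HORIZONTAL_SPAN
            and occupancy >= MIN_OCCUPANCY and aspect >= MIN_ASPECT_RATIO):
        return "Host Scan"  # many hosts, few ports (wide grid)
    if ((n_ports >= MIN_VERTICAL_SPAN or n_hosts >= MIN_HORIZONTAL_SPAN)
            and occupancy >= MIN_OCCUPANCY):
        return "Grid Scan"  # many hosts and many ports, densely filled
    return None

def detect_scans(flows):
    """Return {source_ip: scan_type} for each source whose flows exceed the thresholds."""
    flagged = ((src, classify(ends)) for src, ends in source_aggregate(flows).items())
    return {src: kind for src, kind in flagged if kind}
```

Swapping the roles of source and destination in `source_aggregate` gives the destination-aggregated view, which is where the "Reverse" variants above would be detected.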

We also have a wide range of customization options available with the ASAM add-on to NetFlow Analyzer, which are used for tuning the product for known traffic.

We will explain more about the customizations in our next blog on ASAM.

You can download the 30-day trial from here.

Praveen Manohar
NetFlow Analyzer Technical Team

