This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Masscan Port Scanning Tool Detection'

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Masscan Port Scanning Tool Detection'

jdprovine
L4 Transporter

‎11-07-2019 09:11 AM - edited ‎11-07-2019 09:14 AM

I am getting this alert Masscan Port Scanning Tool Detection' what can I do that will stop the scanning, I would think I would need to do more that alert and when I check the threat database it didn't really offer much 

0 Likes Likes
3 REPLIES 3

BPry
Cyber Elite
Cyber Elite

‎11-07-2019 07:46 PM

@jdprovine,

The default action for this is simply to alert. As is, I generally set it so anything coming from external resources with a severity great-or-equal to medium gets reset, regardless of default action. You might want to look at making the same modification to the threat profile utilized on your external security entries. 

One of the thing you might want to look at is the firewalls built-in block-ip option that can limit the source-ip from connecting for a set duration. You can also setup MineMeld to pull indicators from the threat logs (either through log-forwarding to a SIEM or directly through the API) so you can feed these into a block-list so to speak by utilizing the EDL functionality. 

0 Likes Likes

jdprovine
L4 Transporter
In response to BPry

‎11-08-2019 06:12 AM

@BPry 

Hows it going? As always you have many good suggestions. I decided to change the action to drop. I currently don't have mine meld and doesn't that cost?  I currently do not have a SIEM setup yet I may need to look into that

0 Likes Likes

BPry
Cyber Elite
Cyber Elite
In response to jdprovine

‎11-08-2019 09:45 AM

@jdprovine,

The product is included with AutoFocus which does have a cost associated with it that has caused a fair amount of confusion; MineMeld itself however is open-source and can be installed by itself without any cost associated. 

You can get the indicators added automatically to MineMeld using some scripts to pull a custom report through the API, and feeding the indicators into a file that gets fed into MineMeld as an indicator list. I might write a post about that one of these days. 

0 Likes Likes
  • 8332 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks