UDP Portscan Enumeration Event
From SCADApedia
The UDP Portscan Enumeration Event triggers an alert when a system is observed sending UDP packets to multiple ports on one or more hosts. The event uses the IP Flow interface to determine whether a system is generating UDP sessions to multiple ports on one or more hosts.
When a system generates UDP sessions to multiple ports on one or more hosts, Portaledge generates a UDP Portscan Enumeration Event. This event is part of the Portaledge Enumeration Event Class.
ACE Module Description
The ACE Module for the UDP Portscan Enumeration Event monitors all systems on a network covered by the IP Flow interface. The PI Interface Node running the IP Flow interface collects network flow records and returns them to the PI server. The collected data is passed to ACE and compared against the thresholds and ignore list configured for the UDP Portscan Enumeration Event. Systems that exceed the thresholds and are not on the ignore list generate an event, which is written to the Portaledge_EnumerationAlert tag, creating a Portaledge Event.
The UDP Portscan Enumeration Event package includes:
- EnumerationUDPPortScanBeta1.vb
- EnumerationEventHelpers.vb
- UDP Portscan Enumeration Excel templates
Analysis or Impact
The UDP Portscan Enumeration Event identifies a system that has sent UDP packets to multiple ports on one or more hosts. Such traffic may be the result of an attacker scanning the network for listening UDP services. The byte limits below default to 28 bytes, the size of an IPv4 datagram carrying a UDP header and no payload, which is the probe a simple UDP port scanner typically sends. Because UDP is connectionless, a flow record cannot distinguish a deliberate scan from any other burst of small datagrams, so allowed communications that happen to look like scanning (for example, a management host that sweeps many ports or hosts) should be placed on the exceptions list rather than left to trigger the event.
Interfaces
The UDP Portscan Enumeration Event gathers data from workstations and servers with the following PI Interfaces:
- IP Flow: Used to monitor network traffic.
Triggers
A UDP Portscan Enumeration Event is generated when the following condition occurs:
- UDP: This trigger raises an alarm if the UDP threshold is exceeded and the systems involved in the UDP traffic are not on the ignore list.
The thresholds for the triggers can be modified in the ACE modules.
The trigger is stored as part of the Event and is available for display or analysis.
Installation
This section provides specific installation information for the UDP Portscan Enumeration Event. General installation information that applies to all Events is available on the Portaledge Installation page.
PI Tags
Create the PI IP Flow tag for the network being monitored.
- PI IP Flow Interface: Refer to the OSIsoft PI IP Flow Interface documentation for creating and configuring the IP Flow tag (see external links below).
Module Database
Create the modules, their associated properties and aliases, and the aliases' tag references for the systems to be monitored in the module database, using either the SMT Module Database interface or the provided Excel templates.
If it does not already exist, create a Portaledge module in the module database. This module contains the sub-modules and other information relevant to this and other Portaledge events. Create the modules manually through the SMT interface or use the provided templates to add them through the Excel SMT tool.
- Modules:
- Alerts
- The Alerts module will contain the following alias:
- Alias Name: EnumerationAlert with the following settings:
- PI Server: The PI Server on which the referenced tag exists.
- Tag Name: Portaledge_EnumerationAlert (see the Output Tags below).
- Enumeration: An Enumeration module needs to be created if it does not already exist. It holds the properties below and the Flow sub-module.
- Properties
- EnumerationUDPScan_BytesLowerLimit = 28.
- EnumerationUDPScan_BytesUpperLimit = 28: The upper and lower byte limits bound the size of the sessions counted as scanning activity of this type (UDP Portscan). A 28-byte UDP flow is a 20-byte IPv4 header plus an 8-byte UDP header with no payload, i.e. an empty probe; widen the band if the scanning tools of concern send probe payloads.
- EnumerationUDPScan_Exceptions: List of communications exempt from the UDP Portscan Enumeration Event. This field exists so that communications between systems that are allowed, but that meet the criteria for scanning detection, do not trigger events. Exempted communications are listed as system1 IP : system1 port : system2 IP : system2 port | system3 IP : system3 port : system4 IP : system4 port, and so on, where system1 communicates with system2 and system3 communicates with system4. The ":" delimiter separates the fields of one communication session and the "|" delimiter separates sessions. Example: 192.168.10.10 : 1234 : 192.168.10.20 : 4567.
- EnumerationUDPScan_PortsPerSystemLimit: Number of ports a system is allowed to create UDP sessions to before the UDP Portscan Enumeration Event creates an alert.
- EnumerationUDPScan_SessionLimit: Number of UDP sessions a system is allowed before the UDP Portscan Enumeration Event creates an alert.
- EnumerationSessionInfo_Time = 300: Amount of time, in seconds, over which the module collects new network sessions before evaluating the thresholds. The ACE module's run interval should match this value (see ACE Modules below).
- EnumerationUDPScan_Severity = 4: The severity level of the alert. This will be used to calculate the severity levels in the Enumeration Event Class Event and the Meta Event.
- Flow: The Flow Module will contain aliases for the IP Flow tags.
- Aliases: dst, dstIP, dstPort, octet, protocol, src, srcIP, srcPort.
- Tag Name for each alias: the name of the tag created to reference the IP Flow tag created in the PI Tags step above.
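The trigger logic that the properties above describe, as an added illustration that is not Portaledge's own VB.NET ACE module and calls no PI API: it applies the byte-size band, the exception list and the two count limits to a constructed window of flow records laid out like the Flow module aliases. The property names are the page's; the two count-limit values, the flow record layout, the alert string layout, the counting of distinct (dstIP, dstPort) pairs for the ports-per-system limit, and exact four-field matching of exception entries are assumptions made for the example.

```python
# Added illustration, not Portaledge's own VB.NET ACE module: the UDP portscan
# check described by the module-database properties, run over constructed
# IP Flow-style records. Property names are the page's; the flow record layout,
# the two limit values marked "assumed", the alert string layout and the
# exact-match handling of exception entries are assumptions.
from collections import defaultdict
from dataclasses import dataclass

UDP = 17  # IP protocol number carried in the "protocol" flow field

# Module-database properties as listed on the page. The page gives no default
# for the two count limits, so the values here are assumed for the example.
PROPS = {
    "EnumerationUDPScan_BytesLowerLimit": 28,
    "EnumerationUDPScan_BytesUpperLimit": 28,
    "EnumerationUDPScan_PortsPerSystemLimit": 10,  # assumed
    "EnumerationUDPScan_SessionLimit": 20,         # assumed
    "EnumerationSessionInfo_Time": 300,
    "EnumerationUDPScan_Severity": 4,
    "EnumerationUDPScan_Exceptions":
        "192.168.10.10 : 1234 : 192.168.10.20 : 4567 | "
        "192.168.10.10 : 1235 : 192.168.10.21 : 4567",
}


@dataclass(frozen=True)
class Flow:
    """One flow record; field names follow the Flow module aliases."""
    t: int        # seconds since the start of the evaluation window
    srcIP: str
    srcPort: int
    dstIP: str
    dstPort: int
    protocol: int
    octet: int    # bytes in the flow, IP header included (NetFlow-style count)


def parse_exceptions(spec: str) -> set:
    """Parse the documented 'ip : port : ip : port | ...' exception list.

    Each entry exempts exactly one 4-tuple (the documented format has no
    wildcard), so a poller that uses ephemeral source ports would need one
    entry per source port under this reading.
    """
    allowed = set()
    for entry in spec.split("|"):
        if not entry.strip():
            continue
        fields = [f.strip() for f in entry.split(":")]
        if len(fields) != 4:
            raise ValueError(f"malformed exception entry: {entry.strip()!r}")
        a_ip, a_port, b_ip, b_port = fields
        allowed.add((a_ip, int(a_port), b_ip, int(b_port)))
    return allowed


def detect_udp_portscans(flows, props=PROPS):
    """Apply the thresholds to one window of flows.

    Returns {srcIP: (distinct (dstIP, dstPort) targets, session count)} for
    every source that exceeds PortsPerSystemLimit or SessionLimit after the
    byte-size band and the exception list have been applied.
    """
    lo = props["EnumerationUDPScan_BytesLowerLimit"]
    hi = props["EnumerationUDPScan_BytesUpperLimit"]
    window = props["EnumerationSessionInfo_Time"]
    port_limit = props["EnumerationUDPScan_PortsPerSystemLimit"]
    session_limit = props["EnumerationUDPScan_SessionLimit"]
    allowed = parse_exceptions(props["EnumerationUDPScan_Exceptions"])

    targets = defaultdict(set)   # srcIP -> {(dstIP, dstPort)}
    sessions = defaultdict(int)  # srcIP -> number of probe-sized UDP flows
    for f in flows:
        if f.protocol != UDP or not 0 <= f.t < window:
            continue
        if not lo <= f.octet <= hi:
            continue  # outside the probe size band: not counted as a scan flow
        if (f.srcIP, f.srcPort, f.dstIP, f.dstPort) in allowed:
            continue  # explicitly permitted communication
        targets[f.srcIP].add((f.dstIP, f.dstPort))
        sessions[f.srcIP] += 1

    return {
        src: (len(targets[src]), sessions[src])
        for src in sessions
        if len(targets[src]) > port_limit or sessions[src] > session_limit
    }


def format_alerts(findings, props=PROPS):
    """Render one alert string per offending source (string layout assumed)."""
    sev = props["EnumerationUDPScan_Severity"]
    return [
        f"UDP Portscan|severity={sev}|src={src}|ports={n_ports}|sessions={n_sess}"
        for src, (n_ports, n_sess) in sorted(findings.items())
    ]


# Constructed sample window: one scanner probing 12 ports with empty datagrams,
# one exempted pair, one NTP client, one DNS query, and one scan flow that
# falls outside the 300 s window.
SAMPLE_FLOWS = (
    [Flow(t, "192.168.10.99", 40000 + p, "192.168.10.20", p, UDP, 28)
     for t, p in enumerate(range(137, 149))]
    + [Flow(5, "192.168.10.10", 1234, "192.168.10.20", 4567, UDP, 28)]  # exempted
    + [Flow(6, "192.168.10.30", 123, "192.168.10.1", 123, UDP, 76)]     # NTP
    + [Flow(7, "192.168.10.31", 51000, "192.168.10.1", 53, UDP, 60)]    # DNS
    + [Flow(400, "192.168.10.99", 40100, "192.168.10.20", 500, UDP, 28)]
)

if __name__ == "__main__":
    for line in format_alerts(detect_udp_portscans(SAMPLE_FLOWS)):
        print(line)
```

Run as a script it prints one line for 192.168.10.99 (12 targets, 12 probe-sized sessions) and nothing for the exempted, NTP, DNS or out-of-window flows. The deployed module writes its event to the Portaledge_EnumerationAlert tag; the string layout here is only the example's.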
Output Tag
Create the Output Tag for reporting this Event Module.
Create a Portaledge_EnumerationAlert Point if it does not already exist. The Portaledge_EnumerationAlert Point will have the following settings:
- Name: Portaledge_EnumerationAlert
- Descriptor: Portaledge Enumeration Alert
- Point Type: String
- The Data Owner, Data Group, Point Owner, and Point Group settings in the Security Settings tab should be set to the correct user and group; the account under which the ACE scheduler runs must be able to write to this point.
The remainder of the settings can be left at their defaults.
A script that creates this point is available in the Alias Template for the Excel SMT tool.
Output Alias
Create an alias under the Portaledge Alerts module named EnumerationAlert that references the Portaledge_EnumerationAlert output tag. It may already exist, since it is also created during the installation of other events of this event class.
ACE Modules
Install the event module VB code and register the module. Configure the module in ACE Manager to run on an interval equal to the EnumerationSessionInfo_Time property (300 seconds by default). Choose an offset between 1 and 59 seconds so that this event does not fire at the same time as other events.
The UDP Portscan Enumeration Event uses the UDP Portscan Enumeration ACE module, which is composed of two files:
- EnumerationUDPPortScanBeta1.vb
- EnumerationEventHelpers.vb
Follow the PI ACE User Guide to install and register the module. It is recommended that this module be set to run every 5 minutes on a different offset than the Enumeration Event Class Event.

