Path: Policy - Advanced Correlation


Summary

Suppose you want to block port scanners by dropping their connection attempts. As a form of reconnaissance protection, the firewall can track which IP/port combinations each client contacts and block a client that contacts too many ports within a given period. The attributes we track are the client (source) IP address and the server (destination) port.

To implement this, we use an Advanced Correlation scenario that contains an event tracking table, a dynamic network object and three rules.


Creating an Advanced Correlation Scenario

  1. Navigate to Policy > Advanced Correlation.
  2. Click ADD to create a new scenario.
  3. Enter a Name and an optional Note for this scenario.
  4. Click SAVE.


Fig. 1: Basic settings of the correlation scenario.


After saving, the overview page of the new scenario opens automatically.


Creating an Event Tracking Table

In this scenario, we use an event tracking table (a buffer) to track up to 1000 client IP addresses with up to 101 server ports each. The table therefore holds at most 1000 x 101 = 101000 entries in total. The limit of 101 ports per IP is deliberate: rule 2 (below) has to be able to see that a host has contacted more than 100 ports, so the table must be able to store the 101st port.

  1. Open the Event Tracking Tables tab of the scenario.
  2. Click ADD.
  3. Configure the following settings:
    • Assign a Name, e.g. Ports per host.
    • Set the Retention Time for Event Tracking to 60, so that every IP/port entry is kept for 60 seconds after it was last seen; older entries are discarded.
    • Set the Primary Attribute Type to IP Address.
    • Set the Maximum Number of Primary Attributes to 1000.
    • Set the Secondary Attribute Type to Layer 4 port.
    • Set the Maximum Number of Secondary Attributes per Primary One to 101.
  4. Click SAVE.

Fig. 2: Configuration of the event tracking table.



Adding a Dynamic Network Object

We also need a data structure in which to store the IPs we want to block. As we do not want to block these IPs forever, each IP needs its own timeout. Dynamic network objects (DNOs) provide exactly that.

A DNO can be understood as a dynamic IP list. Rules can add an IP to the list, remove it, or simply check whether an IP is on the list. In addition, IPs are removed from the list automatically when their timeout expires.


For this example, we create a DNO that stores the IP addresses of all hosts that have more than 100 port entries in the event tracking table, i.e. that contact more than 100 different ports within a minute.


  1. In the correlation scenario, open the Dynamic Network Objects tab.
  2. Click ADD.
  3. Assign a Name, e.g. Hosts to block (the rules below refer to the object as D: Hosts to block).
  4. Configure the following settings:

    • Under Network, select External.
    • Set the Size to 100.
    • Set the Timeout to 300, i.e. a blocked IP is removed from the object after 5 minutes.

  5. Click SAVE.


Fig. 3: Configuration of the dynamic network object.



Adding the Rules

To actually enter IP/port combinations into the event tracking table and IPs into the DNO, we need to create rules.


To evaluate the traffic, the following three rules are needed in this correlation scenario:

  • Rule 1 enters the source IP/destination port combinations of all clients in TCP connections into the event tracking table.
  • Rule 2 counts the port entries stored in the event tracking table for each client IP. If a client IP has more than 100 port entries, i.e. has contacted more than 100 different ports within the retention time, it is added to the dynamic network object.
  • Rule 3 silently drops the traffic from IPs stored in the dynamic network object.

To set up a rule in the correlation scenario, proceed as follows:

  1. In the correlation scenario, open the Rules tab.
  2. Click ADD to create a new rule for the scenario.
  3. Assign a Name.
  4. Optional: Add a Note.
  5. Configure the following settings:

    • In the Source & Destination section, set Source Networks and Destination Networks to Any.
    • In the Conditions section:

      • Enable Layer 4 Protocol by clicking the slider switch.
      • Enter Transmission Control (6 TCP) into the input field.


Fig. 4: Filter traffic by layer 4 protocol.
    • In the Actions section:

      • Enable Add to Event Tracking Table by clicking the slider switch. This action is only available for rules that belong to correlation scenarios.
      • Under Event Tracking Table, select the event tracking table created in this scenario.
      • Under Primary Attribute of Event, select Client Address.
      • Under Secondary Attribute of Event, select Server Layer 4 port.

Fig. 5: Track traffic attributes in the ETT.

 

  6. Click SAVE to store the first rule.



Create the remaining two rules in a similar fashion.

The following table shows the required settings for all three rules. Rules 1 and 2 have no final action, so processing continues with the next rule; only rule 3 stops processing, which is why the connection attempt that crosses the threshold is itself already dropped.

  Rule 1
    Source: Any
    Destination: Any
    Condition: Layer 4 Protocol
      Protocols: Transmission Control (6 TCP)
    Actions: Add to Event Tracking Table
      Event Tracking Table: Ports per host
      Primary Attribute: Client Address
      Secondary Attribute: Server Layer 4 port

  Rule 2
    Source: Any
    Destination: Any
    Condition: Advanced Correlation Condition: Number of Similar Events in Event Tracking Table
      Event Tracking Table: Ports per host
      Count entries equal to: Client Address
      Minimum number of entries: 101 (i.e. more than 100 ports)
    Actions: Dynamic Network Object Operation: Add
      Host Identifier: IP Address
      Who: Client
      Target Dynamic Network Object: D: Hosts to block

  Rule 3
    Source: D: Hosts to block
    Destination: Any
    Condition: (none)
    Actions: Log: Notice
      Final Action: Drop Traffic and Stop Processing


Click APPLY CHANGES to activate your configuration changes.


Tip:

You may wonder about the difference between "Drop" and "Reject". Drop silently discards the packets: the sender receives no response and cannot tell whether the packets were lost, filtered or accepted. Reject also discards the packets, but notifies the sender that it did so, for TCP by sending a TCP reset (where possible). For a port scanner, Drop is the better choice because it gives the scanner no information and makes the scan slower.

Result

Traffic from any host that contacts more than 100 different TCP ports within one minute is dropped for 5 minutes, which stops the port scan performed by that host. When the timeout expires, the host is automatically removed from the dynamic network object and may establish new connections again. Two limits of this approach are worth keeping in mind: a scan that stays at or below 100 ports per minute is not detected, and because the rules key on the client address, all hosts behind a shared source address (for example a NAT gateway) are blocked together.


Fig. 6: Rule set of the correlation scenario.
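To make the interplay of retention time, table capacity, threshold and DNO timeout concrete, the following Python model replays the three rules over constructed traffic. It is an added example, not the firewall's own correlation engine; the behaviour when a table is full (the newest event is lost) and the restart of the DNO timeout on re-adding an IP are assumptions of this model. The host addresses and the traffic pattern are constructed for the example.

```python
"""Model of the port-scan correlation scenario: event tracking table (ETT),
dynamic network object (DNO) and rules 1-3.  Added example, not the
firewall's engine.  Constants follow the values configured on this page."""
from collections import Counter, defaultdict

TCP = 6
RETENTION = 60          # ETT retention time in seconds
MAX_PRIMARY = 1000      # client IPs tracked
MAX_SECONDARY = 101     # ports tracked per client IP
MIN_ENTRIES = 101       # rule 2 threshold: more than 100 ports
DNO_SIZE = 100          # IPs the DNO can hold
DNO_TIMEOUT = 300       # seconds a blocked IP stays in the DNO


class EventTrackingTable:
    """Primary attribute: client IP; secondary attribute: server L4 port.
    An (ip, port) entry expires RETENTION seconds after it was last seen."""

    def __init__(self, retention, max_primary, max_secondary):
        self.retention, self.max_primary, self.max_secondary = retention, max_primary, max_secondary
        self.entries = {}   # ip -> {port: last_seen}

    def expire(self, now):
        for ip in list(self.entries):
            ports = self.entries[ip]
            for port in [p for p, t in ports.items() if now - t >= self.retention]:
                del ports[port]
            if not ports:
                del self.entries[ip]

    def add(self, now, ip, port):
        """Returns False when a capacity limit prevents tracking the event
        (model assumption: the newest event is the one that is lost)."""
        self.expire(now)
        ports = self.entries.get(ip)
        if ports is None:
            if len(self.entries) >= self.max_primary:
                return False
            ports = self.entries[ip] = {}
        if port not in ports and len(ports) >= self.max_secondary:
            return False
        ports[port] = now   # a repeated port only refreshes its timestamp
        return True

    def count(self, now, ip):
        """Rule 2's 'number of similar events': distinct ports seen for ip."""
        self.expire(now)
        return len(self.entries.get(ip, {}))


class DynamicNetworkObject:
    """Dynamic IP list with a fixed size and a per-IP timeout."""

    def __init__(self, size, timeout):
        self.size, self.timeout = size, timeout
        self.members = {}   # ip -> time at which the entry is removed

    def expire(self, now):
        for ip in [ip for ip, until in self.members.items() if until <= now]:
            del self.members[ip]

    def add(self, now, ip):
        self.expire(now)
        if ip not in self.members and len(self.members) >= self.size:
            return False
        self.members[ip] = now + self.timeout   # re-adding restarts the timeout (assumption)
        return True

    def contains(self, now, ip):
        self.expire(now)
        return ip in self.members


def evaluate(now, ip, port, proto, ett, dno):
    """Applies rules 1-3 in order to one connection attempt; returns 'drop' or 'accept'."""
    if proto == TCP:                                   # rule 1: track client IP / server port
        ett.add(now, ip, port)
        if ett.count(now, ip) >= MIN_ENTRIES:          # rule 2: too many ports -> add to DNO
            dno.add(now, ip)
    if dno.contains(now, ip):                          # rule 3: drop DNO members, stop processing
        return "drop"
    return "accept"


def simulate(events, max_secondary=MAX_SECONDARY):
    """events: (time, client_ip, server_port, proto) tuples.
    Returns per-IP verdict counts and the verdict of the last event."""
    ett = EventTrackingTable(RETENTION, MAX_PRIMARY, max_secondary)
    dno = DynamicNetworkObject(DNO_SIZE, DNO_TIMEOUT)
    counts, last = defaultdict(Counter), None
    for now, ip, port, proto in sorted(events):
        last = evaluate(now, ip, port, proto, ett, dno)
        counts[ip][last] += 1
    return counts, last


def scan_scenario(max_secondary=MAX_SECONDARY):
    """Constructed traffic: 10.0.0.5 scans TCP ports 1-150 at 10 ports/s, 10.0.0.7
    opens 120 connections to port 443 only, 10.0.0.9 is an ordinary client, and
    10.0.0.5 comes back at t=320 s, after its 300 s DNO timeout has expired."""
    events = [(i * 0.1, "10.0.0.5", i + 1, TCP) for i in range(150)]
    events += [(j * 0.1 + 0.05, "10.0.0.7", 443, TCP) for j in range(120)]
    events += [(5.0, "10.0.0.9", 80, TCP), (5.1, "10.0.0.9", 443, TCP)]
    events += [(320.0, "10.0.0.5", 22, TCP)]
    return simulate(events, max_secondary)


if __name__ == "__main__":
    counts, last = scan_scenario()
    for ip, c in sorted(counts.items()):
        print(ip, dict(c))
    print("scanner after DNO timeout:", last)
```

Running the model shows the points the configuration relies on: the scanner's first 100 ports are accepted, the 101st connection attempt crosses the threshold and is dropped together with the remaining 49, the host that hammers a single port is never blocked because repeated ports do not add entries, and the scanner is accepted again once its 300 s timeout has passed. Calling scan_scenario(max_secondary=100) shows why the table is sized at 101: with only 100 ports per IP the count can never reach 101 and nothing is ever blocked.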