Hi All,

I want you guys to review the below rule:

Rule Name: Possible Outbreak Excessive connections

rule possible_outbreak_excessive_connections
{
meta:
subject = "possible outbreak excessive connections"
description = "Identifies a local host performing port sweep or scan against external network. Possibly this could be local host infection and it is acting as bot to scan external network as per instructions from command-and-control server."
tactic = "Command and Control"
technique = "Application Layer Protocol"
tool = ""
datasource = "Network Traffic"
category = ""
product = ""
logsource = "EDR, Netflow, NGFW, Windows Events, Firewall"
actor = ""
malware = ""
vulnerability = ""
custom = "SIEM use cases"
confidence = "Medium"
severity = "Medium"
falsePositives = "None"
externalSubject = "0"
externalMITRE = "0"

events:
$e.metadata.event_type = "NETWORK_CONNECTION" //All netwrok traffic events from all type of devices will be normalized to the event type: NETWORK_CONNECTION
$e.metadata.product_name != "AWS VPC Flow" //Its temporary exclusion as it is causing a lot of falsePositives
//Capturing variables for event correlation
$e.principal.ip = $principal_ip
$e.target.ip = $target_ip
$e.target.port = $target_port
//Exclusions
$e.target.port !=443 and $e.target.port !=80 //Excluding standard web access ports as it triggers signal on regular web browsing

match:
$principal_ip over 1h
condition:
(#target_port >= 10 and #target_ip=1) or (#target_ip>=10 and #target_port=1)
}

Note: We are getting events for this rule correctly but for the loopback IP address. Pasting the screenshot of the events generated.

Thanks,
Neha.H