################################################################
# Sample SEC ruleset for "PORTSCAN FROM ip1 TO ip2:port" events
################################################################

# process "PORTSCAN FROM ip1 TO ip2:port" events, and if a certain
# source host has scanned the same destination port on more than 
# 10 distinct destination hosts during 60 seconds, raise an alarm

type=Single
ptype=RegExp
pattern=PORTSCAN FROM (\S+) TO \S+:(\d+)
context=!HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$2
continue=TakeNext
desc=Horizontal port sweep started from source $1 to target port $2
action=eval %o ( $portscans{"$1:$2"} = {} ); \
       create HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$2 60 \
       eval %o ( delete $portscans{"$1:$2"} )

type=Single
ptype=RegExp
pattern=PORTSCAN FROM (\S+) TO (\S+):(\d+)
context=HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3
continue=TakeNext
desc=Scanned destination IP: $2
action=eval %o ( $portscans{"$1:$3"}->{$2} = 1 ); \
       add HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3 %t: %s;\
       set HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3 60 \
       eval %o ( delete $portscans{"$1:$3"} )

type=Single
ptype=RegExp
pattern=PORTSCAN FROM (\S+) TO (\S+):(\d+)
context=HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3 \
        && =( scalar(keys(%{$portscans{"$1:$3"}})) > 10 )
continue=DontCont
desc=$1 has scanned more than 10 destinations
action=report HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3 \
       mail -s 'Horizontal port sweep from $1 target port $3' root@localhost; \
       delete HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3; \
       eval %o ( delete $portscans{"$1:$3"} )