cscli scenarios install crowdsecurity/iptables-scan-multi_ports
Detects a port scan: a single IP attempting connections to many different ports.
Leakspeed of 5s, capacity of 15.
type: leaky
name: crowdsecurity/iptables-scan-multi_ports
description: "Detect aggressive portscans"
filter: "evt.Meta.log_type == 'iptables_drop' && evt.Meta.service == 'tcp'"
groupby: evt.Meta.source_ip
distinct: evt.Parsed.dst_port
capacity: 15
leakspeed: 5s
blackhole: 1m
labels:
  remediation: true
  classification:
    - attack.T1595.001
    - attack.T1018
    - attack.T1046
  behavior: "tcp:scan"
  label: "TCP Port Scan"
  spoofable: 3
  confidence: 1
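A simplified leaky-bucket model of this scenario's logic, added here as an example (it is not CrowdSec's engine or the hub's own code): it assumes already-parsed events carrying `log_type`, `service`, `source_ip` and `dst_port` fields, applies the filter, groupby, distinct, capacity, leakspeed and blackhole settings above to constructed sample traffic, and shows that 16 distinct ports from one source inside the 5 s leak window raise exactly one alert (the 1 m blackhole suppresses the rest), while a client repeating a single port or probing one port every 6 s never overflows.

```python
from dataclasses import dataclass, field

CAPACITY = 15       # capacity: 15  -> overflows when the 16th distinct port is poured
LEAKSPEED = 5.0     # leakspeed: 5s -> one unit leaks every 5 seconds
BLACKHOLE = 60.0    # blackhole: 1m -> an alerted source is ignored for 60 seconds

@dataclass
class Bucket:
    level: int = 0
    last_leak: float = 0.0
    ports: set = field(default_factory=set)   # distinct: evt.Parsed.dst_port

def matches_filter(evt):
    # filter: evt.Meta.log_type == 'iptables_drop' && evt.Meta.service == 'tcp'
    return evt["log_type"] == "iptables_drop" and evt["service"] == "tcp"

def run_scenario(events):
    """Feed (timestamp, event) pairs; return the (ts, source_ip) alerts raised."""
    buckets, blackholed, alerts = {}, {}, []
    for ts, evt in sorted(events, key=lambda e: e[0]):
        if not matches_filter(evt):
            continue
        ip = evt["source_ip"]                      # groupby: evt.Meta.source_ip
        if blackholed.get(ip, -1.0) > ts:          # still inside the 1m blackhole
            continue
        b = buckets.setdefault(ip, Bucket(last_leak=ts))
        leaked = int((ts - b.last_leak) // LEAKSPEED)
        if leaked:                                 # leak one unit per LEAKSPEED elapsed
            b.level, b.last_leak = max(0, b.level - leaked), b.last_leak + leaked * LEAKSPEED
            if b.level == 0:                       # fully drained: forget seen ports too
                b.ports.clear()
        if evt["dst_port"] in b.ports:             # repeated port: discarded, not poured
            continue
        b.ports.add(evt["dst_port"])
        b.level += 1
        if b.level > CAPACITY:                     # overflow: alert, reset bucket, blackhole
            alerts.append((ts, ip))
            del buckets[ip]
            blackholed[ip] = ts + BLACKHOLE
    return alerts

def make_event(ip, port, service="tcp"):         # one parsed iptables drop line (constructed)
    return {"log_type": "iptables_drop", "service": service, "source_ip": ip, "dst_port": port}

EVENTS = (   # constructed sample traffic, RFC 5737 documentation addresses
    [(i / 10, make_event("203.0.113.7", 1000 + i)) for i in range(30)]           # fast scan: alert on 16th port
    + [(i / 10, make_event("198.51.100.5", 443)) for i in range(20)]             # same port repeated: dedup'd
    + [(i * 6.0, make_event("192.0.2.9", 2000 + i)) for i in range(20)]          # one port per 6 s: leaks out
    + [(i / 10, make_event("203.0.113.8", 3000 + i, "udp")) for i in range(30)]  # udp drops: filtered out
)
```

Running `run_scenario(EVENTS)` returns a single alert for 203.0.113.7 at t = 1.5 s, the moment its 16th distinct port is seen; raising the scan rate or lowering `capacity` in the model is a quick way to reason about how the hub's parameters trade sensitivity against false positives on busy hosts.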