ET SCAN Amap TCP Service Scan Detected

This alert fires on TCP traffic from $EXTERNAL_NET to $HOME_NET whose payload contains the content pattern in the signature below, which is characteristic of the probes sent by Amap. Amap (THC-Amap) is an application-mapping tool that identifies the application protocol listening on a port regardless of the port number: it sends a set of trigger payloads to the port and matches the responses against known protocol fingerprints. A match usually indicates reconnaissance, an adversary enumerating which applications sit behind open ports before choosing an attack. Note the rule's scope: it inspects only client-to-server segments with exactly the PSH and ACK flags set, only the first 105 bytes of the payload, and only traffic entering from $EXTERNAL_NET, so an Amap run from an internal host will not trigger it.

Categories:

ID Number

4000477

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Amap TCP Service Scan Detected"; flow:to_server; flags:PA; content:"service|3A|thc|3A 2F 2F|"; depth:105; content:"service|3A|thc"; within:40; reference:url,freeworld.thc.org/thc-amap/; reference:url,doc.emergingthreats.net/2010371; classtype:attempted-recon; sid:4000477; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
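To make the depth and within semantics of the signature concrete, here is an added Python re-implementation of the rule's match logic run over constructed payloads; it is example code written for this page, not Amap's source or code from the ET ruleset. It assumes standard Snort/Suricata content semantics (depth: the pattern must lie entirely within the first N payload bytes; within: the next pattern must end within N bytes after the end of the previous match) and uses a hypothetical dict packet form in place of real packet parsing.

```python
# Added example: emulate the payload and header conditions of sid 4000477
# so the depth:105 / within:40 behaviour can be checked against samples.
# Assumptions: Snort/Suricata content-option semantics as documented
# (depth and within as described in the lead-in); packets are a
# hypothetical dict {"to_server": bool, "flags": str, "payload": bytes}.

FIRST = b"service:thc://"   # content:"service|3A|thc|3A 2F 2F|"; depth:105
SECOND = b"service:thc"     # content:"service|3A|thc"; within:40
DEPTH = 105
WITHIN = 40


def find_within(payload: bytes, pattern: bytes, start: int, length: int):
    """Return the end offset of `pattern` if it lies entirely inside
    payload[start:start+length]; otherwise return None."""
    window = payload[start:start + length]
    idx = window.find(pattern)
    if idx < 0:
        return None
    return start + idx + len(pattern)


def payload_matches(payload: bytes) -> bool:
    """The two chained content checks: FIRST within the first 105 bytes,
    then SECOND ending no more than 40 bytes after FIRST's match end."""
    end1 = find_within(payload, FIRST, 0, DEPTH)        # depth:105
    if end1 is None:
        return False
    return find_within(payload, SECOND, end1, WITHIN) is not None  # within:40


def rule_matches(pkt: dict) -> bool:
    """Header conditions plus the payload check.

    flow:to_server restricts the direction; flags:PA with no trailing '+'
    requires exactly PSH and ACK (a segment with extra bits set would not
    match the rule as written)."""
    if not pkt.get("to_server"):
        return False
    if set(pkt.get("flags", "")) != {"P", "A"}:
        return False
    return payload_matches(pkt["payload"])


# Constructed sample payloads (not captured traffic) exercising each condition.
SAMPLES = {
    # FIRST at offset 0 (ends at 14); SECOND ends at byte 37, inside 14+40.
    "hit": b"service:thc://localhost/\r\nservice:thc://x\r\n",
    # SECOND ends exactly 40 bytes after FIRST's match end: still a hit.
    "hit_boundary": FIRST + b"A" * 29 + SECOND,
    # One byte further and within:40 fails.
    "miss_within": FIRST + b"A" * 30 + SECOND,
    # FIRST would end at byte 114, beyond depth:105: not inspected.
    "miss_depth": b"X" * 100 + FIRST + SECOND,
}


def evaluate_samples() -> dict:
    """Return the verdict for each constructed payload sent as a PSH/ACK
    client-to-server segment."""
    return {
        name: rule_matches({"to_server": True, "flags": "PA", "payload": p})
        for name, p in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:14s} -> {'ALERT' if verdict else 'no match'}")
```

Running the module prints a verdict per sample: the boundary pair shows that within:40 is measured from the end of the previous match, and the depth case shows that the first pattern is only looked for in the first 105 payload bytes. The flags and direction checks in rule_matches are why an internal scanner, or a segment carrying other TCP flag bits, produces no alert from this rule.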

MITRE ATT&CK Technique

-

Severity

Low

Recommendations/Investigative actions

First verify whether the activity was an authorized scan performed by a team within your organization (for example vulnerability management or a scheduled penetration test) by checking the source address against your inventory of approved scanners. If it was not authorized, treat the event as reconnaissance: identify which hosts and ports the source probed, block the source address at the perimeter, and review the probed services for unnecessary exposure. If authorized Amap scans are expected, restrict them to approved scanner addresses only, blocking scans from any other external source, and suppress or threshold this alert for those specific source addresses rather than disabling the rule.