ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection

This alert is triggered when communication on port 445 is detected between devices in the network. Port 445 is used for SMB, which lets systems on the same network share files. Because the SMB protocol has a history of vulnerabilities, communication on port 445 can indicate potential scanning or an attempted attack by an adversary. However, port 445 (SMB) is also commonly used for legitimate communication in OT systems.

Categories:

ID Number

4000742

Signature

alert tcp $HOME_NET any -> any 445 (msg:"ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; metadata: former_category SCAN; reference:url,doc.emergingthreats.net/2001569; classtype:misc-activity; sid:4000742; rev:14; metadata:created_at 2010_07_30, updated_at 2017_05_11;)
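An added example, not part of this page or of the ET ruleset, that models how the signature's options are evaluated over a constructed stream of TCP events: `flags:S,12` matches packets with only SYN set (reserved bits ignored), and `threshold: type both, track by_src, count 70, seconds 60` raises a single alert per source once 70 such packets are seen within a 60-second window. The timestamps, addresses and the simplified window handling are assumptions made for illustration.

```python
from collections import defaultdict

# Rule parameters taken from the signature above.
RULE = {"dport": 445, "count": 70, "seconds": 60}

# Constructed sample events: (timestamp_s, src_ip, dst_ip, dst_port, tcp_flags).
# 10.0.0.5 sweeps 120 hosts on 445 in 30 s, then 80 more hosts a minute later;
# 10.0.0.7 is an ordinary file-share client.
EVENTS = (
    [(t * 0.25, "10.0.0.5", f"10.0.1.{1 + t}", 445, "S") for t in range(120)]
    + [(100 + t * 0.25, "10.0.0.5", f"10.0.2.{1 + t}", 445, "S") for t in range(80)]
    + [(t * 5.0, "10.0.0.7", "10.0.0.20", 445, "S") for t in range(10)]
    + [(1.0, "10.0.0.20", "10.0.0.7", 445, "SA")]  # SYN-ACK reply, not a new SYN
    + [(t * 0.1, "10.0.0.9", "10.0.1.50", 80, "S") for t in range(100)]  # not 445
)

def matches(event):
    """Packet-level match for 'tcp ... -> any 445' with 'flags:S,12':
    only SYN set, ignoring the reserved bits (CWR/ECE)."""
    _, _, _, dport, flags = event
    return dport == RULE["dport"] and set(flags) - {"C", "E"} == {"S"}

def apply_threshold(events, rule=RULE):
    """Simplified model of 'threshold: type both, track by_src, count N, seconds S':
    per source, once N matching packets arrive within S seconds of the first one,
    raise one alert and stay silent until the window expires, then start over."""
    state = defaultdict(lambda: {"start": None, "n": 0, "fired": False})
    alerts = []
    for ev in sorted(events, key=lambda e: e[0]):
        if not matches(ev):
            continue
        ts, src = ev[0], ev[1]
        s = state[src]
        if s["start"] is None or ts - s["start"] >= rule["seconds"]:
            s.update(start=ts, n=0, fired=False)  # open a new tracking window
        s["n"] += 1
        if s["n"] >= rule["count"] and not s["fired"]:
            s["fired"] = True
            alerts.append((ts, src, s["n"]))
    return alerts

if __name__ == "__main__":
    for ts, src, n in apply_threshold(EVENTS):
        print(f"t={ts:6.2f}s  alert for {src}: {n} SYNs to 445 within 60 s")
```

Only the sweeping host produces alerts, once per 60-second window; the client that opens a handful of SMB sessions and the SYN-ACK replies never reach the threshold.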

MITRE ATT&CK Technique

-

Severity

Low

Recommendations/Investigative actions

Check whether the source of this communication is a device exposed to the internet; if it is, block all communication on port 445 to and from that device. Because port 445 is commonly used for legitimate communication within the network, apply the block only to devices that are connected to the internet. Use iSID to establish a baseline of the devices that communicate on port 445 and create a detection rule for deviations from that baseline.