Commit a custom record to monitor suspicious port activity
The ExtraHop platform can help you gain visibility and real-time access to early attack indicators on your network. One proactive security measure you can take is to monitor ports that you consider vulnerable to trojans and other malware.
For example, because 12345 is an easy-to-remember sequence, this number is often selected when configuring a default port number for a server or a program, making that port value a popular target with attackers.
In this walkthrough, you will write a trigger that commits each transaction over a suspicious port value to a record, and then you will create a query to view the collected records.
Prerequisites
- You must have access to an ExtraHop system with a user account that has unlimited privileges.
- Your ExtraHop system must be connected to a recordstore.
- Your network must be configured to allow traffic through port 12345.
- Familiarize yourself with the concepts in this walkthrough by reading the Records and Triggers documentation.
- Familiarize yourself with the process of creating triggers by completing the Trigger Walkthrough.
Write the trigger
In the following steps, you will write a trigger that looks for server traffic over port 12345 and then commits a custom record of each transaction to a recordstore.
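The following trigger body is an added example written for this walkthrough; it is not the code from the original page or from ExtraHop. It assumes the trigger is assigned to the FLOW_CLASSIFY event, that `Flow` (with `Flow.client`, `Flow.server` and `Flow.l7proto`) and `commitRecord()` are the Trigger API globals available on the sensor, and that the record type name PossibleTrojan and the field names are the author's own choices. The record-building step is a pure function so it can be exercised with constructed flow objects outside the sensor; the sample flows at the bottom are constructed, not captured traffic.

```javascript
// Added example (not ExtraHop's own walkthrough code): the body of a trigger
// that runs on the FLOW_CLASSIFY event and commits a custom record for every
// flow whose server port is 12345. `Flow` and `commitRecord()` are Trigger API
// globals that exist only on the sensor; everything else here is assumed.

const SUSPICIOUS_PORT = 12345;
const RECORD_TYPE = 'PossibleTrojan';   // assumed custom record type name

// Build the record for one flow, or return null if the flow is not on the
// watched server port. Kept pure so it can be tested with constructed input.
function buildSuspiciousPortRecord(flow, port = SUSPICIOUS_PORT) {
  if (!flow || !flow.server || !flow.client || flow.server.port !== port) {
    return null;
  }
  return {
    clientAddr: String(flow.client.ipaddr),   // IPAddress -> dotted string
    clientPort: flow.client.port,
    serverAddr: String(flow.server.ipaddr),
    serverPort: flow.server.port,
    // Classified L7 protocol name; an unclassified TCP flow appears in the
    // query results as tcp:12345
    protocol: flow.l7proto,
  };
}

// Constructed sample flows (not captured traffic) that mirror the Flow fields
// the function reads: an IMAP flow, an unclassified flow, and an HTTPS flow
// on a different port that must be ignored.
const SAMPLE_FLOWS = [
  { client: { ipaddr: '10.1.2.3', port: 51022 },
    server: { ipaddr: '192.0.2.10', port: 12345 }, l7proto: 'IMAP' },
  { client: { ipaddr: '10.1.2.4', port: 51023 },
    server: { ipaddr: '192.0.2.10', port: 12345 }, l7proto: 'tcp:12345' },
  { client: { ipaddr: '10.1.2.5', port: 51024 },
    server: { ipaddr: '192.0.2.11', port: 443 }, l7proto: 'HTTPS' },
];

// The records that would be committed for a list of flows (non-matches dropped).
function recordsFor(flows, port = SUSPICIOUS_PORT) {
  return flows
    .map(f => buildSuspiciousPortRecord(f, port))
    .filter(r => r !== null);
}

// On the sensor this is the only part that does work: commit one record when
// the current Flow matches. The typeof guards let the same file load in Node.
if (typeof Flow !== 'undefined' && typeof commitRecord === 'function') {
  const record = buildSuspiciousPortRecord(Flow);
  if (record !== null) {
    commitRecord(RECORD_TYPE, record);
  }
}
```

Checking `Flow.server.port` rather than `Flow.client.port` is deliberate: the client side of a connection uses an ephemeral port, so only the server port identifies a listener on 12345. Committing on FLOW_CLASSIFY gives one record per flow, which keeps recordstore volume predictable on a busy network.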
Query and view the custom records
In the following steps, you will search for the custom records committed to the recordstore and create a saved record query based on the search criteria.
Check records for malware indicators
If your system is hit by a malware attack or you learn about new malware that is circulating, you can check your records to see if your system has been targeted.
For example, if you learn that a new trojan is often sent through port 12345, you can open the saved Possible Trojans query you created above and check for the following activity:
- Transactions occurring over unexpected protocols. For example, you might expect to see IMAP traffic over port 12345, but not SSH traffic.
- Transactions occurring over unclassified protocols, which are displayed in the query results as tcp:12345. Unclassified protocols are not recognized by the ExtraHop system and might be suspicious.
- Client IP addresses associated with transactions over unexpected or unclassified protocols, and whether those addresses originate from an untrusted locale.
- Time stamps of the transactions that you find questionable, particularly those that occurred outside business hours.
Narrowing down suspicious transactions helps you determine if you have a malware problem so that you can get started on a resolution.
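The triage below is an added example, not part of the original walkthrough or ExtraHop's product. It applies the four checks listed above to records of the shape a PossibleTrojan query would return, assuming records carry clientAddr, serverPort, protocol and an ISO-8601 timestamp (the field names are assumptions). The expected protocol set, the trusted client prefix and the business-hours window are placeholders to be replaced with your own values, and the sample records are constructed for illustration.

```javascript
// Added example (not ExtraHop code): rank PossibleTrojan records by the
// indicators in the text. Record field names are assumed; the policy values
// below are placeholders for your environment.

const EXPECTED_PROTOCOLS = new Set(['IMAP']);    // assumed: what 12345 should carry
const TRUSTED_CLIENT_PREFIXES = ['10.'];          // hypothetical trusted locale
const BUSINESS_HOURS = { start: 8, end: 18 };     // UTC hours, start inclusive

// Return the list of reasons a record is questionable (empty = looks normal).
// Client locale and time of day only matter once the protocol is unexpected
// or unclassified, which is how the checklist above orders them.
function triageRecord(rec, opts = {}) {
  const expected = opts.expectedProtocols ?? EXPECTED_PROTOCOLS;
  const trusted = opts.trustedPrefixes ?? TRUSTED_CLIENT_PREFIXES;
  const hours = opts.businessHours ?? BUSINESS_HOURS;
  const reasons = [];

  // Unclassified protocols are shown by the query as tcp:<server port>.
  if (rec.protocol === `tcp:${rec.serverPort}`) {
    reasons.push('unclassified protocol');
  } else if (!expected.has(rec.protocol)) {
    reasons.push(`unexpected protocol ${rec.protocol}`);
  }
  if (reasons.length === 0) {
    return reasons;
  }
  if (!trusted.some(prefix => rec.clientAddr.startsWith(prefix))) {
    reasons.push('client outside trusted range');
  }
  const hour = new Date(rec.timestamp).getUTCHours();   // UTC keeps results stable
  if (hour < hours.start || hour >= hours.end) {
    reasons.push('outside business hours');
  }
  return reasons;
}

// Keep only questionable records, most reasons first, so an analyst reads the
// worst candidates at the top.
function triageRecords(records, opts) {
  return records
    .map(rec => ({ ...rec, reasons: triageRecord(rec, opts) }))
    .filter(r => r.reasons.length > 0)
    .sort((a, b) => b.reasons.length - a.reasons.length);
}

// Constructed sample query results (not real data).
const SAMPLE_RECORDS = [
  { clientAddr: '10.1.2.3', serverAddr: '192.0.2.10', serverPort: 12345,
    protocol: 'IMAP', timestamp: '2024-03-04T10:15:00Z' },
  { clientAddr: '10.1.2.4', serverAddr: '192.0.2.10', serverPort: 12345,
    protocol: 'SSH', timestamp: '2024-03-04T11:00:00Z' },
  { clientAddr: '198.51.100.7', serverAddr: '192.0.2.10', serverPort: 12345,
    protocol: 'tcp:12345', timestamp: '2024-03-04T02:30:00Z' },
  { clientAddr: '198.51.100.8', serverAddr: '192.0.2.10', serverPort: 12345,
    protocol: 'SSH', timestamp: '2024-03-04T14:00:00Z' },
];
```

Run `triageRecords(SAMPLE_RECORDS)` and the IMAP transaction drops out while the unclassified, off-hours transaction from the untrusted address sorts to the top with three reasons. The same function applies to an exported query result once you substitute your own expected protocols and trusted ranges.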