Network Scanners

When you set up any network monitoring tool or packet sniffer it’s important to find a place on the network where you can see all the traffic. In the case of AC-Hunter, that includes all traffic going to or coming from the Internet.

Well, almost all traffic.

There’s one important exception to this: scanners. That includes any computer that makes thousands of quick connections out to other systems, for example when it is:

  • Checking to see if the remote system is responding at all,
  • Checking the remote services on those machines to see if they’re returning valid results,
  • Checking those remote services to see if they’re vulnerable to any known attacks, or
  • Simply scanning the Internet to build some kind of Internet map.

AC-Hunter is focused on regular connections to a small number of hosts, much like you’d find with a person browsing the web or a piece of malware calling home to a command and control server. The analysis we do to identify these hosts can get overloaded when one or more internal machines are making extraordinarily large numbers of connections to outside systems, which is exactly what internal scanning systems do.

If you have systems like these, here’s what we recommend:

  • Lock down those systems carefully. They should be fully patched. They should also have as few open ports as possible; a good firewall that restricts client access to just a few admin systems would be great.
  • Tell Zeek to ignore them entirely. This blog post walks you through the needed steps: https://www.activecountermeasures.com/filtering-out-high-volume-traffic. Once you’ve made this change, Zeek will stop recording the outbound connections from the scanner(s).

It may take about a day for these to get filtered out from your AC-Hunter rolling database(s), but after that you should notice that the import happens more quickly and AC-Hunter may become more responsive.
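Before you exclude anything, it helps to confirm which internal hosts actually look like scanners rather than guessing. The script below is an added example written for this post, not code from Active Countermeasures or from the linked walkthrough: it reads a Zeek conn.log, flags internal hosts that talk to an unusually large number of distinct external peers with very few connections per peer (the opposite of the repeated connections to a few hosts that AC-Hunter hunts for), and renders a Zeek `restrict_filters` redef (a real setting in Zeek's PacketFilter framework) that drops those hosts from capture. The RFC 1918 ranges used as "internal", the thresholds, and the sample log are all assumptions constructed for the example.

```python
"""Identify scanner-like internal hosts in a Zeek conn.log and emit a
Zeek restrict_filters snippet that excludes them from capture."""
from collections import defaultdict
import ipaddress

# Assumption: RFC 1918 space is "internal"; adjust to your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    """True if addr is a valid IP inside one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # Zeek writes '-' for unset fields
        return False
    return any(ip in net for net in INTERNAL_NETS)


def parse_conn_log(text):
    """Yield one dict per record of a Zeek TSV conn.log, keyed by the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):   # #separator, #types, #close, ...
            continue
        yield dict(zip(fields, line.split("\t")))


def find_scanners(records, min_distinct_peers=100, max_avg_conns_per_peer=3.0):
    """Return {internal_host: (distinct external peers, total outbound conns)}
    for hosts whose outbound profile looks like scanning: many distinct
    external peers, each touched only a few times. Thresholds are assumptions."""
    peers = defaultdict(set)
    total = defaultdict(int)
    for r in records:
        src, dst = r.get("id.orig_h", "-"), r.get("id.resp_h", "-")
        if not is_internal(src) or is_internal(dst):
            continue                          # only internal -> external traffic
        peers[src].add(dst)
        total[src] += 1
    found = {}
    for host, dsts in peers.items():
        n = len(dsts)
        if n >= min_distinct_peers and total[host] / n <= max_avg_conns_per_peer:
            found[host] = (n, total[host])
    return found


def zeek_restrict_filter(hosts):
    """Render a redef of Zeek's restrict_filters (PacketFilter framework) that
    stops Zeek from seeing traffic for the given hosts. Put it in local.zeek."""
    if not hosts:
        return ""
    expr = " and ".join(f"not host {h}" for h in sorted(hosts))
    return f'redef restrict_filters += {{ ["exclude-scanners"] = "{expr}" }};'


def build_sample_log():
    """Constructed conn.log excerpt: one normal workstation that repeatedly
    visits three web servers, and one scanner that touches 250 different hosts once each."""
    header = ("#separator \\x09\n"
              "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state")
    rows = []
    for i in range(300):   # workstation 10.0.0.20 -> 203.0.113.{1,2,3}:443
        rows.append(f"{1700000000 + i}\tCw{i}\t10.0.0.20\t{40000 + i}\t"
                    f"203.0.113.{1 + i % 3}\t443\ttcp\tSF")
    for i in range(250):   # scanner 10.0.0.50 -> 198.51.100.1 .. 198.51.100.250, mostly rejected
        rows.append(f"{1700000000 + i}\tCs{i}\t10.0.0.50\t{50000 + i}\t"
                    f"198.51.100.{i + 1}\t{80 if i % 2 else 443}\ttcp\tREJ")
    return header + "\n" + "\n".join(rows) + "\n#close\n"


if __name__ == "__main__":
    recs = list(parse_conn_log(build_sample_log()))
    scanners = find_scanners(recs)
    for host, (n, tot) in scanners.items():
        print(f"{host}: {n} distinct external peers, {tot} connections")
    print(zeek_restrict_filter(scanners))
```

Run it against a real conn.log by replacing `build_sample_log()` with the file contents; review the flagged hosts by hand before adding the rendered line to local.zeek, since a busy proxy or mail relay can also reach many distinct peers and you may not want it excluded.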


Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We appreciate your feedback so we can keep providing the type of content the community wants to see. Please feel free to Email Us with your ideas!
