Files
Anthropic-Cybersecurity-Skills/skills/detecting-network-scanning-with-ids-signatures/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

1.6 KiB

API Reference: Detecting Network Scanning with IDS Signatures

Scan Types and Detection

Scan Type Method Detection
SYN Scan Half-open SYN packets Many SYN without ACK
Connect Scan Full TCP handshake Many connections, short duration
Host Sweep Same port, many hosts Single port, >10 destinations
Service Enum Banner grabbing Short-lived connections

Suricata EVE JSON Format

{
  "event_type": "alert",
  "src_ip": "10.0.0.5",
  "dest_ip": "192.168.1.100",
  "alert": {
    "signature": "ET SCAN Nmap SYN Scan",
    "category": "Attempted Information Leak",
    "severity": 2,
    "signature_id": 2000001
  }
}

Suricata Scan Detection Rules

alert tcp any any -> $HOME_NET any (msg:"Port Scan Detected"; \
  flags:S; threshold:type both, track by_src, count 25, seconds 60; \
  sid:5000001;)

Zeek conn.log Fields

#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service
        duration orig_bytes resp_bytes conn_state

Detection Thresholds

Metric Threshold Severity
Unique ports per destination >20 HIGH
Unique ports >100 >100 CRITICAL
Hosts per single port sweep >10 MEDIUM
Hosts >50 >50 HIGH

Splunk SPL Detection

index=network
| stats dc(dest_port) as unique_ports by src_ip, dest_ip
| where unique_ports > 20
| sort -unique_ports

CLI Usage

python agent.py --eve-log eve.json
python agent.py --conn-log conn.log --port-threshold 25 --sweep-threshold 15