Edit Telnet port Activity rule


The Telnet Port Activity detection rule triggers whenever a port scan / activity is attempted, even if the port is closed.

How can I edit the below rule to trigger ONLY if port is open?

event.category:(network or network_traffic) and network.transport:tcp and destination.port:23

Any help is appreciated.


Thanks, @ethical20. Great observation.

Unfortunately, Packetbeat doesn't have a protocol analyzer for Telnet.

I think the rule you're looking at is to identify Telnet Port Activity vs. Telnet authentication, because there isn't an analyzer.

As a workaround, you could use the rule to just look at your own IP ranges, to identify lateral movement vs. as an entry point from interfaces that are Internet-connected. You could do this using the Exception Framework in the Detection Engine.

This exception means the alert would only trigger when the source IP addresses are RFC1918 addresses. The wording is a bit confusing; it's a double negative. The way I read it is that if you used the "is" Operator, the rule would always trigger except when the IP addresses are RFC1918, so try the "is not" Operator. If that doesn't give you the expected response (only alert on internal Telnet), you can try it with the "is" Operator.
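To make the "is" vs. "is not" exception semantics concrete, here is an added example (not from this thread, Elastic, or Packetbeat) that evaluates the posted query and a source.ip exception item over a few constructed events; the field names follow ECS and the events and IP addresses are made up.

```python
import ipaddress

# Constructed sample events using ECS-style field names (not real Packetbeat output).
SAMPLE_EVENTS = [
    {"event.category": "network", "network.transport": "tcp",
     "source.ip": "10.1.2.3", "destination.port": 23},       # internal host -> Telnet
    {"event.category": "network_traffic", "network.transport": "tcp",
     "source.ip": "203.0.113.7", "destination.port": 23},    # external host -> Telnet
    {"event.category": "network", "network.transport": "udp",
     "source.ip": "192.168.5.5", "destination.port": 23},    # not TCP, rule does not match
    {"event.category": "network", "network.transport": "tcp",
     "source.ip": "172.16.9.9", "destination.port": 22},     # SSH, rule does not match
]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def rule_matches(ev):
    """The query from the original post, evaluated in Python."""
    return (ev.get("event.category") in ("network", "network_traffic")
            and ev.get("network.transport") == "tcp"
            and ev.get("destination.port") == 23)


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def exception_matches(ev, operator):
    """Exception item 'source.ip <operator> RFC1918 ranges'.

    'is' matches private sources, 'is not' matches everything else.
    A matching exception suppresses the alert, hence the double negative.
    """
    private = is_rfc1918(ev["source.ip"])
    return private if operator == "is" else not private


def alerting_sources(events, operator):
    """Source IPs that would still raise an alert under the given exception operator."""
    return [ev["source.ip"] for ev in events
            if rule_matches(ev) and not exception_matches(ev, operator)]
```

With the "is not" operator only the 10.1.2.3 event alerts (internal Telnet only); with "is" only the external 203.0.113.7 event does.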

Thanks @variable

I've got your point.