
DataSense

DataSense is a security monitoring function in the NETALERT solution that detects and alerts on anomalous network activity based on predefined parameters: a set of protocol types, each with its allowed ports, and a set of attack detection rules, each with a time window and an event threshold. It helps identify potential attacks and unauthorized communications by flagging protocols that appear on unexpected ports and connection patterns that match reconnaissance or brute-force behaviour.

The DataSense option is accessible from the Administration tab by clicking the DataSense button in the left-side panel of the Web Interface.

Edit - Opens the parameters for editing so that the allowed ports per protocol type and the duration and threshold of each attack detection rule can be customized to suit the environment.

DataSense Parameters

1. Protocol Type Monitoring

DataSense monitors the protocol types below to detect protocol usage on non-standard ports. If traffic identified as one of these protocols occurs on a port that is not listed for the corresponding protocol type, an alert is triggered. Because the check compares the identified protocol with the port it is using, a legitimate service that runs on a non-default port (for example, TLS on 8443) will alert until that port is added to the type's allowed list; extend the list for known services rather than ignore the alert, since carrying a protocol over an unexpected port is a common way of evading port-based controls.

Protocol Descriptions

  • amqpType - AMQP communication on a port not listed for the AMQP type (5672, 5671) triggers an alert.

  • dnsType - DNS communication on a port other than the standard port 53 triggers an alert.

  • ftpProtocol - FTP communication on a port other than the standard port 21 triggers an alert.

  • httpProxy - HTTP proxy communication on a port not listed for the HTTP Proxy type (3128) triggers an alert, flagging unauthorized web proxy usage.

  • httpType - HTTP traffic on a port other than 80, 8008, 8080 or 8088 triggers an alert.

  • kerberosType - Kerberos authentication traffic on a port other than 88 triggers an alert.

  • smtpHelloType - An SMTP Hello message detected on a port other than 25 triggers an alert.

  • smtpType - SMTP communication on a port other than 25 triggers an alert.

  • sshType - SSH communication on a port other than 22 triggers an alert.

  • tlsType - TLS traffic on a port other than 443 or 853 triggers an alert.

Protocol Type    Allowed Ports
AMQP             5672, 5671
DNS              53
FTP              21
HTTP Proxy       3128
HTTP             80, 8008, 8080, 8088
Kerberos         88
SMTP Hello       25
SMTP             25
SSH              22
TLS              443, 853

2. Attack Detection Rules and Descriptions

Each rule has two parameters: attack_duration, the length of the time window in seconds, and attack_threshold, the number of events within that window above which an alert is triggered.

  • AddressScanOnNetwork – Detects multiple TCP connection attempts from the same source IP to different destination ports within a short period. If the number of successful or unsuccessful connection attempts exceeds the defined attack_threshold within the attack_duration window (e.g., 50 attempts in 15 seconds), an alert is triggered to identify potential reconnaissance activity.

  • BruteForceAttack – Flags repeated SSH connection attempts from different sources to the same destination IP and port, indicating potential unauthorized access attempts. If the number of SSH connection attempts exceeds the defined attack_threshold within the attack_duration window (e.g., 10 attempts in 180 seconds), an alert is triggered.

  • GenericBruteForceAttack – Identifies multiple TCP connection attempts to the same destination IP and port from different sources, regardless of protocol, flagging potential brute-force login attempts against any service. If the number of connection attempts exceeds the defined attack_threshold within the attack_duration window (e.g., 10 attempts in 180 seconds), an alert is triggered.

  • PortsScan – Monitors excessive TCP connection attempts from a single source IP to different destination IPs and ports, indicating potential network scanning activity. If the number of successful or unsuccessful connection attempts exceeds the defined attack_threshold within the attack_duration window (e.g., 50 attempts in 15 seconds), an alert is triggered.

  • DNSTunnelling – Detects potential DNS tunnelling, where an attacker misuses DNS queries to carry data out of the network. If the number of events exceeds the defined attack_threshold within the attack_duration window (e.g., 15 events in 180 seconds), an alert is triggered.

  • HostVulnerabilityScan – Identifies scanning activity targeting a single host to uncover vulnerabilities. If the number of events exceeds the defined attack_threshold within the attack_duration window (e.g., 100 events in 60 seconds), an alert is triggered.

  • NetworkVulnerabilityScan – Detects wide-scale vulnerability scanning across multiple hosts. If the number of TCP connection attempts from the same source IP to different destination IPs and/or source ports exceeds the defined attack_threshold within the attack_duration window (e.g., 100 attempts in 60 seconds), an alert is triggered.

Attack Name               Duration (seconds)   Threshold (events)   Description
AddressScanOnNetwork      15                   50                   Multiple TCP connection attempts from the same source IP to different destination ports.
BruteForceAttack          180                  10                   Repeated SSH connection attempts to the same destination IP and port from different sources.
GenericBruteForceAttack   180                  10                   Repeated TCP connection attempts to the same destination IP and port from different sources.
PortsScan                 15                   50                   Multiple TCP connection attempts from the same source IP to different destination IPs and ports.
DNSTunnelling             180                  15                   Potential DNS tunnelling activity.
HostVulnerabilityScan     60                   100                  Vulnerability scanning targeting a specific host.
NetworkVulnerabilityScan  60                   100                  Network-wide vulnerability scanning attempts.
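The protocol-port checks of section 1 and the windowed connection-attempt rules of section 2 can be reproduced offline to see how the attack_duration / attack_threshold pair behaves on real traffic shapes. The Python below is an added example written for this page, not NETALERT code: it takes the allowed ports and the duration and threshold values from the two tables above, models the four rules the page defines in terms of TCP connection attempts (AddressScanOnNetwork, PortsScan, BruteForceAttack, GenericBruteForceAttack), and runs them over constructed connection records. The record layout, the assumption that the protocol is identified from the traffic itself (so a record carries a protocol name independent of its port), the one-alert-per-group behaviour and the strict "exceeds" comparison are assumptions of this example; DNSTunnelling and the two vulnerability-scan rules are left out because the page does not say which events they count.

```python
"""Added example, not NETALERT code: DataSense-style protocol-port and
threshold-window checks over constructed connection records."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Optional

# Allowed ports per protocol type, copied from the DataSense table.
ALLOWED_PORTS = {
    "AMQP": {5672, 5671}, "DNS": {53}, "FTP": {21}, "HTTP Proxy": {3128},
    "HTTP": {80, 8008, 8080, 8088}, "Kerberos": {88}, "SMTP Hello": {25},
    "SMTP": {25}, "SSH": {22}, "TLS": {443, 853},
}


@dataclass(frozen=True)
class Conn:
    """One TCP connection attempt (assumed record layout, not NETALERT's)."""
    ts: float    # seconds
    src: str
    dst: str
    dport: int
    proto: str   # protocol identified from the traffic itself; "" if unknown


def protocol_port_alerts(conns):
    """Section 1: a known protocol seen on a port outside its allowed list alerts."""
    return [(c.proto, c.src, c.dst, c.dport) for c in conns
            if c.proto in ALLOWED_PORTS and c.dport not in ALLOWED_PORTS[c.proto]]


@dataclass(frozen=True)
class Rule:
    name: str
    duration: float                   # attack_duration, seconds
    threshold: int                    # attack_threshold, events
    group: Callable                   # what "the same ..." means for this rule
    distinct: Optional[Callable]      # what "different ..." means; None counts every attempt
    match: Callable = lambda c: True  # which records the rule looks at


# Durations and thresholds as in the DataSense table.
RULES = [
    Rule("AddressScanOnNetwork", 15, 50, lambda c: c.src, lambda c: c.dport),
    Rule("PortsScan", 15, 50, lambda c: c.src, lambda c: (c.dst, c.dport)),
    Rule("BruteForceAttack", 180, 10, lambda c: (c.dst, c.dport), None,
         lambda c: c.proto == "SSH"),
    Rule("GenericBruteForceAttack", 180, 10, lambda c: (c.dst, c.dport), None),
]


def evaluate(conns, rules=RULES):
    """Slide each rule's window over time-ordered records.

    Returns (rule name, group key, time, count) tuples; a rule fires once per
    group the first time its count exceeds the threshold (strict >, taken from
    the page's wording "exceeds"; a real implementation may use >= instead).
    """
    windows = defaultdict(deque)   # (rule, group) -> deque of (ts, distinct value)
    fired, alerts = set(), []
    for c in sorted(conns, key=lambda c: c.ts):
        for r in rules:
            if not r.match(c):
                continue
            key = (r.name, r.group(c))
            w = windows[key]
            w.append((c.ts, r.distinct(c) if r.distinct else None))
            while w and w[0][0] < c.ts - r.duration:   # drop events outside the window
                w.popleft()
            count = len({v for _, v in w}) if r.distinct else len(w)
            if count > r.threshold and key not in fired:
                fired.add(key)
                alerts.append((r.name, r.group(c), c.ts, count))
    return alerts


def _scan(src, dst, t0, step):
    """Constructed: one source probing ports 1..60 on one host, `step` seconds apart."""
    return [Conn(t0 + (p - 1) * step, src, dst, p, "") for p in range(1, 61)]


# Constructed sample traffic (not captured data).
SAMPLE = (
    _scan("10.0.0.5", "10.0.0.30", 0.0, 0.1)        # fast scan: 60 ports in 6 s
    + _scan("10.0.0.9", "10.0.0.31", 200.0, 1.0)    # slow scan: at most 16 ports per 15 s window
    + [Conn(100.0 + i, f"192.168.1.{i + 1}", "10.0.0.20", 22, "SSH")   # 12 sources, one SSH target
       for i in range(12)]
    + [Conn(300.0, "10.0.0.7", "10.0.0.40", 8443, "TLS"),    # TLS off 443/853 -> alert
       Conn(301.0, "10.0.0.7", "10.0.0.40", 8080, "HTTP"),   # allowed HTTP port -> no alert
       Conn(302.0, "10.0.0.7", "10.0.0.2", 53, "DNS")]
)

if __name__ == "__main__":
    for a in protocol_port_alerts(SAMPLE):
        print("protocol/port:", a)
    for a in evaluate(SAMPLE):
        print("rule:", a)
```

Running it shows the fast scanner tripping both AddressScanOnNetwork and PortsScan on its 51st distinct port, the twelve SSH sources tripping BruteForceAttack and GenericBruteForceAttack on the 11th attempt, and TLS on 8443 as the only protocol-port alert. The slow scanner never holds more than 16 distinct ports in any 15-second window and stays silent, which is exactly the gap a patient attacker exploits; lowering attack_threshold or lengthening attack_duration closes it at the cost of more noise from busy legitimate clients, so tune the pair against a baseline of normal traffic rather than in isolation.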