Detecting Anomalies
Spot malicious traffic.
Normal vs Abnormal
Detecting anomalies means spotting traffic that deviates from a network's baseline. You cannot recognize abnormal until you know normal.
This lesson covers the common patterns that betray malicious activity.
Port Scans
A port scan appears as one source touching many ports on a host, often with SYN packets that get RST replies.
A burst of SYNs across sequential ports from a single IP is a classic signature.
10.0.0.9 -> host:22 SYN -> RST
10.0.0.9 -> host:23 SYN -> RST
10.0.0.9 -> host:80 SYN -> SYN-ACK
(one src, many ports = scan)
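The pattern above can be turned into a small detector. The following is an added example, not code from the lesson: it parses lines written in the lesson's own "src -> host:port SENT -> REPLY" notation (with a leading ISO timestamp, which is an assumption added here so events can be grouped into a time window), then flags any source that touches at least `min_ports` distinct ports on one host within `window` and gets mostly RST replies. The sample log is constructed; the threshold values and the sliding-window logic go beyond what the lesson states and are one reasonable choice, not the only one.

```python
"""Port-scan heuristic over connection-attempt log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One event per line: "<iso-timestamp> <src> -> <host>:<port> <sent> -> <reply>"
# The timestamp prefix is an assumption added for windowing; the rest follows
# the lesson's notation.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s*->\s*(?P<dst>[^:\s]+):(?P<port>\d+)\s+"
    r"(?P<sent>[A-Z-]+)\s*->\s*(?P<reply>[A-Z-]+)$"
)

# Constructed sample: 10.0.0.5 is a normal web client, 10.0.0.9 sweeps seven
# ports in four seconds (mostly RST), 10.0.0.7 probes one port per minute.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 -> host:80 SYN -> SYN-ACK
2024-05-01T10:00:01 10.0.0.9 -> host:21 SYN -> RST
2024-05-01T10:00:01 10.0.0.9 -> host:22 SYN -> RST
2024-05-01T10:00:02 10.0.0.9 -> host:23 SYN -> RST
2024-05-01T10:00:02 10.0.0.9 -> host:25 SYN -> RST
2024-05-01T10:00:03 10.0.0.9 -> host:80 SYN -> SYN-ACK
2024-05-01T10:00:03 10.0.0.9 -> host:443 SYN -> SYN-ACK
2024-05-01T10:00:04 10.0.0.9 -> host:8080 SYN -> RST
2024-05-01T10:00:05 10.0.0.5 -> host:443 SYN -> SYN-ACK
2024-05-01T10:00:30 10.0.0.5 -> host:80 SYN -> SYN-ACK
2024-05-01T10:01:00 10.0.0.7 -> host:22 SYN -> RST
2024-05-01T10:02:00 10.0.0.7 -> host:23 SYN -> RST
2024-05-01T10:03:00 10.0.0.7 -> host:25 SYN -> RST
2024-05-01T10:04:00 10.0.0.7 -> host:110 SYN -> RST
2024-05-01T10:05:00 10.0.0.7 -> host:143 SYN -> RST
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
        "sent": m["sent"],
        "reply": m["reply"],
    }


def detect_scans(lines, window=timedelta(seconds=10), min_ports=5, min_rst_ratio=0.5):
    """Return one alert per (src, dst) pair whose SYNs hit >= min_ports distinct
    ports inside any `window`-long span, with at least min_rst_ratio RST replies."""
    events = [e for e in map(parse_line, lines) if e and e["sent"] == "SYN"]
    events.sort(key=lambda e: e["ts"])

    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)

    alerts = []
    for (src, dst), evs in by_pair.items():
        # Slide a window starting at each event; stop at the first window that fires.
        for i, start in enumerate(evs):
            ports, rst, total = set(), 0, 0
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                ports.add(e["port"])
                total += 1
                if e["reply"] == "RST":
                    rst += 1
            if len(ports) >= min_ports and rst / total >= min_rst_ratio:
                alerts.append({
                    "src": src,
                    "dst": dst,
                    "distinct_ports": len(ports),
                    "rst_fraction": rst / total,
                    "first_seen": start["ts"].isoformat(),
                })
                break
    return alerts


if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG.splitlines()):
        print(a)
```

With the defaults only 10.0.0.9 is reported; 10.0.0.7 stays under the radar because its probes are spread over minutes. Widening `window` to ten minutes catches it too, at the cost of more false positives from busy legitimate clients, which is exactly the baseline trade-off the lesson opens with: the thresholds have to come from what "normal" looks like on your network, not from a fixed number.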