Port Scan Lab
Detection lab for identifying Nmap-style port scan and reconnaissance activity from firewall logs.
Parses firewall logs, groups connection attempts by source IP, and detects port scanning patterns: wide port sweeps, mixed-service reconnaissance, and rapid scan windows. Outputs scan findings, per-source risk tables, a Markdown timeline report, and analyst triage handoff.
Catalog entry only — a full write-up lands closer to release.
Related across catalogs
- Beaconing Traffic Detector (Security project · Demo ready)
  Detects periodic outbound callback (C2 beacon) behavior from timestamped network logs by scoring inter-arrival timing consistency per source/destination pair.
- Web Attack Detection (Security project · Demo ready)
  Web log detection lab — flags SQL injection, XSS, suspicious user agents, scanner activity, and risk-scored request summaries from nginx access logs.
- Exploitation Visibility (Security project · Demo ready)
  Detection engineering lab — compares expected attack signals against collected logs to surface visibility gaps and prioritize new detection rules.
- Network Baseline (Security project · Demo ready)
  Builds a normal traffic baseline from a sample of network logs, then flags unusual source IPs, destination ports, and connection volume spikes in observed traffic.
- Rule Tuning Lab (Security project · Demo ready)
  Detection tuning lab — measures false-positive rate, precision, and noise grade per detection rule, then suggests tuning improvements based on labeled log samples.
