The CyberSift Packet Capture Parser — SYN Requests Anomalies

David Vassallo, CyberSift
Aug 22, 2018

This article is part of a series on the CyberSift Packet Capture Parser. In this article we'll give an overview of one of our anomaly detection modules: the "SYN Requests" module.

Monitoring SYN Requests is a good way of detecting several problems, which can be malicious or accidental:

  • Misconfigurations (e.g. IP address or DNS typos, deprecated servers, etc.)
  • Port scanning techniques (post-exploitation lateral movement within your network)

These types of activities tend to have a very high SYN packet ratio (the ratio of SYN packets to all other packets in the TCP connection).

As with our other anomaly detection modules within the packet capture parser, this module also uses the 95th percentile rule: connections whose SYN packet ratio lies above the 95th percentile of all observed connections are highlighted as having an abnormally high SYN packet ratio. You can see this in the screenshot below:
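The two steps described above (compute a SYN ratio per conversation, then flag the conversations above the 95th percentile) as an added worked example. This is illustrative code, not the CyberSift parser's own implementation, and it makes a few assumptions: packets are reduced to (source IP, destination IP, TCP flags) tuples, a conversation is keyed by the unordered IP pair, only pure SYNs (SYN set, ACK clear) count as "SYN requests", and the ratio is expressed as SYNs over all packets in the conversation rather than SYNs over the other packets, so that a conversation made up of nothing but unanswered SYNs (a dead server, a dropped probe) does not divide by zero; the ranking is the same either way. The packet capture is constructed inline.

```python
"""Added example (not CyberSift code): per-conversation SYN request ratio and
95th-percentile flagging over a constructed TCP packet list."""
from collections import defaultdict
from math import ceil, floor


def normal_conversation(client, server, data_packets):
    """Constructed sample: a complete TCP session (handshake, data, teardown)."""
    pkts = [(client, server, "S"), (server, client, "SA"), (client, server, "A")]
    for _ in range(data_packets):
        pkts.append((client, server, "PA"))
        pkts.append((server, client, "A"))
    pkts += [(client, server, "FA"), (server, client, "FA"), (client, server, "A")]
    return pkts


def build_sample_capture():
    """Constructed capture: 30 ordinary sessions, one port scan, one misconfiguration."""
    pkts = []
    for i in range(30):  # ordinary clients talking to one server
        pkts += normal_conversation(f"10.0.0.{10 + i}", "10.0.1.20", data_packets=2 + i)
    for _ in range(10):  # scan: 10 SYNs to closed ports, each answered by RST/ACK
        pkts += [("10.0.0.99", "10.0.1.5", "S"), ("10.0.1.5", "10.0.0.99", "RA")]
    # misconfiguration: three SYN retransmits to an address that never answers
    pkts += [("10.0.0.7", "10.0.1.200", "S")] * 3
    return pkts


def is_syn_request(flags):
    # Pure SYN (no ACK) is the client's connection request; the server's
    # SYN-ACK reply is deliberately not counted (assumption of this example).
    return "S" in flags and "A" not in flags


def syn_ratios(packets):
    """Map each unordered IP pair to (SYN requests) / (all packets in the pair)."""
    syn = defaultdict(int)
    total = defaultdict(int)
    for src, dst, flags in packets:
        pair = tuple(sorted((src, dst)))  # direction-agnostic conversation key
        total[pair] += 1
        if is_syn_request(flags):
            syn[pair] += 1
    return {pair: syn[pair] / total[pair] for pair in total}


def percentile(values, p):
    """p-th percentile with linear interpolation between ranks (numpy's default)."""
    s = sorted(values)
    if not s:
        raise ValueError("no values to rank")
    pos = (p / 100) * (len(s) - 1)
    lo, hi = floor(pos), ceil(pos)
    return s[lo] + (s[hi] - s[lo]) * (pos - lo)


def flag_anomalies(packets, p=95):
    """Return (threshold, {pair: ratio}) for pairs strictly above the p-th percentile."""
    ratios = syn_ratios(packets)
    threshold = percentile(ratios.values(), p)
    flagged = {pair: r for pair, r in ratios.items() if r > threshold}
    return threshold, flagged


if __name__ == "__main__":
    threshold, flagged = flag_anomalies(build_sample_capture())
    print(f"95th percentile SYN ratio: {threshold:.3f}")
    for (a, b), r in sorted(flagged.items(), key=lambda kv: -kv[1]):
        print(f"  {a} <-> {b}: SYN ratio {r:.2f}")
```

On the constructed capture the ordinary sessions score at most 0.1, the scan scores 0.5 and the unanswered retransmits score 1.0, so both abnormal pairs land above the threshold. One caveat worth keeping in mind when reading such a chart: the percentile rule flags the top 5% by construction, so if many pairs are abnormal at once (a scanner sweeping dozens of hosts, each its own pair), the threshold rises with them and only the worst few are highlighted; the ratio itself, not just the flag, is what tells the analyst how bad a pair is.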

The abnormal connections are marked with a red base, and hovering over the bars gives information about the source and destination IP addresses that were involved. Clicking on a bar will redirect you to the IBM X-Force entry for that particular destination IP, to give an analyst further context about the addresses involved in this anomaly.
