Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 28 Detecting Specific Threats
Detecting Portscans
By itself, a portscan is not evidence of an attack. In fact, some of the portscanning techniques used by 
attackers can also be employed by legitimate users on your network. Cisco’s portscan detector is 
designed to help you determine which portscans might be malicious by detecting patterns of activity. 
Attackers are likely to use several methods to probe your network. Often they use different protocols to 
draw out different responses from a target host, hoping that if one type of protocol is blocked, another 
may be available. The following table describes the protocols you can activate in the portscan detector.
Note: For events generated by the portscan connection detector, the protocol number is set to 255. Because portscan does not have a specific protocol associated with it by default, the Internet Assigned Numbers Authority (IANA) does not have a protocol number assigned to it. IANA designates 255 as a reserved number, so that number is used in portscan events to indicate that there is not an associated protocol for the event.
Table 28-2 Protocol Types

Protocol   Description
TCP        Detects TCP probes such as SYN scans, ACK scans, TCP connect() scans, and scans with unusual flag combinations such as Xmas tree, FIN, and NULL
UDP        Detects UDP probes such as zero-byte UDP packets
ICMP       Detects ICMP echo requests (pings)
IP         Detects IP protocol scans. These scans differ from TCP and UDP scans because the attacker, instead of looking for open ports, is trying to discover which IP protocols are supported on a target host.

Portscans are generally divided into four types based on the number of targeted hosts, the number of scanning hosts, and the number of ports that are scanned. The following table describes the kinds of portscan activity you can detect.
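As an added illustration (not part of the guide and not Cisco's detector code), the constructed Python below labels packets with the probe types listed in Table 28-2 and aggregates them per source/target pair into portscan events carrying protocol number 255, as the Note describes; the packet field names, the thresholds and the sample traffic are assumptions.

```python
from collections import defaultdict

# TCP flag bits (RFC 793); Xmas tree = FIN+PSH+URG, NULL = no flags set
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
PORTSCAN_PROTO = 255  # reserved IANA number the guide uses on portscan events
TCP, UDP, ICMP = 6, 17, 1

def classify_probe(pkt):
    """Label one packet with the probe type from Table 28-2, or None."""
    p = pkt["proto"]
    if p == TCP:
        labels = {0: "TCP NULL", FIN | PSH | URG: "TCP Xmas tree", FIN: "TCP FIN",
                  SYN: "TCP SYN", ACK: "TCP ACK"}
        return labels.get(pkt["flags"])
    if p == UDP:  # zero-byte datagrams are the typical UDP probe
        return "UDP zero-byte" if pkt["payload_len"] == 0 else None
    if p == ICMP:  # echo request (type 8) is a ping
        return "ICMP echo" if pkt["icmp_type"] == 8 else None
    return "IP protocol"  # any other number: probing which IP protocols exist

def detect_portscans(packets, port_threshold=5, proto_threshold=3):
    """Aggregate probes per (src, dst) pair and emit portscan events."""
    ports, protos, kinds = defaultdict(set), defaultdict(set), defaultdict(set)
    for pkt in packets:
        label = classify_probe(pkt)
        if label is None:
            continue
        key = (pkt["src"], pkt["dst"])
        kinds[key].add(label)
        if label == "IP protocol":
            protos[key].add(pkt["proto"])
        elif pkt["proto"] in (TCP, UDP):
            ports[key].add(pkt["dport"])
    events = []
    for key in sorted(kinds):
        if len(ports[key]) >= port_threshold or len(protos[key]) >= proto_threshold:
            events.append({"src": key[0], "dst": key[1], "proto": PORTSCAN_PROTO,
                           "ports": len(ports[key]), "ip_protos": len(protos[key]),
                           "kinds": sorted(kinds[key])})
    return events

# Constructed sample traffic: host 10.0.0.5 mixes SYN, NULL, Xmas and FIN probes
# across six ports; 10.0.0.7 sends one zero-byte UDP datagram (below threshold).
SAMPLE = [{"src": "10.0.0.5", "dst": "10.0.0.9", "proto": TCP, "dport": d, "flags": f}
          for d, f in [(22, SYN), (25, SYN), (80, 0), (443, FIN | PSH | URG),
                       (3306, SYN), (8080, FIN)]]
SAMPLE.append({"src": "10.0.0.7", "dst": "10.0.0.9", "proto": UDP, "dport": 53,
               "payload_len": 0})
```

Running `detect_portscans(SAMPLE)` yields a single event for 10.0.0.5 with six distinct ports and all four TCP probe kinds; the lone UDP datagram stays below the threshold.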