Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 28 Detecting Specific Threats
Detecting Portscans
The information that the portscan detector learns about a probe is largely based on seeing negative
responses from the probed hosts. For example, when a web client tries to connect to a web server, the
client uses port 80/tcp and the server can be counted on to have that port open. However, when an
attacker probes a server, the attacker does not know in advance if it offers web services. When the
portscan detector sees a negative response (that is, an ICMP unreachable or TCP RST packet), it records
the response as a potential portscan. The process is more difficult when the targeted host is on the other
side of a device such as a firewall or router that filters negative responses. In this case, the portscan
detector can generate filtered portscan events based on the sensitivity level that you select.
The following table describes the three different sensitivity levels you can choose from.
Table 28-3 Portscan Types

Type: Portscan Detection
Description: A one-to-one portscan in which an attacker uses one or a few hosts to scan multiple ports on a single target host.
One-to-one portscans are characterized by:
• a low number of scanning hosts
• a single host that is scanned
• a high number of ports scanned
This option detects TCP, UDP, and IP portscans.

Type: Port Sweep
Description: A one-to-many portsweep in which an attacker uses one or a few hosts to scan a single port on multiple target hosts.
Portsweeps are characterized by:
• a low number of scanning hosts
• a high number of scanned hosts
• a low number of unique ports scanned
This option detects TCP, UDP, ICMP, and IP portsweeps.

Type: Decoy Portscan
Description: A one-to-one portscan in which the attacker mixes spoofed source IP addresses with the actual scanning IP address.
Decoy portscans are characterized by:
• a high number of scanning hosts
• a low number of ports that are scanned only once
• a single (or a low number of) scanned hosts
The decoy portscan option detects TCP, UDP, and IP protocol portscans.

Type: Distributed Portscan
Description: A many-to-one portscan in which multiple hosts query a single host for open ports.
Distributed portscans are characterized by:
• a high number of scanning hosts
• a high number of ports that are scanned only once
• a single (or a low number of) scanned hosts
The distributed portscan option detects TCP, UDP, and IP protocol portscans.
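The following is an added example, not code from the FireSIGHT guide or the product: it turns the four characterizations in Table 28-3 (scanning-host count, scanned-host count, and how many ports were probed only once) into a small classifier run over constructed negative-response records. The line format, the FEW and MANY_PORTS thresholds, and the sample addresses are assumptions for illustration, not the product's sensitivity levels.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed thresholds for this example; the product tunes these via sensitivity levels.
FEW = 3          # "a low number" of hosts or ports
MANY_PORTS = 10  # "a high number" of ports


@dataclass
class Probe:
    scanner: str   # host that sent the probe
    target: str    # host that answered with ICMP unreachable or TCP RST
    port: int      # port that was probed


def parse_negative_responses(lines):
    """Parse constructed sensor lines '<kind> <scanner> -> <target>:<port>'.
    Only negative responses (RST, ICMP_UNREACH) count as evidence of a probe."""
    probes = []
    for line in lines:
        kind, scanner, _, target_port = line.split()
        if kind not in ("RST", "ICMP_UNREACH"):
            continue  # SYN/ACK and other positive responses are normal traffic
        target, port = target_port.rsplit(":", 1)
        probes.append(Probe(scanner, target, int(port)))
    return probes


def classify(probes):
    """Map the aggregate shape of the probes onto the Table 28-3 portscan types."""
    scanners = {p.scanner for p in probes}
    targets = {p.target for p in probes}
    port_hits = Counter(p.port for p in probes)
    ports_once = sum(1 for hits in port_hits.values() if hits == 1)
    if len(scanners) <= FEW and len(targets) == 1 and len(port_hits) >= MANY_PORTS:
        return "Portscan Detection"          # one-to-one: few scanners, one target, many ports
    if len(scanners) <= FEW and len(targets) > FEW and len(port_hits) <= FEW:
        return "Port Sweep"                  # one-to-many: few scanners, many targets, few ports
    if len(scanners) > FEW and len(targets) <= FEW:
        # many-to-one: distributed scans split the port space so most ports are hit once;
        # decoy scans repeat the same few ports from every spoofed source
        return "Distributed Portscan" if ports_once >= MANY_PORTS else "Decoy Portscan"
    return None  # not enough negative responses to match any type


# Constructed samples (RFC 5737 / private addresses), one per table row plus normal traffic.
ONE_TO_ONE = [f"RST 10.0.0.5 -> 192.0.2.10:{port}" for port in range(1, 13)]
SWEEP = [f"RST 10.0.0.5 -> 192.0.2.{h}:22" for h in range(1, 9)]
DISTRIBUTED = [f"RST 10.0.0.{h} -> 192.0.2.10:{p}" for h in range(1, 7) for p in (2 * h, 2 * h + 1)]
DECOY = [f"ICMP_UNREACH 10.0.0.{h} -> 192.0.2.10:{p}" for h in range(1, 7) for p in (22, 80)]
NORMAL = ["SYNACK 192.0.2.10 -> 10.0.0.5:80", "RST 10.0.0.5 -> 192.0.2.10:8080"]
```

Note that the classifier only sees probes that drew a negative response, which is exactly why a filtering firewall in front of the target starves it of evidence and the product falls back to filtered portscan events.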