28-6
FireSIGHT System User Guide
Chapter 28      Detecting Specific Threats
  Detecting Portscans
The Advanced Settings page appears.
Step 4
You have two choices, depending on whether Portscan Detection under Specific Threat Detection is enabled:
  • If the configuration is enabled, click Edit.
  • If the configuration is disabled, click Enabled, then click Edit.
The Portscan Detection page appears. A message at the bottom of the page identifies the intrusion policy layer that contains the configuration. See  for more information.
Step 5
In the Protocol field, specify which of the following protocols you want to enable:
  • TCP
  • UDP
  • ICMP
  • IP
Use Ctrl or Shift while clicking to select multiple protocols or clear individual protocols. See the  table for more information.
Note that you must ensure that TCP stream processing is enabled to detect scans over TCP, and that UDP stream processing is enabled to detect scans over UDP.
Step 6
In the Scan Type field, specify which of the following portscans you want to detect:
  • Portscan Detection
  • Port Sweep
  • Decoy Portscan
  • Distributed Portscan
Use Ctrl or Shift while clicking to select or deselect multiple scan types. See the  table for more information.
Step 7
In the Sensitivity Level list, select the level you want to use: low, medium, or high. See the  table for more information.
Step 8
Optionally, in the Watch IP field, specify which host you want to watch for signs of portscan activity, or leave the field blank to watch all network traffic.
You can specify a single IP address or address block, or a comma-separated list of either or both. For information on using IPv4 and IPv6 address blocks in the FireSIGHT System, see .
Step 9
Optionally, in the Ignore Scanners field, specify which hosts you want to ignore as scanners. Use this field to indicate hosts on your network that are especially active, such as vulnerability scanners or monitoring systems that legitimately probe many ports. You may need to modify this list of hosts over time.
You can specify a single IP address or address block, or a comma-separated list of either or both. For information on using IPv4 and IPv6 address blocks in the FireSIGHT System, see .
Step 10
Optionally, in the Ignore Scanned field, specify which hosts you want to ignore as the target of a scan. Use this field to indicate hosts on your network that are especially active. You may need to modify this list of hosts over time.
You can specify a single IP address or address block, or a comma-separated list of either or both. For information on using IPv4 and IPv6 address blocks in the FireSIGHT System, see .
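The following is an added example, not Cisco code and not a description of FireSIGHT internals: it models the settings from Steps 5 through 10 in plain Python so the scoping rules can be tried offline. The protocol, scan type and sensitivity names come from the page; the stream-processing check encodes the note in Step 5; the rule that a non-empty Watch IP list matches either endpoint of a packet, and the order in which the three address lists are evaluated, are assumptions made for illustration. The sample traffic at the bottom is constructed.

```python
"""Added example (not Cisco code): a model of the Portscan Detection
settings from Steps 5-10.  Field names follow the user guide; the
evaluation order and the 'either endpoint' rule for Watch IP are
assumptions for illustration, not FireSIGHT behaviour.
"""
import ipaddress

PROTOCOLS = {"TCP", "UDP", "ICMP", "IP"}
SCAN_TYPES = {"Portscan Detection", "Port Sweep",
              "Decoy Portscan", "Distributed Portscan"}
SENSITIVITY = {"low", "medium", "high"}


def validate_settings(protocols, scan_types, sensitivity,
                      tcp_stream=True, udp_stream=True):
    """Return a list of problems with a proposed configuration (empty = OK).

    Encodes the Step 5 note: scans over TCP or UDP are only detectable
    when the matching stream processing is enabled.
    """
    problems = []
    bad = set(protocols) - PROTOCOLS
    if bad:
        problems.append(f"unknown protocol(s): {sorted(bad)}")
    bad = set(scan_types) - SCAN_TYPES
    if bad:
        problems.append(f"unknown scan type(s): {sorted(bad)}")
    if sensitivity not in SENSITIVITY:
        problems.append(f"sensitivity must be one of {sorted(SENSITIVITY)}")
    if "TCP" in protocols and not tcp_stream:
        problems.append("TCP selected but TCP stream processing is disabled")
    if "UDP" in protocols and not udp_stream:
        problems.append("UDP selected but UDP stream processing is disabled")
    return problems


def parse_address_list(text):
    """Parse a comma-separated list of IPv4/IPv6 addresses or address blocks.

    A blank field yields an empty list, which callers treat as 'no filter'
    (the page's 'leave the field blank to watch all network traffic').
    """
    nets = []
    for token in text.split(","):
        token = token.strip()
        if token:
            # strict=False accepts a block written with host bits set
            nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def in_list(addr, nets):
    """True if addr falls inside any network in nets (family-aware)."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == n.version and ip in n for n in nets)


def should_inspect(src, dst, watch_ip="", ignore_scanners="", ignore_scanned=""):
    """Decide whether a src->dst packet is handed to the scan detector.

    Assumed rules: a non-empty Watch IP list restricts inspection to traffic
    where either endpoint is listed; Ignore Scanners drops packets whose
    source is listed; Ignore Scanned drops packets whose destination is listed.
    """
    watch = parse_address_list(watch_ip)
    if watch and not (in_list(src, watch) or in_list(dst, watch)):
        return False
    if in_list(src, parse_address_list(ignore_scanners)):
        return False
    if in_list(dst, parse_address_list(ignore_scanned)):
        return False
    return True


def count_inspected(packets, **scope):
    """Apply should_inspect to (src, dst) pairs; return how many pass."""
    return sum(1 for src, dst in packets if should_inspect(src, dst, **scope))


if __name__ == "__main__":
    # Constructed sample traffic: an internal scanner appliance, an outside
    # host, a workstation talking to a busy DNS server, and an IPv6 pair.
    sample = [
        ("10.1.1.50", "10.1.2.10"),
        ("203.0.113.9", "10.1.2.10"),
        ("10.1.3.7", "10.1.2.53"),
        ("2001:db8::1", "2001:db8:1::5"),
    ]
    scope = dict(watch_ip="10.1.0.0/16, 2001:db8::/32",
                 ignore_scanners="10.1.1.50",
                 ignore_scanned="10.1.2.53")
    print(validate_settings(["TCP", "UDP"], ["Portscan Detection", "Port Sweep"], "medium"))
    print(count_inspected(sample, **scope))  # 2 of the 4 packets are inspected
```

With the constructed scope, the scanner appliance is dropped by Ignore Scanners and the DNS server's traffic by Ignore Scanned, so only the outside host and the IPv6 pair reach the detector. Whitelisting an address this way also hides a real scan from that host, which is why the page advises revisiting these lists over time.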