FireSIGHT System User Guide
Chapter 28  Detecting Specific Threats
Detecting Portscans
Step 11  Optionally, clear the Detect Ack Scans check box to discontinue monitoring of sessions picked up in mid-stream.

Note  Detection of mid-stream sessions helps to identify ACK scans, but may cause false events, particularly on networks with heavy traffic and dropped packets.
Step 12  Set the portscan detection rules for each enabled portscan type to Generate Events; click Configure Rules for Portscan Detection at the top of the page to display the rules associated with individual TCP policy options.

Note that although you can set portscan rules to Drop and Generate Events, the portscan detector does not drop packets, including in an inline deployment. See  for information on setting rule states.

To identify the rules associated with the different portscan types, see the Portscan Detection SIDs table (Table 28-5) below.

Click Back to return to the Portscan Detection page.
Step 13  Save your policy, continue editing, discard your changes, revert to the default configuration settings in the base policy, or exit while leaving your changes in the system cache. See the  table for more information.
Understanding Portscan Events

License: Protection

When portscan detection is enabled, you must enable rules with generator ID (GID) 122 and a Snort® ID (SID) from among SIDs 1 through 27 to generate events for each enabled portscan type. See  for more information. The Preprocessor Rule SID column in the following table lists the SID for the preprocessor rule you must enable for each portscan type.
Table 28-5  Portscan Detection SIDs (GID:122)

Portscan Type        Protocol   Sensitivity Level   Preprocessor Rule SID
Portscan Detection   TCP        Low                 1
                     TCP        Medium or High      5
                     UDP        Low                 17
                     UDP        Medium or High      21
                     ICMP       Low                 Does not generate events.
                     ICMP       Medium or High      Does not generate events.
                     IP         Low                 9
                     IP         Medium or High      13
Port Sweep           TCP        Low                 3, 27
                     TCP        Medium or High      7
                     UDP        Low                 19
                     UDP        Medium or High      23
                     ICMP       Low                 25
                     ICMP       Medium or High      26
                     IP         Low                 11
                     IP         Medium or High      15
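As an added example that is not part of the Cisco guide, the following Python encodes Table 28-5 so that an analyst can check which GID 122 rules a given portscan configuration requires but has not set to Generate Events, and can map GID 122 alerts back to the portscan type, protocol and sensitivity that fired. The nested mapping, the function names, the "[gid:sid:rev]" alert_fast-style parsing and the sample alert lines are assumptions made here, not FireSIGHT code or real captures.

```python
"""Check the GID 122 rules a FireSIGHT portscan configuration needs, and classify alerts."""
import re

PORTSCAN_GID = 122
# Table 28-5: portscan type -> protocol -> sensitivity -> SIDs to enable. () = no event generated.
REQUIRED_SIDS = {
    "Portscan Detection": {
        "TCP": {"Low": (1,), "Medium or High": (5,)},
        "UDP": {"Low": (17,), "Medium or High": (21,)},
        "ICMP": {"Low": (), "Medium or High": ()},  # ICMP portscan detection generates no events
        "IP": {"Low": (9,), "Medium or High": (13,)},
    },
    "Port Sweep": {
        "TCP": {"Low": (3, 27), "Medium or High": (7,)},  # Low sensitivity needs both SIDs enabled
        "UDP": {"Low": (19,), "Medium or High": (23,)},
        "ICMP": {"Low": (25,), "Medium or High": (26,)},
        "IP": {"Low": (11,), "Medium or High": (15,)},
    },
}
# Reverse map: a SID identifies the portscan type, protocol and sensitivity that fired.
SID_TO_TYPE = {sid: (t, p, s) for t, protos in REQUIRED_SIDS.items()
               for p, levels in protos.items() for s, sids in levels.items() for sid in sids}

def missing_rules(portscan_types, protocols, sensitivity, enabled_rules):
    """Return sorted (GID, SID) pairs the configuration needs that are not set to Generate Events."""
    needed = {(PORTSCAN_GID, sid) for t in portscan_types for p in protocols
              for sid in REQUIRED_SIDS[t][p][sensitivity]}
    return sorted(needed - set(enabled_rules))

# Assumed Snort alert_fast-style "[gid:sid:rev]" tag; the rest of the line is not parsed.
ALERT_TAG = re.compile(r"\[(\d+):(\d+):\d+\]")

def classify_alerts(lines):
    """Map each GID 122 alert line to (portscan type, protocol, sensitivity); skip other GIDs."""
    hits = []
    for line in lines:
        m = ALERT_TAG.search(line)
        if m and int(m.group(1)) == PORTSCAN_GID:
            hits.append(SID_TO_TYPE.get(int(m.group(2)), ("unknown", "", "")))
    return hits

# Constructed sample alert lines (not real captures) for trying the functions above.
SAMPLE_ALERTS = [
    "[**] [122:1:1] (portscan) TCP Portscan [**] {PROTO:255} 192.0.2.10 -> 192.0.2.20",
    "[**] [122:27:1] (portscan) Open Port [**] {PROTO:255} 192.0.2.10 -> 192.0.2.20",
    "[**] [122:26:1] (portscan) ICMP Filtered Sweep [**] {PROTO:255} 192.0.2.10 -> 192.0.2.20",
    "[**] [1:1000001:1] constructed unrelated rule [**] {TCP} 192.0.2.10:1234 -> 192.0.2.20:80",
]
```

A policy that enables Portscan Detection and Port Sweep for TCP at Low sensitivity but only sets 122:1 and 122:3 to Generate Events is reported as missing 122:27, and an ICMP Portscan Detection configuration correctly requires no rule at all.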