Cisco Firepower Management Center 4000
28-8
FireSIGHT System User Guide
Chapter 28 Detecting Specific Threats
Detecting Portscans
When you enable the accompanying preprocessor rules, the portscan detector generates intrusion events
that you can view just as you would any other intrusion event. However, the information presented on
the packet view is different from the other types of intrusion events. This section describes the fields that
appear on the packet view for a portscan event and how you can use that information to understand the
types of probes that occur on your network.
Begin by using the intrusion event views to drill down to the packet view for a portscan event. You can follow the procedures in .
Note that you cannot download a portscan packet because single portscan events are based on multiple
packets; however, the portscan packet view provides all usable packet information.
Note
For events generated by the portscan connection detector, the protocol number is set to 255. Because
portscan does not have a specific protocol associated with it by default, the Internet Assigned Numbers
Authority (IANA) does not have a protocol number assigned to it. IANA designates 255 as a reserved
number, so that number is used in portscan events to indicate that there is not an associated protocol for
the event.
The following table describes the information provided in the packet view for portscan events. For any IP address, you can click the address to view the context menu and select whois to perform a lookup on the IP address or View Host Profile to view the host profile for that host.
Table 28-5  Portscan Detection SIDs (GID:122) (continued)

Portscan Type          Protocol: Sensitivity Level   Preprocessor Rule SID
Decoy Portscan         TCP: Low                      2
                       TCP: Medium or High           6
                       UDP: Low                      18
                       UDP: Medium or High           22
                       ICMP: Low                     Does not generate events.
                       ICMP: Medium or High          Does not generate events.
                       IP: Low                       10
                       IP: Medium or High            14
Distributed Portscan   TCP: Low                      4
                       TCP: Medium or High           8
                       UDP: Low                      20
                       UDP: Medium or High           24
                       ICMP: Low                     Does not generate events.
                       ICMP: Medium or High          Does not generate events.
                       IP: Low                       12
                       IP: Medium or High            16
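The following is an added example, not code from the guide or from Cisco, showing how an analyst might decode portscan intrusion events using the GID 122 SID rows in Table 28-5 together with the earlier note that portscan events carry the IANA-reserved protocol number 255. It assumes a Snort alert_fast-style line layout ([gid:sid:rev] message {PROTO:n} src -> dst); the sample alert lines and addresses are constructed for the demonstration, and the SID table contains only the Decoy and Distributed rows shown on this page.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORTSCAN_GID = 122
# IANA reserves protocol number 255; the portscan detector sets it on its events
# to indicate that there is no associated protocol (see the note on this page).
RESERVED_PROTOCOL = 255

# SID -> (portscan type, protocol, sensitivity level), taken from the rows of
# Table 28-5 reproduced on this page (Decoy and Distributed portscans only).
PORTSCAN_SIDS: Dict[int, Tuple[str, str, str]] = {
    2: ("Decoy Portscan", "TCP", "Low"),
    6: ("Decoy Portscan", "TCP", "Medium or High"),
    18: ("Decoy Portscan", "UDP", "Low"),
    22: ("Decoy Portscan", "UDP", "Medium or High"),
    10: ("Decoy Portscan", "IP", "Low"),
    14: ("Decoy Portscan", "IP", "Medium or High"),
    4: ("Distributed Portscan", "TCP", "Low"),
    8: ("Distributed Portscan", "TCP", "Medium or High"),
    20: ("Distributed Portscan", "UDP", "Low"),
    24: ("Distributed Portscan", "UDP", "Medium or High"),
    12: ("Distributed Portscan", "IP", "Low"),
    16: ("Distributed Portscan", "IP", "Medium or High"),
}

# Assumed Snort alert_fast-style layout for the constructed sample lines:
#   [gid:sid:rev] message {PROTO:n} src -> dst
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.+?)\s+\{PROTO:(?P<proto>\d+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)"
)


@dataclass
class PortscanEvent:
    sid: int
    scan_type: str
    protocol: str
    sensitivity: str
    src_ip: str       # the scanning host (Source IP in the packet view)
    dst_ip: str       # the scanned host (Destination IP in the packet view)
    ip_protocol: int  # expected to be 255 for portscan events

    def protocol_is_reserved(self) -> bool:
        """True when the event carries the reserved 'no protocol' value 255."""
        return self.ip_protocol == RESERVED_PROTOCOL


def parse_portscan_alert(line: str) -> Optional[PortscanEvent]:
    """Decode one alert line into a PortscanEvent.

    Returns None for lines that do not match the layout, are not GID 122,
    or use a SID that is not in the rows reproduced from Table 28-5.
    """
    m = ALERT_RE.search(line)
    if not m or int(m["gid"]) != PORTSCAN_GID:
        return None
    sid = int(m["sid"])
    if sid not in PORTSCAN_SIDS:
        return None
    scan_type, protocol, sensitivity = PORTSCAN_SIDS[sid]
    return PortscanEvent(sid, scan_type, protocol, sensitivity,
                         m["src"], m["dst"], int(m["proto"]))


def scanned_hosts(lines: List[str]) -> Dict[str, List[str]]:
    """Group decoded events by scanned host: dst_ip -> 'type/protocol/sensitivity' labels."""
    report: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        ev = parse_portscan_alert(line)
        if ev is None:
            continue
        report[ev.dst_ip].append(f"{ev.scan_type}/{ev.protocol}/{ev.sensitivity}")
    return dict(report)


# Constructed sample alert lines (not real captures); RFC 5737 documentation addresses.
SAMPLE_ALERTS = [
    "[122:2:1] (portscan) TCP Decoy Portscan {PROTO:255} 192.0.2.10 -> 198.51.100.5",
    "[122:24:1] (portscan) UDP Filtered Distributed Portscan {PROTO:255} 192.0.2.11 -> 198.51.100.5",
    "[122:12:1] (portscan) IP Distributed Portscan {PROTO:255} 192.0.2.12 -> 198.51.100.7",
    "[1:2000001:1] unrelated rule {PROTO:6} 192.0.2.13 -> 198.51.100.9",  # not GID 122
]

if __name__ == "__main__":
    for dst, labels in scanned_hosts(SAMPLE_ALERTS).items():
        print(dst, labels)
```

Running the block prints one line per scanned host with the decoded scan types observed against it; an event whose protocol field is not 255 would still decode, but protocol_is_reserved() lets a triage script flag it as inconsistent with the detector's documented behaviour.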
Table 28-6  Portscan Packet View

Information      Description
Device           The device that detected the event.
Time             The time when the event occurred.
Message          The event message generated by the preprocessor.
Source IP        The IP address of the scanning host.
Destination IP   The IP address of the scanned host.