Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 28 Detecting Specific Threats
Detecting Portscans
Configuring Portscan Detection
License: Protection

The portscan detection configuration options allow you to finely tune how the portscan detector reports scan activity.

Note that when portscan detection is enabled, you must enable rules on the Rules page with generator ID (GID) 122 for enabled portscan types for the portscan detector to generate portscan events. See
and the
To configure portscan detection:
Access: Admin/Intrusion Admin

Step 1 Select Policies > Intrusion > Intrusion Policy.
The Intrusion Policy page appears.

Step 2 Click the edit icon next to the policy you want to edit.
If you have unsaved changes in another policy, click OK to discard those changes and continue. See
for information on saving unsaved changes in another policy.
The Policy Information page appears.

Step 3 Click Advanced Settings in the navigation panel on the left.
Table 28-4 Sensitivity Levels

Level    Description
Low      Detects only negative responses from targeted hosts. Select this sensitivity
         level to suppress false positives, but keep in mind that some types of
         portscans (slow scans, filtered scans) might be missed.
         This level uses the shortest time window for portscan detection.
Medium   Detects portscans based on the number of connections to a host, which
         means that you can detect filtered portscans. However, very active hosts such
         as network address translators and proxies may generate false positives.
         Note that you can add the IP addresses of these active hosts to the Ignore
         Scanned field to mitigate this type of false positive.
         This level uses a longer time window for portscan detection.
High     Detects portscans based on a time window, which means that you can detect
         time-based portscans. However, if you use this option, you should be careful
         to tune the detector over time by specifying IP addresses in the Ignore
         Scanned and Ignore Scanner fields.
         This level uses a much longer time window for portscan detection.
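The three approaches in Table 28-4 (negative responses only, connection counts, and a long time window) and the Ignore Scanned / Ignore Scanner lists can be modelled in a few lines to see why each level catches or misses a given scan. This is an added illustrative example, not Cisco FMC or Snort code; the windows, thresholds, addresses and connection records are constructed assumptions, not the product's real values.

```python
from collections import defaultdict

# Per-level parameters (assumed for illustration, not the product's real values):
# window in seconds, distinct-port threshold, whether only negative replies count.
LEVELS = {
    "low":    (5,   5, True),   # shortest window; sees only RST-style replies
    "medium": (30,  5, False),  # longer window; counts every probe, answered or not
    "high":   (300, 5, False),  # much longer window; also catches slow scans
}

# Constructed sample records: (seconds, scanner, scanned host, port, reply), where
# reply is "rst" (closed port), "syn_ack" (open port) or None (filtered, no answer).
RECORDS = (
    [(t, "10.0.0.5", "10.0.1.10", p, r) for t, p, r in      # fast scan of mostly closed ports
     [(0, 22, "rst"), (1, 23, "rst"), (2, 25, "rst"),
      (3, 80, "syn_ack"), (4, 443, "rst"), (5, 8080, "rst")]]
    + [(10 + i, "10.0.0.7", "10.0.1.20", p, None)           # filtered scan: firewall drops silently
       for i, p in enumerate([135, 139, 445, 3389, 5900])]
    + [(100 + 60 * i, "10.0.0.9", "10.0.1.40", p, "rst")    # slow scan: one probe per minute
       for i, p in enumerate([21, 22, 23, 25, 110])]
    + [(200 + i, "10.0.0.2", "10.0.1.30", p, "syn_ack")     # monitor polling a busy proxy (benign)
       for i, p in enumerate([80, 443, 3128, 8080, 8443])]
)

def detect_portscans(records, level, ignore_scanned=(), ignore_scanner=()):
    """Return the (scanner, scanned) pairs whose distinct probed ports inside one
    window reach the level's threshold; hosts in either ignore list are skipped."""
    window, threshold, negative_only = LEVELS[level]
    probes = defaultdict(list)
    for t, src, dst, port, reply in sorted(records, key=lambda r: r[0]):
        if src in ignore_scanner or dst in ignore_scanned:
            continue
        if negative_only and reply != "rst":
            continue  # low sensitivity never sees open or filtered ports
        probes[(src, dst)].append((t, port))
    flagged = set()
    for pair, events in probes.items():
        for i, (t0, _) in enumerate(events):  # slide the window over each start time
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                flagged.add(pair)
                break
    return flagged

if __name__ == "__main__":
    for level in LEVELS:
        print(level, sorted(detect_portscans(RECORDS, level)))
    print("medium, proxy in Ignore Scanned:",
          sorted(detect_portscans(RECORDS, "medium", ignore_scanned={"10.0.1.30"})))
```

Low sees only the fast scan, Medium adds the filtered scan but also flags the benign proxy traffic until the proxy is placed in Ignore Scanned, and only High (with its much longer window) catches the slow one-probe-per-minute scan.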