Cisco Firepower Management Center 2000
28-3
FireSIGHT System User Guide
Chapter 28 Detecting Specific Threats
Detecting Portscans
By itself, a portscan is not evidence of an attack. In fact, some of the portscanning techniques used by
attackers can also be employed by legitimate users on your network. Cisco’s portscan detector is
designed to help you determine which portscans might be malicious by detecting patterns of activity.
Attackers are likely to use several methods to probe your network. Often they use different protocols to
draw out different responses from a target host, hoping that if one type of protocol is blocked, another
may be available. The following table describes the protocols you can activate in the portscan detector.
Note
For events generated by the portscan connection detector, the protocol number is set to 255. A portscan
is not tied to any single protocol, so the Internet Assigned Numbers Authority (IANA) has no protocol
number assigned to it. IANA designates 255 as a reserved number, so that value is used in portscan events
to indicate that there is no associated protocol for the event.
Portscans are generally divided into four types based on the number of targeted hosts, the number of
scanning hosts, and the number of ports that are scanned. The following table describes the kinds of
portscan activity you can detect.
Table 28-2 Protocol Types

Protocol: Description

TCP: Detects TCP probes such as SYN scans, ACK scans, TCP connect() scans, and scans with unusual
flag combinations such as Xmas tree, FIN, and NULL scans.

UDP: Detects UDP probes such as zero-byte UDP packets.

ICMP: Detects ICMP echo requests (pings).

IP: Detects IP protocol scans. These scans differ from TCP and UDP scans because the attacker, instead
of looking for open ports, is trying to discover which IP protocols are supported on a target host.
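The following is an added example, not code from the FireSIGHT System or from Cisco, that shows how a detector can sort individual probes into the four protocol types of Table 28-2 (TCP by flag combination, zero-byte UDP, ICMP echo request, and IP protocol probes), aggregate them per scanner, and tag the resulting event with protocol number 255 as described in the Note above. The packet records, the thresholds, and the event layout are assumptions made for illustration; the product's own thresholds and event fields are not shown on this page, and a single-packet classifier cannot tell a SYN scan from the first packet of a connect() scan.

```python
"""Toy portscan classifier: protocol types from Table 28-2 plus the
protocol-255 event convention. Example code, not the product's own."""
from collections import defaultdict
from dataclasses import dataclass

# TCP flag bits as laid out in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
PORTSCAN_PROTOCOL = 255   # IANA-reserved value carried by portscan events
ICMP_ECHO_REQUEST = 8


@dataclass(frozen=True)
class Packet:
    """One observed packet (constructed sample input, not a real capture)."""
    src: str
    dst: str
    proto: int            # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    dport: int = 0        # destination port for TCP/UDP
    flags: int = 0        # TCP flags byte
    payload_len: int = 0  # bytes after the transport header
    icmp_type: int = 0


def classify_probe(pkt):
    """Map a packet to (protocol type, technique) per Table 28-2, or None
    when the packet looks like ordinary traffic rather than a probe."""
    if pkt.proto == 6:
        f = pkt.flags & (FIN | SYN | RST | PSH | ACK | URG)
        tcp_probe_flags = {
            SYN: "SYN",              # also the first packet of a connect() scan
            ACK: "ACK",
            FIN: "FIN",
            0: "NULL",
            FIN | PSH | URG: "Xmas",
        }
        tech = tcp_probe_flags.get(f)
        return ("TCP", tech) if tech else None   # e.g. PSH|ACK data is not a probe
    if pkt.proto == 17:
        return ("UDP", "zero-byte") if pkt.payload_len == 0 else None
    if pkt.proto == 1:
        return ("ICMP", "echo request") if pkt.icmp_type == ICMP_ECHO_REQUEST else None
    # Anything else is treated as an IP protocol probe: the scanner is asking
    # whether the host speaks this protocol at all, not whether a port is open.
    return ("IP", "protocol %d" % pkt.proto)


def detect_portscans(packets, port_threshold=5, host_threshold=3, proto_threshold=3):
    """Aggregate probes per (scanner, protocol type) and emit an event once a
    scanner has touched enough distinct ports, hosts or IP protocols.
    Thresholds are illustrative assumptions, not the product's defaults."""
    seen = defaultdict(set)        # (src, ptype) -> set of (dst, port | proto | None)
    techniques = defaultdict(set)  # (src, ptype) -> scan techniques observed
    for pkt in packets:
        c = classify_probe(pkt)
        if c is None:
            continue
        ptype, tech = c
        key = (pkt.src, ptype)
        if ptype in ("TCP", "UDP"):
            seen[key].add((pkt.dst, pkt.dport))
        elif ptype == "IP":
            seen[key].add((pkt.dst, pkt.proto))
        else:                      # ICMP: only the set of pinged hosts matters
            seen[key].add((pkt.dst, None))
        techniques[key].add(tech)

    events = []
    for (src, ptype), items in seen.items():
        hosts = {dst for dst, _ in items}
        if ptype == "ICMP":
            hit = len(hosts) >= host_threshold
        elif ptype == "IP":
            hit = len(items) >= proto_threshold
        else:
            hit = len(items) >= port_threshold
        if hit:
            events.append({
                "protocol": PORTSCAN_PROTOCOL,   # 255: no single protocol applies
                "scanner": src,
                "type": ptype,
                "targets": sorted(hosts),
                "count": len(items),
                "techniques": sorted(techniques[(src, ptype)]),
            })
    return events


# Constructed sample traffic: one scanner (10.0.0.5) and one normal client (10.0.0.7).
SAMPLE_PACKETS = (
    [Packet("10.0.0.5", "192.0.2.10", 6, dport=p, flags=SYN) for p in (21, 22, 23, 25, 80, 443)]
    + [Packet("10.0.0.5", "192.0.2.10", 6, dport=8080, flags=FIN | PSH | URG)]   # Xmas probe
    + [Packet("10.0.0.5", "192.0.2.10", 17, dport=p) for p in (53, 67, 123, 161, 514)]
    + [Packet("10.0.0.5", "192.0.2.%d" % h, 1, icmp_type=ICMP_ECHO_REQUEST) for h in (10, 11, 12)]
    + [Packet("10.0.0.5", "192.0.2.10", proto) for proto in (47, 50, 51, 132)]  # GRE, ESP, AH, SCTP
    + [Packet("10.0.0.7", "192.0.2.10", 6, dport=443, flags=SYN),
       Packet("10.0.0.7", "192.0.2.10", 6, dport=443, flags=ACK),
       Packet("10.0.0.7", "192.0.2.10", 6, dport=443, flags=PSH | ACK, payload_len=517)]
)

if __name__ == "__main__":
    for event in detect_portscans(SAMPLE_PACKETS):
        print(event)
```

Run stand-alone, the script reports four events for 10.0.0.5 (TCP, UDP, ICMP and IP) and none for 10.0.0.7, whose lone SYN and ACK to port 443 never reach the port threshold; in a real deployment the same pattern of many distinct ports, hosts or protocols from one source within a time window is what separates a scan from the background noise of legitimate users.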