Cisco Firepower Management Center 4000
28-7
FireSIGHT System User Guide
Chapter 28 Detecting Specific Threats
Detecting Portscans
Step 11    Optionally, clear the Detect Ack Scans check box to discontinue monitoring of sessions picked up in mid-stream.

Note    Detection of mid-stream sessions helps to identify ACK scans, but may cause false events, particularly on networks with heavy traffic and dropped packets.
Step 12    Set the portscan detection rules for each enabled portscan type to Generate Events; click Configure Rules for Portscan Detection at the top of the page to display rules associated with individual TCP policy options.

Note that although you can set portscan rules to Drop and Generate Events, the portscan detector does not drop packets, including in an inline deployment.

See for information on setting rule states.

To identify the rules associated with different portscan types, see the table.

Click Back to return to the Portscan Detection page.
Step 13    Save your policy, continue editing, discard your changes, revert to the default configuration settings in the base policy, or exit while leaving your changes in the system cache. See the table for more information.
Understanding Portscan Events

License: Protection

When portscan detection is enabled, you must enable rules with generator ID (GID) 122 and a Snort® ID (SID) from among SIDs 1 through 27 to generate events for each enabled portscan type. See for more information. The Preprocessor Rule SID column in the following table lists the SID for the preprocessor rule you must enable for each portscan type.
Table 28-5    Portscan Detection SIDs (GID:122)

Portscan Type        Protocol   Sensitivity Level   Preprocessor Rule SID
Portscan Detection   TCP        Low                 1
                     TCP        Medium or High      5
                     UDP        Low                 17
                     UDP        Medium or High      21
                     ICMP       Low                 Does not generate events.
                     ICMP       Medium or High      Does not generate events.
                     IP         Low                 9
                     IP         Medium or High      13
Port Sweep           TCP        Low                 3, 27
                     TCP        Medium or High      7
                     UDP        Low                 19
                     UDP        Medium or High      23
                     ICMP       Low                 25
                     ICMP       Medium or High      26
                     IP         Low                 11
                     IP         Medium or High      15
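The following is an added worked example, not code from the FireSIGHT guide or from Cisco. It turns Table 28-5 into data and uses it two ways a defender needs: first, given which portscan types, protocols and sensitivity level a policy enables, it lists the GID 122 rules that must be set to Generate Events (or Drop and Generate Events) and reports any that are not, since a scan type with its rule left disabled silently produces no events; second, it reads GID 122 alert lines back to the portscan type and protocol that fired. The alert line layout is assumed to be Snort's fast-alert format (timestamp, [gid:sid:rev], message, priority, protocol, src -> dst); adjust the pattern for your sensor's output. The sample lines and the addresses in them are constructed for this example, not a real capture.

```python
"""Worked example for Table 28-5: which GID 122 rules a policy needs, and how
to map GID 122 alerts back to a portscan type. Added example, not Cisco code."""
import re
from collections import Counter

GID = 122  # generator ID shared by every portscan preprocessor rule

# Table 28-5 as data: (portscan type, protocol, sensitivity) -> SIDs under GID 122.
# An empty tuple means the combination never generates events (ICMP portscan).
PORTSCAN_SIDS = {
    ("Portscan Detection", "TCP", "Low"): (1,),
    ("Portscan Detection", "TCP", "Medium or High"): (5,),
    ("Portscan Detection", "UDP", "Low"): (17,),
    ("Portscan Detection", "UDP", "Medium or High"): (21,),
    ("Portscan Detection", "ICMP", "Low"): (),
    ("Portscan Detection", "ICMP", "Medium or High"): (),
    ("Portscan Detection", "IP", "Low"): (9,),
    ("Portscan Detection", "IP", "Medium or High"): (13,),
    ("Port Sweep", "TCP", "Low"): (3, 27),
    ("Port Sweep", "TCP", "Medium or High"): (7,),
    ("Port Sweep", "UDP", "Low"): (19,),
    ("Port Sweep", "UDP", "Medium or High"): (23,),
    ("Port Sweep", "ICMP", "Low"): (25,),
    ("Port Sweep", "ICMP", "Medium or High"): (26,),
    ("Port Sweep", "IP", "Low"): (11,),
    ("Port Sweep", "IP", "Medium or High"): (15,),
}

def sensitivity_row(level):
    """Collapse a policy sensitivity setting onto the table's two rows."""
    level = level.strip().lower()
    if level == "low":
        return "Low"
    if level in ("medium", "high"):
        return "Medium or High"
    raise ValueError(f"unknown sensitivity level: {level!r}")

def required_sids(scan_types, protocols, sensitivity):
    """SIDs that must generate events for the enabled scan types and protocols
    at the given sensitivity level."""
    row = sensitivity_row(sensitivity)
    sids = set()
    for scan_type in scan_types:
        for proto in protocols:
            sids.update(PORTSCAN_SIDS[(scan_type, proto, row)])
    return sids

GENERATING_STATES = {"Generate Events", "Drop and Generate Events"}

def missing_rules(scan_types, protocols, sensitivity, rule_states):
    """Required GID 122 SIDs whose rule state does not generate events.
    rule_states maps (gid, sid) -> state string; an absent rule counts as Disabled."""
    return sorted(
        sid for sid in required_sids(scan_types, protocols, sensitivity)
        if rule_states.get((GID, sid), "Disabled") not in GENERATING_STATES
    )

# Assumed fast-alert line layout (adjust to your sensor's output):
#   <timestamp> [**] [gid:sid:rev] <message> [**] [Priority: n] {PROTO} src -> dst
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

def classify_sid(sid):
    """Reverse lookup: the (type, protocol, sensitivity) row a GID 122 SID belongs to."""
    for row, sids in PORTSCAN_SIDS.items():
        if sid in sids:
            return row
    return None

def parse_alert(line):
    """Return the fields of one GID 122 alert line, or None for any other line."""
    m = ALERT_RE.search(line)
    if not m or int(m.group("gid")) != GID:
        return None
    sid = int(m.group("sid"))
    return {"sid": sid, "msg": m.group("msg"), "src": m.group("src"),
            "dst": m.group("dst"), "row": classify_sid(sid)}

def summarize(lines):
    """Count GID 122 alerts per (scan type, protocol, source host)."""
    counts = Counter()
    for line in lines:
        ev = parse_alert(line)
        if ev and ev["row"]:
            scan_type, proto, _ = ev["row"]
            counts[(scan_type, proto, ev["src"])] += 1
    return counts

# Constructed sample lines (documentation addresses, not a real capture).
SAMPLE_ALERTS = [
    "05/13-13:42:11.123456  [**] [122:1:1] (portscan) TCP Portscan [**] "
    "[Priority: 3] {PROTO:255} 192.0.2.10 -> 198.51.100.5",
    "05/13-13:42:12.456789  [**] [122:27:1] (portscan) Open Port [**] "
    "[Priority: 3] {PROTO:255} 192.0.2.10 -> 198.51.100.5",
    "05/13-13:43:01.000001  [**] [122:19:1] (portscan) UDP Portsweep [**] "
    "[Priority: 3] {PROTO:255} 192.0.2.77 -> 198.51.100.9",
    "05/13-13:43:05.000002  [**] [1:1000001:1] LOCAL test rule [**] "
    "[Priority: 1] {TCP} 198.51.100.5:80 -> 192.0.2.10:51234",
]

if __name__ == "__main__":
    policy = (["Portscan Detection", "Port Sweep"], ["TCP", "UDP"], "medium")
    print("required SIDs:", sorted(required_sids(*policy)))
    states = {(GID, 5): "Generate Events", (GID, 21): "Drop and Generate Events"}
    print("not generating events:", missing_rules(*policy, states))
    for key, n in sorted(summarize(SAMPLE_ALERTS).items()):
        print(key, n)
```

Two details worth noticing: an ICMP portscan at any sensitivity maps to no SID at all, so the checker correctly reports nothing to enable for it, and SID 27 counts as a TCP port sweep event at Low sensitivity, so the summary attributes it to the sweeping host rather than to a separate category. Because the detector never drops packets, the checker treats Drop and Generate Events exactly like Generate Events.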