Print Download Documentation Send Feedback

Previous

Next

Sweep Scan - Advanced

What can I do here?

Use this window to set the detection sensitivity.

Getting Here

Getting Here - Security Policies > Threat Prevention > Policy > Threat Tools > IPS Protections > Sweep Scan > Select a profile > Edit profile > Advanced

Understanding Sweep Scanning

In this window you can select one of three levels of port scan detection sensitivity. Each level represents the amount of inactive ports scanned during a certain amount of time. When port scanning is detected a log or alert is issued.

Port scanning is a method of intelligence gathering. Gathering information about computers is not in itself an attack, but the information can be used later to target and attack vulnerable computers.

A sweep scan tries to find out which hosts in the network have opened a specific port, in other words, the hosts that offer a specific service.

How does IPS Detect Sweep Scans?

The Sweep Scan feature does not physically block port scanning. IPS detects ports scans with one of three possible levels of detection sensitivity. When a port scan is detected a log or alert is issued. The source of the port scan is identified in the log. The administrator can choose to add the source IP to the quarantine list.

IPS can monitor and log the ports on which a sweep scan has been performed.

How To Block Port Scans

It is possible to block clients that IPS detects as performing port scanning, by configuring automatic SAM (Suspicious Activity Monitoring) alert rules on the Security Management server to block offending IPs. For information about the sam_alert command see the Command Line Interface (CLI) guide.

Note - An automatic sam_alert rule may expose legitimate hosts to a remote DoS attack. An attacker could spoof a port scan from a legitimate IP, which would then be blocked by the automatic SAM rule.

Detection Sensitivity

The sensitivity of the port scan detection can be changed. Predefined or a customized settings can be chosen. The predefined settings provide high, medium or low detection sensitivity. A high sensitivity catches even long, slow scans, but may give false positives for legitimate network activity. Low detection sensitivity, reduces the number of false positives, but may miss long, patient scans.