Portscan Event Packet View

When you enable the accompanying preprocessor rules, the portscan detector generates intrusion events that you can view just as you would any other intrusion event. However, the information presented on the packet view is different from the other types of intrusion events.

Begin by using the intrusion event views to drill down to the packet view for a portscan event. Note that you cannot download a portscan packet because single portscan events are based on multiple packets; however, the portscan packet view provides all usable packet information.

For any IP address, you can click the address to open the context menu and select whois to perform a lookup on the IP address, or View Host Profile to view the host profile for that host.

Portscan Packet View (Information: Description)

Device: The device that detected the event.

Time: The time when the event occurred.

Message: The event message generated by the preprocessor.

Source IP: The IP address of the scanning host.

Destination IP: The IP address of the scanned host.

Priority Count: The number of negative responses (for example, TCP RSTs and ICMP unreachables) from the scanned host. The higher the number of negative responses, the higher the priority count.

Connection Count: The number of active connections on the hosts. This value is more accurate for connection-based scans such as TCP and IP.

IP Count: The number of times that the IP address contacting the scanned host changes. For example, if the first IP address is 10.1.1.1, the second IP address is 10.1.1.2, and the third IP address is 10.1.1.1, then the IP count is 3. This number is less accurate for active hosts such as proxies and DNS servers.

Scanner/Scanned IP Range: The range of IP addresses for the scanned hosts or the scanning hosts, depending on the type of scan. For portsweeps, this field shows the IP range of the scanned hosts. For portscans, it shows the IP range of the scanning hosts.

Port/Proto Count: For TCP and UDP portscans, the number of times that the port being scanned changes. For example, if the first port scanned is 80, the second port scanned is 8080, and the third port scanned is again 80, then the port count is 3. For IP protocol portscans, the number of times that the protocol being used to connect to the scanned host changes.

Port/Proto Range: For TCP and UDP portscans, the range of the ports that were scanned. For IP protocol portscans, the range of IP protocol numbers that were used to attempt to connect to the scanned host.

Open Ports: The TCP ports that were open on the scanned host. This field appears only when the portscan detects one or more open ports.
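The counting rules in the table (IP Count and Port/Proto Count count every change, the first observation included; Priority Count counts negative responses) are easy to misread, so here is an added example, not Cisco or Snort code, that derives those packet-view fields from a constructed TCP probe/reply sequence. The Pkt record, the `portscan_view` function and the inference of an open port from a SYN/ACK reply are assumptions of this example; Connection Count is not reproduced because it needs flow state the records do not carry.

```python
"""Added example (not Cisco/Snort code): derive portscan packet-view fields
from a constructed packet sequence to show how the counts are defined."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str    # sending host
    dst: str    # receiving host
    port: int   # scanned TCP port (dst port of a probe, src port of a reply)
    kind: str   # "S" SYN probe, "SA" SYN/ACK, "R" RST, "ICMPU" ICMP unreachable

def change_count(values):
    """Times a value changes, the first observation counting as one:
    80, 8080, 80 -> 3, exactly as the Port/Proto Count row describes."""
    count, prev = 0, None
    for v in values:
        if v != prev:
            count += 1
            prev = v
    return count

def portscan_view(packets, scanned_ip):
    """Compute the packet-view fields for one scanned host."""
    probes = [p for p in packets if p.dst == scanned_ip and p.kind == "S"]
    replies = [p for p in packets if p.src == scanned_ip]
    scanners = [p.src for p in probes]
    ports = [p.port for p in probes]
    ip_range = sorted(ipaddress.ip_address(s) for s in set(scanners))
    return {
        "Destination IP": scanned_ip,
        # RSTs and ICMP unreachables from the scanned host are negative responses
        "Priority Count": sum(1 for p in replies if p.kind in ("R", "ICMPU")),
        "IP Count": change_count(scanners),
        "Scanner IP Range": f"{ip_range[0]}-{ip_range[-1]}",   # portscan case
        "Port Count": change_count(ports),
        "Port Range": f"{min(ports)}-{max(ports)}",
        # assumption: a SYN/ACK reply marks the port as open
        "Open Ports": sorted({p.port for p in replies if p.kind == "SA"}),
    }

# Constructed probe/reply sequence against 192.0.2.10 (not a real capture).
SAMPLE = [
    Pkt("10.1.1.1", "192.0.2.10", 22, "S"),   Pkt("192.0.2.10", "10.1.1.1", 22, "SA"),
    Pkt("10.1.1.1", "192.0.2.10", 80, "S"),   Pkt("192.0.2.10", "10.1.1.1", 80, "SA"),
    Pkt("10.1.1.2", "192.0.2.10", 8080, "S"), Pkt("192.0.2.10", "10.1.1.2", 8080, "R"),
    Pkt("10.1.1.1", "192.0.2.10", 443, "S"),  Pkt("192.0.2.10", "10.1.1.1", 443, "ICMPU"),
    Pkt("10.1.1.1", "192.0.2.10", 8080, "S"), Pkt("192.0.2.10", "10.1.1.1", 8080, "R"),
]

if __name__ == "__main__":
    for name, value in portscan_view(SAMPLE, "192.0.2.10").items():
        print(f"{name}: {value}")
```

For the sample, the scanner sequence 10.1.1.1, 10.1.1.1, 10.1.1.2, 10.1.1.1, 10.1.1.1 yields an IP Count of 3 even though only two hosts are involved, which is why the table warns that this figure is less accurate for busy hosts.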