Configuring Portscan Detection

Note	This section applies to Snort 2 preprocessors. For information on Snort 3 inspectors, see https://www.cisco.com/go/snort3-inspectors.

The portscan detection configuration options allow you to finely tune how the portscan detector reports scan activity.

Procedure

Step 1

Choose Policies > Access Control, then click Network Analysis Policy or Policies > Access Control > Intrusion, then click Network Analysis Policies.

Note	If your custom user role limits access to the first path listed here, use the second path to access the policy.

Step 2

Click Snort 2 Version next to the policy you want to edit.

Step 3

Click Edit ( edit icon ) next to the policy you want to edit.

If View ( View button ) appears instead, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.

Step 4

Click Settings.

Step 5

If Portscan Detection under Specific Threat Detection is disabled, click Enabled.

Step 6

Click Edit ( edit icon ) next to Portscan Detection.

Step 7

In the Protocol field, specify protocols to enable.

Note	You must ensure TCP stream processing is enabled to detect scans over TCP, and that UDP stream processing is enabled to detect scans over UDP.

Step 8

In the Scan Type field, specify portscan types you want to detect.

Step 9

Choose a level from the Sensitivity Level list; see Portscan Types, Protocols, and Filtered Sensitivity Levels.

Step 10

If you want to monitor specific hosts for signs of portscan activity, enter the host IP address in the Watch IP field.

You can specify a single IP address or address block, or a comma-separated lists of either or both. Leave the field blank to watch all network traffic.

Step 11

If you want to ignore hosts as scanners, enter the host IP address in the Ignore Scanners field.

You can specify a single IP address or address block, or a comma-separated lists of either or both.

Step 12

If you want to ignore hosts as targets of a scan, enter the host IP address in the Ignore Scanned field.

You can specify a single IP address or address block, or a comma-separated lists of either or both.

Tip	Use the Ignore Scanners and Ignore Scanned fields to indicate hosts on your network that are especially active. You may need to modify this list of hosts over time.

Step 13

If you want to discontinue monitoring of sessions picked up in mid-stream, clear the Detect Ack Scans check box.

Note	Detection of mid-stream sessions helps to identify ACK scans, but may cause false events, particularly on networks with heavy traffic and dropped packets.

Step 14

To save changes you made in this policy since the last policy commit, click Policy Information, then click Commit Changes.

If you leave the policy without committing changes, changes since the last commit are discarded if you edit a different policy.

What to do next

If you want portscan detection to detect various portscans and portsweeps, enable rules 122:1 through 122:27. For more information, see Intrusion Rule States and Portscan Event Generation.
Deploy configuration changes.