
Enabling TCP Port Scan alert


Hey guys,

I'm using an NSP Sensor M1450.

To test alerts I did a TCP port scan a couple of times, but there was no success.

How can I enable TCP port scan to receive alerts in Dashboards?

Thanks, best regards


7 Replies
Message 2 of 8

Re: Enabling TCP Port Scan alert


Hi Benjamin,

Look at the policy you have applied to the IDS device in Policy > Intrusion Detection > IPS Policy.

Edit the policy and search for 'port scan'.

Make sure the attack is enabled and check the threshold value for the attack.

Also, the RTTA only displays High and Medium severity alerts, so if it's set to a lower severity, use the Historical TA to search for it.

Peter


Re: Enabling TCP Port Scan alert


Hey Peter,

I got these policies in the "port scan" search.

Which one should I enable? And is that the correct path? (/My Company > Intrusion Prevention > IPS Policies)

[Screenshot: tcp port scan.JPG]

Message 4 of 8 (Accepted Solution)

Re: Enabling TCP Port Scan alert


Hi Benjamin,

Yes, you're in the right place.

To find out which policy you need to edit, go to Policy > My Company > Intrusion Prevention > Policy Manager.

You will see a list of your sensors and the policy applied to each interface.

Which attack you need to enable will depend on how you are running your port scan. Are you using a software tool, and does it have different options for port scans?

As per @jvdavis456 above, there is a threshold set for each attack. You can see it by selecting an attack and double-clicking to edit it. Look at the settings; you may need to lower this value or increase the amount of scans you're running to meet it and generate alerts.

After you enable the attack you will need to 'Deploy Changes' to the sensors to make it take effect.

Peter


Re: Enabling TCP Port Scan alert


I'm running Nmap for scanning.

Which one should I enable to trigger the alert?

Message 6 of 8

Re: Enabling TCP Port Scan alert


Hi Benjamin,

According to the Nmap documentation here:

Port Scanning Techniques

A SYN scan is the default type.

Peter


Re: Enabling TCP Port Scan alert


Okay, the test was successful by enabling all policies for "Port Scan".

Then I ran Nmap on 2 IP hosts; one is located in the DMZ and the other in the corporate network.

The alert triggered for the DMZ host, not for the internal host.

Thanks,


Re: Enabling TCP Port Scan alert


Benjamin,

If you still aren't seeing the alerts after following Peter's suggestions, verify the threshold on the TCP Port Scan Attack Definition is sensitive enough to detect the scan volume you are sending.
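The replies above come down to a per-attack threshold deciding whether a test scan produces an alert. The following added example (not McAfee NSP code and not its detection algorithm) shows a generic threshold detector run over constructed connection records; the event format, the 60-second window, the threshold values and all names are assumptions of this example.

```python
from collections import defaultdict, deque

def detect_port_scans(events, threshold, window):
    """Return (time, src, dst) alerts for each source that sends SYNs to at
    least `threshold` distinct ports on one destination within `window` seconds.

    events: (timestamp_s, src_ip, dst_ip, dst_port) tuples sorted by time
    (a constructed format, assumed for this example).
    """
    recent = defaultdict(deque)   # (src, dst) -> (ts, port) pairs still in the window
    alerted = set()               # raise one alert per (src, dst) pair
    alerts = []
    for ts, src, dst, port in events:
        q = recent[(src, dst)]
        q.append((ts, port))
        while ts - q[0][0] > window:      # expire records older than the window
            q.popleft()
        distinct_ports = {p for _, p in q}
        if len(distinct_ports) >= threshold and (src, dst) not in alerted:
            alerted.add((src, dst))
            alerts.append((ts, src, dst))
    return alerts

def sample_events():
    """Constructed records using documentation address ranges."""
    target = "198.51.100.5"
    events = []
    # High-volume test scan: 100 ports at 10 ports per second.
    events += [(i // 10, "192.0.2.10", target, 1 + i) for i in range(100)]
    # Low-volume test scan: 100 ports at one port every 5 seconds.
    events += [(i * 5, "192.0.2.20", target, 1 + i) for i in range(100)]
    # Busy legitimate client: 200 connections, all to port 443.
    events += [(i // 20, "192.0.2.30", target, 443) for i in range(200)]
    return sorted(events)

if __name__ == "__main__":
    ev = sample_events()
    for threshold in (200, 50, 10):
        sources = sorted({src for _, src, _ in detect_port_scans(ev, threshold, 60)})
        print(f"threshold={threshold:>3}: alerting sources = {sources}")
```

Only the high-volume scan alerts at a threshold of 50, both test scans alert at 10, and nothing alerts at 200, while the busy client never alerts because it touches a single port.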
