Port Scan Inspector Overview
Property | Value |
---|---|
Type | Inspector (probe) |
Usage | Global |
Instance Type | Global |
Other Inspectors Required | None |
Enabled | false |
A port scan is a form of network reconnaissance that is often used by attackers as a prelude to an attack. In a port scan, an attacker sends packets designed to probe for network protocols and services on a targeted host. By examining the packets sent in response by a host, the attacker can determine which ports are open on the host and, either directly or by inference, which application protocols are running on these ports.
By itself, a port scan is not evidence of an attack. Legitimate users on your network may employ similar port scanning techniques used by attackers.
The port_scan inspector detects four types of portscan and monitors connection attempts on the TCP, UDP, ICMP, and IP protocols. By detecting patterns of activity, the port_scan inspector helps you determine which port scans might be malicious.
Protocol | Description |
---|---|
TCP | Detects TCP probes such as SYN scans, ACK scans, TCP connect() scans, and scans with unusual flag combinations (Xmas tree, FIN, and NULL scans). |
UDP | Detects UDP probes such as zero-byte UDP packets. |
ICMP | Detects ICMP echo requests (pings). |
IP | Detects IP protocol scans. Instead of looking for open ports, Snort searches for IP protocols which are supported on a target host. |
Port scans are generally divided into four types based on the number of targeted hosts, the number of scanning hosts, and the number of ports that are scanned.
Type | Description |
---|---|
Portscan | A one-to-one port scan in which an attacker uses one or a few hosts to scan multiple ports on a single target host. One-to-one port scans are characterized by a low number of scanning hosts, a single scanned host, and a high number of scanned ports. Detects TCP, UDP, and IP port scans. |
Portsweep | A one-to-many port sweep in which an attacker uses one or a few hosts to scan a single port on multiple target hosts. Port sweeps are characterized by a low number of scanning hosts, a high number of scanned hosts, and a low number of unique scanned ports. Detects TCP, UDP, ICMP, and IP port sweeps. |
Decoy Portscan | A one-to-one port scan in which the attacker mixes spoofed source IP addresses with the actual scanning IP address. Decoy port scans are characterized by a low number of real scanning hosts hidden among spoofed sources, a single scanned host, and a high number of scanned ports. Detects TCP, UDP, and IP port scans. |
Distributed Portscan | A many-to-one port scan in which multiple hosts query a single host for open ports. Distributed port scans are characterized by a high number of scanning hosts, a single scanned host, and a high number of scanned ports. Detects TCP, UDP, and IP port scans. |
Port Scan Sensitivity Levels
The port_scan inspector provides three default scan sensitivity levels:
- default_low_port_scan
- default_med_port_scan
- default_high_port_scan
You can configure additional scan sensitivity levels with the following filters:
- scans
- rejects
- nets
- ports
The port_scan inspector learns about a probe by gathering negative responses from the probed hosts. For example, when a web client uses TCP to connect to a web server, the client can assume that the web server listens on port 80. However, when an attacker probes a server, the attacker does not know in advance whether the server offers web services. When the port_scan inspector detects a negative response (an ICMP unreachable message or a TCP RST packet), it records the response as a potential portscan. The process is more difficult when the targeted host is on the other side of a device such as a firewall or router that filters negative responses. In this case, the port_scan inspector can generate filtered portscan events based on the sensitivity level that you select.
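The negative-response logic above and the four-way classification in the scan-type table, as an added Python example that is not Snort's code and not the port_scan inspector's implementation: it buckets probes into a time window, counts TCP RST and ICMP unreachable replies as rejects, and reports a portscan, a portsweep, or a distributed portscan from the same three dimensions the page uses (scanning hosts, targets, ports). The Probe record, the sample traffic, and the PROFILES thresholds are constructed for the example; the threshold names borrow the page's filter names (rejects, nets, ports), but the numbers and the "high" level's treatment of unanswered probes as filtered hits are assumptions, and decoy scans are not modelled.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    ts: float       # seconds since start of capture
    src: str        # scanning host
    dst: str        # probed host
    proto: str      # "tcp", "udp", "icmp" or "ip"
    port: int       # destination port (IP protocol number when proto == "ip")
    response: str   # "rst", "unreach", "open" or "none" (no reply observed)


NEGATIVE = {"rst", "unreach"}   # replies counted as rejects, as the page describes

# Assumed thresholds for this toy, not the inspector's real default levels.
# rejects: negative responses needed for a confirmed scan; ports/nets: distinct
# ports/targets that must be touched; hosts: distinct scanners for a distributed
# scan; count_filtered: treat unanswered probes as hits (filtered portscan).
PROFILES = {
    "low":  {"window": 60, "rejects": 15, "ports": 15, "nets": 15, "hosts": 5, "count_filtered": False},
    "high": {"window": 60, "rejects": 5,  "ports": 5,  "nets": 5,  "hosts": 3, "count_filtered": True},
}


def classify(probes, level="low"):
    """Return (kind, scanner(s), target) alerts for each fixed time window."""
    cfg = PROFILES[level]
    by_window = defaultdict(list)
    for p in probes:
        by_window[int(p.ts // cfg["window"])].append(p)

    alerts = []
    for bucket in sorted(by_window):
        one_to_one = defaultdict(set)      # (src, dst) -> ports that drew a hit
        negatives = defaultdict(int)       # (src, dst) -> real negative responses
        sweep = defaultdict(set)           # (src, proto, port) -> targets that drew a hit
        many_to_one = defaultdict(lambda: (set(), set()))   # dst -> (scanners, ports)

        for p in by_window[bucket]:
            neg = p.response in NEGATIVE
            if not neg and not (cfg["count_filtered"] and p.response == "none"):
                continue                   # open service or a reply we do not count
            one_to_one[(p.src, p.dst)].add((p.proto, p.port))
            negatives[(p.src, p.dst)] += int(neg)
            sweep[(p.src, p.proto, p.port)].add(p.dst)
            srcs, ports = many_to_one[p.dst]
            srcs.add(p.src)
            ports.add((p.proto, p.port))

        scanned = set()
        for (src, dst), ports in one_to_one.items():
            if len(ports) >= cfg["ports"]:
                # Enough rejects: confirmed portscan. Hits without rejects mean the
                # negative responses were filtered by a device in the path.
                kind = "portscan" if negatives[(src, dst)] >= cfg["rejects"] else "filtered portscan"
                alerts.append((kind, src, dst))
                scanned.add(dst)
        for (src, proto, port), dsts in sweep.items():
            if len(dsts) >= cfg["nets"]:
                alerts.append(("portsweep", src, f"{proto}/{port}"))
        for dst, (srcs, ports) in many_to_one.items():
            if dst not in scanned and len(srcs) >= cfg["hosts"] and len(ports) >= cfg["ports"]:
                alerts.append(("distributed portscan", tuple(sorted(srcs)), dst))
    return alerts


def sample_probes():
    """Constructed traffic (not a real capture): five scenarios in one 60 s window."""
    probes = []
    # 1. SYN scan of 20 ports on one host; every port is closed, so each gets a RST
    probes += [Probe(1 + i * 0.1, "10.0.0.5", "192.168.1.10", "tcp", 1 + i, "rst") for i in range(20)]
    # 2. sweep of tcp/22 across 20 hosts, all of which refuse
    probes += [Probe(5 + i * 0.1, "10.0.0.6", f"192.168.2.{i + 1}", "tcp", 22, "rst") for i in range(20)]
    # 3. 10 ports probed on a host behind a firewall that silently drops the probes
    probes += [Probe(10 + i * 0.1, "10.0.0.7", "192.168.1.20", "tcp", 8000 + i, "none") for i in range(10)]
    # 4. a legitimate client reaching the web server on an open port
    probes.append(Probe(12, "10.0.0.8", "192.168.1.10", "tcp", 80, "open"))
    # 5. four hosts share one target, three closed ports each
    for h in range(4):
        probes += [Probe(20 + h, f"10.0.1.{h + 1}", "192.168.1.30", "tcp", 100 + h * 3 + j, "rst") for j in range(3)]
    return probes


if __name__ == "__main__":
    for level in ("low", "high"):
        print(level, classify(sample_probes(), level))
```

At the "low" profile only the 20-port scan and the tcp/22 sweep cross their thresholds; at "high" the silently dropped probes against 192.168.1.20 surface as a filtered portscan and the four cooperating hosts hitting 192.168.1.30 surface as a distributed portscan, which is the trade-off the sensitivity levels express: lower thresholds catch more, including traffic a firewall hid, at the cost of more events to triage.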