From aldeid
Jump to navigation Jump to search

portscan: TCP Portscan


Id 122-1
Alert portscan: TCP Portscan
Classification unclassified


This event is generated when the sfPortscan pre-processor detects network traffic that may consititute an attack.

A portscan is often the first stage in a targeted attack against a system. An attacker can use different portscanning techniques and tools to determine the target host operating system and application versions running on the host to determine the possible attack vectors against that host.

More information on this event can be found in the individual pre-processor documentation README.sfportscan in the docs directory of the snort source. Descriptions of different types of portscanning techniques can also be found in the same documentation, along with instructions and examples on how to tune and use the pre-processor.


Unknown. This is normally an indicator of possible network reconnaisance and may be the prelude to a targeted attack against the targeted systems.

Affected systems

All connected network gears

False positives

While not necessarily a false positive, a security audit or penetration test will often employ the use of a portscan in the same way an attacker might use the technique. If this is the case, the pre-processor should be tuned to ignore the audit if so desired.


An attacker wants to first check open ports on a computer. He/she scans the remote host with a specific tool like Nmap.


This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Corrective actions

  • Check for other events targeting the host.
  • Check the target host for signs of compromise.
  • Apply any appropriate vendor supplied patches as appropriate.