portscan: TCP Portsweep

Identification

Id	122-3
Alert	portscan: TCP Portsweep
Classification	unclassified

Trigger

This event is generated when the sfPortscan pre-processor detects network traffic that may consititute an attack.

A portscan is often the first stage in a targeted attack against a system. An attacker can use different portscanning techniques and tools to determine the target host operating system and application versions running on the host to determine the possible attack vectors against that host.

More information on this event can be found in the individual pre-processor documentation README.sfportscan in the docs directory of the snort source. Descriptions of different types of portscanning techniques can also be found in the same documentation, along with instructions and examples on how to tune and use the pre-processor.

Impact

Unknown. This is normally an indicator of possible network reconnaisance and may be the prelude to a targeted attack against the targeted systems.

Affected systems

All

False positives

While not necessarily a false positive, a security audit or penetration test will often employ the use of a portscan in the same way an attacker might use the technique. If this is the case, the pre-processor should be tuned to ignore the audit if so desired.

Scenario

An attacker often uses a portscanning technique to determine operating system type and version and also application versions to determine possible effective attack vectors that can be used against the target host.

Example

Corrective actions

• Check for other events targeting the host.
• Check the target host for signs of compromise.
• Apply any appropriate vendor supplied patches as appropriate.