Viewing portscan alerts
Portscan activity is reported through the existing portscan-specific intrusion events: generator ID (GID) 122 with Snort IDs (SIDs) 1 through 27, plus SID 100 for the block event. The string (port_scan) is prepended to each event message. The events include packet information, and the packet data carries the statistics that triggered the alert.
To see portscan events, go to .
Portscan issues these events regardless of your intrusion policy or network analysis policy (NAP) configuration. Events are issued only when a scanner exceeds the configured number of ports, protocols, or hosts for the given scan or sweep type within the configured time interval for that protocol. A port scan from one host generates one event per interval as soon as the threshold is met; if the same host starts another port scan within the same interval, no additional event is reported.
The following table shows the possible events.
| Portscan type | Intrusion event |
|---|---|
| TCP Regular, Decoy, Distributed Scan | 122:1 (port_scan) TCP portscan |
| TCP Portsweep | 122:3 (port_scan) TCP portsweep |
| TCP Distributed Scan | 122:4 (port_scan) TCP distributed portscan |
| IP Regular, Decoy, Distributed Protocol Scan | 122:9 (port_scan) IP protocol scan |
| IP Protocol Sweep | 122:11 (port_scan) IP protocol sweep |
| IP Distributed Scan | 122:12 (port_scan) IP distributed protocol scan |
| UDP Regular, Decoy, Distributed Scan | 122:17 (port_scan) UDP portscan |
| UDP Portsweep | 122:19 (port_scan) UDP portsweep |
| UDP Distributed Scan | 122:20 (port_scan) UDP distributed portscan |
| ICMP Sweep | 122:25 (port_scan) ICMP sweep |
| Portscan Block | 122:100 (port_scan) host blocked due to portscan activity |
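When portscan events are exported as text (for example, syslog or a Snort-style alert file) rather than viewed in the management console, the GID:SID pair is what identifies them. The following script is an added example, not part of this documentation or of the product: it parses alert lines in the Snort "fast" alert layout, keeps only GID 122 events, maps each SID to the scan type from the table above, and groups the results by scanner address so that a host that has already triggered 122:100 (block) is visible at a glance. The sample alert lines are constructed for this example, and the exact field order of exported alerts (timestamp, [gid:sid:rev], message, priority, protocol, source -> destination) is an assumption; adjust ALERT_RE to match your export format.

```python
import re
from collections import defaultdict

# SID -> portscan type for GID 122, taken from the table above.
PORTSCAN_SIDS = {
    1: "TCP portscan",
    3: "TCP portsweep",
    4: "TCP distributed portscan",
    9: "IP protocol scan",
    11: "IP protocol sweep",
    12: "IP distributed protocol scan",
    17: "UDP portscan",
    19: "UDP portsweep",
    20: "UDP distributed portscan",
    25: "ICMP sweep",
    100: "host blocked due to portscan activity",
}

# Constructed sample lines (not real captures) in a Snort "fast" alert layout.
# The field order is an assumption about the export format; the second line is
# an unrelated rule hit (GID 1) that the filter must ignore.
SAMPLE_ALERTS = """\
01/15-10:02:11.123456  [**] [122:1:1] (port_scan) TCP portscan [**] [Priority: 3] {PROTO:255} 192.0.2.10 -> 198.51.100.20
01/15-10:02:12.000001  [**] [1:2000001:1] some other rule [**] [Priority: 2] {TCP} 192.0.2.10:51000 -> 198.51.100.20:22
01/15-10:03:40.654321  [**] [122:3:1] (port_scan) TCP portsweep [**] [Priority: 3] {PROTO:255} 192.0.2.10 -> 198.51.100.0
01/15-10:04:02.000000  [**] [122:17:1] (port_scan) UDP portscan [**] [Priority: 3] {PROTO:255} 192.0.2.77 -> 198.51.100.20
01/15-10:04:05.000000  [**] [122:100:1] (port_scan) host blocked due to portscan activity [**] [Priority: 3] {PROTO:255} 192.0.2.77 -> 198.51.100.20
"""

# Timestamp, [gid:sid:rev], message, then source -> destination (IPv4 only here;
# an optional :port suffix on either address is accepted and discarded).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\s"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s*$"
)


def parse_portscan_alerts(text):
    """Return the GID 122 events found in text, each labelled with its scan type."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # malformed or unsupported line; skip rather than fail
        gid, sid = int(m["gid"]), int(m["sid"])
        if gid != 122:
            continue  # not a port_scan event
        events.append({
            "ts": m["ts"],
            "sid": sid,
            "type": PORTSCAN_SIDS.get(sid, f"unknown port_scan SID {sid}"),
            "src": m["src"],
            "dst": m["dst"],
        })
    return events


def summarize_by_scanner(events):
    """Group events by scanner address: per-type counts plus whether 122:100 fired."""
    summary = defaultdict(lambda: {"scan_types": defaultdict(int), "blocked": False})
    for e in events:
        entry = summary[e["src"]]
        if e["sid"] == 100:
            entry["blocked"] = True  # the block event is a state change, not a scan type
        else:
            entry["scan_types"][e["type"]] += 1
    return {
        src: {"scan_types": dict(v["scan_types"]), "blocked": v["blocked"]}
        for src, v in summary.items()
    }


if __name__ == "__main__":
    for src, info in summarize_by_scanner(parse_portscan_alerts(SAMPLE_ALERTS)).items():
        flag = " [BLOCKED]" if info["blocked"] else ""
        print(f"{src}{flag}: {info['scan_types']}")
```

Because the inspector emits at most one event per scanner per interval, the per-type counts here are counts of intervals in which the threshold was exceeded, not counts of probed ports; the port and host statistics themselves are in the packet data of each event, which this text-level parser does not see.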