Detection in the low sensitivity level
If you select the low sensitivity level, the system tracks negative responses for TCP, UDP, and ICMP initial packets. Only if the number of unsuccessful connections is more than the rejection threshold (10% in low sensitivity) and the port/IP protocol count is more than the configured threshold, is an alert triggered. This mitigates false positives.
Rejection threshold applies to low sensitivity (or equivalent custom settings) only; it does not apply to other sensitivity levels or their custom equivalents.
If there is a mix of allowed and blocked traffic, the number of rejected ports or hosts is calculated based on the difference between allowed and blocked traffic. In the case of only blocked traffic, the rejection threshold is not considered.
These criteria are not used for UDP/ICMP connections on interfaces configured in inline sets.
For example, in low sensitivity mode, the port count threshold is 120. Thus, the rejection count threshold is 10% of 120, which is 12. The following examples show how the system would issue portscan events under this configuration:
- An attacker initiates connections with 131 ports of the target and the target positively acknowledges all the initiations. Port count = 131, which is greater than the threshold, but a portscan alert is not triggered because there are no negative acknowledgements.
- An attacker initiates connections with 131 ports of the target and the target positively acknowledges 121 initiations and negatively acknowledges 10 initiations. Port count = 131, which is greater than the threshold, but reject port count = 10, which is less than the rejection threshold. Therefore, a portscan alert is not triggered.
- An attacker initiates connections with 134 ports of the target and the target positively acknowledges 121 initiations and negatively acknowledges 13 initiations. Port count = 134, which is greater than the threshold, and reject port count = 13, which is also higher than the rejection threshold. Therefore, a portscan alert is triggered.
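The decision rule above, modelled as an added example (this is illustrative code, not the product's own detector). It assumes the documented low-sensitivity values (port count threshold 120, rejection threshold 10% of it) and treats the rejected count as the number of negatively acknowledged initiations, as the three worked cases do; the `ScanObservation` fields and function names are the example's own.

```python
# Added example: models the low-sensitivity portscan decision rule described
# in the text. Not the product's implementation; thresholds are the documented
# low-sensitivity values and the "reject count" is taken to be the number of
# negatively acknowledged initiations, as in the worked examples.
from dataclasses import dataclass

PORT_COUNT_THRESHOLD = 120   # low-sensitivity port count threshold (from the text)
REJECTION_RATIO = 0.10       # rejection threshold is 10% of the port threshold


def rejection_threshold(port_threshold: int = PORT_COUNT_THRESHOLD) -> int:
    """10% of the port count threshold: 120 -> 12."""
    return int(port_threshold * REJECTION_RATIO)


@dataclass
class ScanObservation:
    """Per-source tally for one scan window (names are this example's own)."""
    ports_probed: int    # distinct target ports the source sent initial packets to
    positive_acks: int   # initiations the target accepted (allowed traffic)
    negative_acks: int   # initiations the target rejected (blocked traffic)


def portscan_alert(obs: ScanObservation,
                   port_threshold: int = PORT_COUNT_THRESHOLD) -> bool:
    """True when the low-sensitivity rule would raise a portscan event."""
    # The port count must exceed the configured threshold in every case.
    if obs.ports_probed <= port_threshold:
        return False
    # Only blocked traffic: the rejection threshold is not considered.
    if obs.positive_acks == 0:
        return True
    # Mixed allowed/blocked traffic: the rejected count must also exceed
    # the rejection threshold before an alert is raised.
    return obs.negative_acks > rejection_threshold(port_threshold)


def documented_cases() -> list[bool]:
    """Replays the three worked examples from the text, in order."""
    return [
        portscan_alert(ScanObservation(131, 131, 0)),    # no negative acks
        portscan_alert(ScanObservation(131, 121, 10)),   # 10 rejects, not > 12
        portscan_alert(ScanObservation(134, 121, 13)),   # 13 rejects, > 12
    ]


if __name__ == "__main__":
    print(documented_cases())  # [False, False, True]
```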