Portscan Event Generation
When portscan detection is enabled, you must enable rules with Generator ID (GID) 122 and a Snort ID (SID) from among SIDs 1 through 27 to detect the various portscans and portsweeps.
Note: For events generated by the portscan connection detector, the protocol number is set to 255. Because portscan does not have a specific protocol associated with it by default, the Internet Assigned Numbers Authority (IANA) does not have a protocol number assigned to it. IANA designates 255 as a reserved number, so that number is used in portscan events to indicate that there is not an associated protocol for the event.
| Portscan Type | Protocol | Sensitivity Level | Preprocessor Rule SID |
|---|---|---|---|
| Portscan Detection | TCP | Low | 1 |
| Portscan Detection | TCP | Medium or High | 5 |
| Portscan Detection | UDP | Low | 17 |
| Portscan Detection | UDP | Medium or High | 21 |
| Portscan Detection | ICMP | Low | Does not generate events. |
| Portscan Detection | ICMP | Medium or High | Does not generate events. |
| Portscan Detection | IP | Low | 9 |
| Portscan Detection | IP | Medium or High | 13 |
| Port Sweep | TCP | Low | 3, 27 |
| Port Sweep | TCP | Medium or High | 7 |
| Port Sweep | UDP | Low | 19 |
| Port Sweep | UDP | Medium or High | 23 |
| Port Sweep | ICMP | Low | 25 |
| Port Sweep | ICMP | Medium or High | 26 |
| Port Sweep | IP | Low | 11 |
| Port Sweep | IP | Medium or High | 15 |
| Decoy Portscan | TCP | Low | 2 |
| Decoy Portscan | TCP | Medium or High | 6 |
| Decoy Portscan | UDP | Low | 18 |
| Decoy Portscan | UDP | Medium or High | 22 |
| Decoy Portscan | ICMP | Low | Does not generate events. |
| Decoy Portscan | ICMP | Medium or High | Does not generate events. |
| Decoy Portscan | IP | Low | 10 |
| Decoy Portscan | IP | Medium or High | 14 |
| Distributed Portscan | TCP | Low | 4 |
| Distributed Portscan | TCP | Medium or High | 8 |
| Distributed Portscan | UDP | Low | 20 |
| Distributed Portscan | UDP | Medium or High | 24 |
| Distributed Portscan | ICMP | Low | Does not generate events. |
| Distributed Portscan | ICMP | Medium or High | Does not generate events. |
| Distributed Portscan | IP | Low | 12 |
| Distributed Portscan | IP | Medium or High | 16 |
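As an added example (not part of this documentation or of any Cisco or Snort code), a small checker that reads Snort 2 style rule lines, collects which GID 122 SIDs are active, and reports, from the table above, which portscan type, protocol and sensitivity combinations would stay silent because a required SID is disabled. The rule lines, message strings and function names are constructed assumptions; only the GID/SID values come from the table.

```python
import re

# Constructed sample in Snort 2 rules syntax (not a real Cisco or Snort file): GID 122
# SIDs 1, 5 and 27 are active, SID 3 is commented out, and the GID 119 line is not portscan.
SAMPLE_RULES = """\
alert ( msg:"sample portscan rule"; sid:1; gid:122; rev:1; classtype:attempted-recon; )
alert ( msg:"sample portscan rule"; sid:5; gid:122; rev:1; classtype:attempted-recon; )
# alert ( msg:"sample portscan rule"; sid:3; gid:122; rev:1; classtype:attempted-recon; )
alert ( msg:"sample portscan rule"; sid:27; gid:122; rev:1; classtype:attempted-recon; )
alert ( msg:"sample non-portscan rule"; sid:31; gid:119; rev:1; classtype:protocol-command-decode; )
"""

# SIDs from the table above per (type, protocol): (Low SIDs, Medium-or-High SIDs);
# None marks the rows that do not generate events.
SID_TABLE = {
    "Portscan Detection":   {"TCP": ((1,), (5,)),    "UDP": ((17,), (21,)), "ICMP": None,           "IP": ((9,), (13,))},
    "Port Sweep":           {"TCP": ((3, 27), (7,)), "UDP": ((19,), (23,)), "ICMP": ((25,), (26,)), "IP": ((11,), (15,))},
    "Decoy Portscan":       {"TCP": ((2,), (6,)),    "UDP": ((18,), (22,)), "ICMP": None,           "IP": ((10,), (14,))},
    "Distributed Portscan": {"TCP": ((4,), (8,)),    "UDP": ((20,), (24,)), "ICMP": None,           "IP": ((12,), (16,))},
}
GID_RE = re.compile(r"\bgid:\s*(\d+)")
SID_RE = re.compile(r"\bsid:\s*(\d+)")

def enabled_gid122_sids(rules_text):
    """Return the set of GID 122 SIDs whose rule line is active (not '#'-commented)."""
    enabled = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out rule: not enabled
        gid, sid = GID_RE.search(line), SID_RE.search(line)
        if gid and sid and gid.group(1) == "122":
            enabled.add(int(sid.group(1)))
    return enabled

def coverage_gaps(enabled):
    """Return (type, protocol, sensitivity, missing SIDs) for every combination left silent."""
    gaps = []
    for scan_type, by_proto in SID_TABLE.items():
        for proto, levels in by_proto.items():
            if levels is None:
                continue  # 'Does not generate events': nothing to enable here
            for level, required in zip(("Low", "Medium or High"), levels):
                missing = sorted(set(required) - set(enabled))
                if missing:
                    gaps.append((scan_type, proto, level, missing))
    return gaps

# For the constructed sample: 24 gaps, e.g. TCP Port Sweep at Low is missing SID 3.
SAMPLE_GAPS = coverage_gaps(enabled_gid122_sids(SAMPLE_RULES))
```

With all 27 SIDs active, `coverage_gaps` returns an empty list; ICMP rows for the three detectors that never alert are skipped rather than reported as gaps.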