CSA rule for Port Sweep

I have a Network Shield rule that has "TCP/UDP port scan" checked, communicating with all IP Addresses using @local. It was generating a lot of junk events like this:

A portscan was detected Reason: ICMP unreachable. ICMP: 10.1.1.101->10.1.1.102 type destination_unreachable/03. The operation was allowed by a rule (rule defaults).

If I run Superscan against a test machine, I just get 1 event:

A portscan was detected Reason: TCP reset packet detected. IP: ->, protocol . The operation was allowed by a rule (rule defaults).

I know that there is a bug in 4.5.1.654 causing the event to not include IP addresses, but it's the event itself, or lack of, I'm concerned with.

I would like to create a more robust rule... something that gives me a clear indication of a port scan in progress.
