12.07.2015 Views

Symantec™ Security Gateways Reference Guide - Sawmill


IDS events

Probes

Portscan

Base Event: COUNTER_UDP_PORTSCAN

Details: A UDP port scan was detected. A port scan is typically an information gathering or probing attempt. An attacker will use a scan to determine which network ports have programs listening on them. They may also be able to identify the application and target operating system. This information is used to focus subsequent attacks.

Port scans may vary in method and timing. An attacker often uses these variations in an attempt to evade or penetrate defensive measures such as security gateways and intrusion detection systems. UDP port scans are detected by monitoring patterns in UDP connection activity and corresponding ICMP unreachable errors in a given network and observing activity characteristic of a port scan.

Response: Responses to UDP port scans typically include locating the source of the scan and identifying the operator. Note that in many scans some of the source addresses are forged to make the location effort more difficult. If the origin of the scan appears to cross a security gateway or other perimeter filter, responses may also include review and modification of that device's configuration to prevent future successful scanning attempts.

Affected: No specific targets.

False Positives: It is possible for some legitimate network management tools which perform network probing to be detected as port scans.

Portsweep

Base Event: COUNTER_TCP_PORTSWEEP

Details: A TCP port sweep has been detected. TCP port sweeps are used to determine if a particular port is open on a set of machines and are used to focus subsequent attacks. A sweep is essentially a port scan of a set of machines (usually a range of IP addresses) looking for one particular service (for example, a Web server).

Response: Responses to port sweeps typically include locating the source of the scan and identifying the operator. Note that in many scans some of the source addresses are forged to make the location effort more difficult. If the origin of the scan appears to cross a security gateway or other perimeter filter, responses may also include review and modification of that device's configuration to prevent future successful scanning attempts.

Affected: No specific targets.

False Positives: It is possible for some legitimate network management tools to be detected as port sweeps.

Portsweep

Base Event: COUNTER_UDP_PORTSWEEP

Details: A UDP port sweep has been detected. UDP port sweeps are used to determine if a particular port is open on a set of machines and are used to focus subsequent attacks. A sweep is essentially a port scan of a set of machines (usually a range of IP addresses) looking for one particular service (for example, a DNS server).

Response: Responses to port sweeps typically include locating the source of the scan and identifying the operator. Note that in many scans some of the source addresses are forged to make the location effort more difficult. If the origin of the scan appears to cross a firewall or other perimeter filter, responses may also include review and modification of that device's configuration to prevent future successful scanning attempts.

Affected: No specific targets.

False Positives: It is possible for some legitimate network management tools to be detected as port sweeps.
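The difference between the UDP port scan and UDP port sweep events above, and the role of ICMP unreachable errors in detecting them, can be shown with a short sketch. This is an added example, not code from the Symantec guide or the gateway itself; the thresholds, the event tuple layout and the function names are assumptions, and the traffic is constructed from documentation address ranges.

```python
from collections import defaultdict

# Assumed thresholds; the guide does not publish the gateway's actual values.
MIN_TARGETS = 10      # distinct ports (scan) or hosts (sweep) probed
MIN_UNREACH = 5       # ICMP port-unreachable replies within that group


def classify_udp_probes(events):
    """events: (kind, src, dst, dport) tuples, kind "udp" or "icmp_unreach".

    For "icmp_unreach", src is the probed host replying to dst about dport.
    Returns a sorted list of (prober, event_name, subject).
    """
    sent, closed = set(), set()
    for kind, src, dst, dport in events:
        if kind == "udp":
            sent.add((src, dst, dport))
        elif kind == "icmp_unreach" and (dst, src, dport) in sent:
            closed.add((dst, src, dport))   # correlate error with the probe

    by_host = defaultdict(set)   # (prober, target host) -> ports probed
    by_port = defaultdict(set)   # (prober, port) -> hosts probed
    for prober, host, port in sent:
        by_host[(prober, host)].add(port)
        by_port[(prober, port)].add(host)

    findings = []
    for (prober, host), ports in by_host.items():
        unreach = sum((prober, host, p) in closed for p in ports)
        if len(ports) >= MIN_TARGETS and unreach >= MIN_UNREACH:
            findings.append((prober, "COUNTER_UDP_PORTSCAN", host))
    for (prober, port), hosts in by_port.items():
        unreach = sum((prober, h, port) in closed for h in hosts)
        if len(hosts) >= MIN_TARGETS and unreach >= MIN_UNREACH:
            findings.append((prober, "COUNTER_UDP_PORTSWEEP", f"udp/{port}"))
    return sorted(findings)


def sample_events():
    """Constructed traffic using documentation address ranges."""
    ev = []
    for port in range(1, 13):                       # one host, many ports
        ev.append(("udp", "192.0.2.10", "198.51.100.5", port))
        ev.append(("icmp_unreach", "198.51.100.5", "192.0.2.10", port))
    for i in range(1, 13):                          # many hosts, one port
        ev.append(("udp", "192.0.2.20", f"198.51.100.{i}", 53))
        if i % 2:
            ev.append(("icmp_unreach", f"198.51.100.{i}", "192.0.2.20", 53))
    for i in range(1, 13):                          # poller, all hosts answer
        ev.append(("udp", "192.0.2.30", f"198.51.100.{i}", 161))
    return ev
```

Under these assumed rules the poller at 192.0.2.30 is not reported because none of its probes draws an ICMP unreachable; a management tool that does hit closed ports would be reported, which is the false-positive case the entries describe.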
