Portscan attack (Port_Scan)

About this signature or vulnerability

IBM Security Host Protection for Servers (Unix), RealSecure Server Sensor:

RealSecure has detected a port scan occurring on your network. Standard port scans, as well as stealth scans, are detected by this signature. Based on parameters configured in the Policy Editor, this signature triggers when a specified number of unique ports have been scanned in a specified period of time (Delta). The configurable parameters are Ports, Delta, DeltaReset, and MaxMemSize.

Configurable Parameters:

On typical networks, the default settings for these parameters do not need to be changed. The Ports and Delta values determine the sensitivity and the speed at which a port scan can be detected. For increased sensitivity, the Ports value should be low, and the Delta value should be high; however, this increases the possibility of false positives caused by normal network activity. In addition, if the Delta value is set very high to allow a time-delayed port scan to be detected, it can consume a large amount of memory.

By default, the DeltaReset option is enabled. When DeltaReset is enabled, the time period (Delta) is reset each time the specified number of ports have been scanned. When DeltaReset is disabled, this signature triggers only once during the specified time period, even if many different ports are scanned during that time.

The MaxMemSize parameter is used to limit the amount of memory used by the Port_Scan signature. By default, the setting for MaxMemSize is 512 kilobytes. The default setting can be changed in the advanced properties of Port_Scan signature in the Policy Editor.

Caution: Setting the MaxMemSize too high may cause your network sensor to crash.

For more information about changing the configurable parameters of a signature, see Changing Advanced Properties.
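The following is an added illustration, not code from the RealSecure sensor, of how the Ports, Delta, DeltaReset and MaxMemSize parameters described above interact. The per-source memory accounting (64 bytes per tracked source) and the oldest-window eviction rule are assumptions made for the example; the sensor's real memory model is not documented on this page.

```python
from dataclasses import dataclass, field

@dataclass
class _SourceState:
    window_start: float
    ports: set = field(default_factory=set)
    alerted: bool = False

class PortScanDetector:
    def __init__(self, ports=10, delta=60.0, delta_reset=True, max_mem_size=512 * 1024):
        self.ports = ports            # unique ports needed to trigger (Ports)
        self.delta = delta            # time window in seconds (Delta)
        self.delta_reset = delta_reset
        # Assumed accounting: ~64 bytes per tracked source (stand-in for MaxMemSize).
        self.max_entries = max(1, max_mem_size // 64)
        self.state = {}

    def observe(self, ts, src, dport):
        """Record one connection attempt; return True if the signature fires."""
        st = self.state.get(src)
        if st is None:
            if len(self.state) >= self.max_entries:
                # Memory cap reached: evict the source with the oldest window.
                oldest = min(self.state, key=lambda s: self.state[s].window_start)
                del self.state[oldest]
            st = self.state[src] = _SourceState(window_start=ts)
        elif ts - st.window_start > self.delta:
            # Delta expired: start a fresh window for this source.
            st.window_start, st.ports, st.alerted = ts, set(), False
        st.ports.add(dport)
        if len(st.ports) < self.ports or st.alerted:
            return False
        if self.delta_reset:
            # DeltaReset on: restart the window so the next N ports fire again.
            st.window_start, st.ports = ts, set()
        else:
            # DeltaReset off: fire once, then stay quiet until Delta expires.
            st.alerted = True
        return True

def count_alerts(events, **params):
    """Replay (timestamp, source, dest_port) events and count alerts."""
    det = PortScanDetector(**params)
    return sum(det.observe(*e) for e in events)

# Constructed sample traffic (not real captures).
FAST_SCAN = [(i * 0.2, "10.0.0.5", 1 + i) for i in range(25)]      # 25 ports in 5 s
SLOW_SCAN = [(i * 10.0, "10.0.0.7", 100 + i) for i in range(25)]   # one port per 10 s
FTP_LIKE = [(0.0, "10.0.0.9", 21), (0.5, "10.0.0.9", 20), (1.0, "10.0.0.9", 50000)]
```

With the defaults the fast scan fires twice (DeltaReset on) or once (DeltaReset off), the slow scan never reaches ten ports inside a 60-second Delta and needs a larger Delta to be seen, and the three-port FTP-style exchange stays below the threshold.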


False positives

IBM Security Host Protection for Servers (Unix), RealSecure Server Sensor: There are many legitimate applications (e.g., FTP) that can appear to be a port scan. Therefore, you should investigate the initial events to determine their legitimacy. Based on your findings, this attack signature can be adjusted to eliminate false positives caused by normal network activity.

Default risk level

Medium

Sensors that have this signature

IBM Security Host Protection for Servers (Unix): 2.2.2, RealSecure Server Sensor: 5.5

Systems affected

Various vendors: Any application

Type

Pre-attack Probe

Vulnerability description

A portscan is an attempt by an attacker to determine what services are running on a system by probing each port for a response. An attacker may use a portscan to gather information that could be useful for future attacks.

How to remove this vulnerability

Identify the source of the port scan and correlate it with the services that are running on the target host. Determine the intent of the scan. You may want to take further precautions to protect the scanned devices. Check the access logs for indications of unauthorized access. If you do detect indications of unauthorized access, you should consider the system compromised and take appropriate action.

References

ISS X-Force
Portscan attack
http://www.iss.net/security_center/static/633.php