topic Did you remember to fill in a in Network Security

Firepower portscan detection tuning

v.kolosov — Sun, 10 Mar 2019 13:43:23 GMT

I have ASA with Firepower module controled by Firepower Management Center. ASA protect some network segments from other WAN. I have enabled signature PSNG_TCP_PORTSCAN and PSNG_TCP_PORTSWEEP. Portscan Detection Sensitivity Level is Low (or Medium).
I get hundreds of events PSNG_TCP_PORTSCAN (122:1:1) where my hosts try to establish 5 connections with no result to different port:
Priority Count: 5
Connection Count: 5
IP Count: 1
Port/Proto Count: 5
Can I change count of ports/host by default, which generate this type of signature to 30-50 value (typical host/port scanner scans more then 5 port I think)?

Did you remember to fill in a

Dennis Perto — Mon, 28 Nov 2016 19:02:25 GMT

Did you remember to fill in a "Watch IP" or range?

You can always add these hosts to the "Ignore scanners" list.

Can you explain me what do

v.kolosov — Tue, 29 Nov 2016 05:01:30 GMT

Can you explain me what do "Watch IP" field? By documentation: "If you want to monitor specific hosts for signs of portscan activity, enter the host IP address in the Watch IP field", but by default all host (whitch hit in Access control rule with Intrusion Prevention policy) in my network monitored with portscan detection, or not?

I remember fields "Ignore scanners/scanned" but they are my "last resort". I will have to add so large number of hosts, that I find it easier to disable the signature at all.

I'm not sure that you are

Dennis Perto — Tue, 29 Nov 2016 06:18:49 GMT

I'm not sure that you are right about your assumptions with hitting the Access Control Policy.

These settings are in the Network Analysis Policy, so I figure that they are global for all your $HOME_NET hosts, both ingress and egress.

I would imagine that you only need to know when your hosts are being scanned from the outside. 🙂

You are right :)

v.kolosov — Tue, 29 Nov 2016 06:30:32 GMT

You are right 🙂

But "outside" for me is a global corporate network with a large number of legitimate users who connect to servers on LAN network. One client can establish up to 20 connections to 10 servers simultaneously. And such behavior is considered a violation by Firepower.
Maybe I can customize anyway Portscan detector to Alert when the user to establish 50 simultaneous connection , instead of 5-10, as now?

You might have a look at the

Dennis Perto — Tue, 29 Nov 2016 06:41:05 GMT

You might have a look at the Rate-Based Attack Prevention instead of the port scan detection.

A combination of those might be what you need. 🙂

Ok, I will try this. Thank

v.kolosov — Wed, 30 Nov 2016 05:03:53 GMT

Ok, I will try this. Thank you!