I have a case where I've enabled portscan detection in the network analysis policy for my ASAs with Firepower 6.2 and set the IPS rules to Generate Event, but none are generated when running either NMAP or other scanning software.
Seems like I'm missing something. Any thoughts?
Due to bug CSCze87645, portscan processor behavior will be unexpected. It may trigger an intrusion event when all the packets go through a single snort instance, and it may not trigger if packets are going through different snort instances. It doesn't detect all the portscans if there are multiple Detection Resources.
It is a known bug that the portscan preprocessor does not work as expected when a device has more than one snort instance. Since a sensor has multiple instances of snort running, the portscan traffic will be load balanced across the instances and it's not possible for us to accurately detect portscans because of this.
Hope this helps.
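To make the load-balancing point in the answer above concrete, here is an added illustration, not Cisco or Snort code and not part of the original thread. It uses a deliberately simplified detector (flag a source once it touches more than a threshold of distinct destination ports) and a round-robin split of flows across instances; the threshold value, the even split, and the sample traffic are all constructed assumptions, and Snort's real sfPortscan heuristics and the ASA's actual flow distribution differ. The point it shows is that per-instance state can stay under the threshold on every instance even though the aggregate traffic is clearly a scan.

```python
# Added illustration (not Snort/Firepower code): per-instance portscan state
# versus aggregated state when flows are load balanced across instances.
from collections import defaultdict

THRESHOLD = 10  # assumed: distinct destination ports before a source is flagged


def distribute(flows, n_instances):
    """Split flows round-robin across instances.

    This models a balancer that spreads one scanner's connections evenly
    (an assumption for the illustration; the ASA's real distribution differs).
    """
    buckets = defaultdict(list)
    for i, flow in enumerate(flows):
        buckets[i % n_instances].append(flow)
    return buckets


def flagged_sources(flows):
    """Simplified portscan rule: flag a source seen on more than THRESHOLD
    distinct destination ports. Snort's sfPortscan is more involved."""
    ports_by_src = defaultdict(set)
    for src, _dst, dport in flows:
        ports_by_src[src].add(dport)
    return {src for src, ports in ports_by_src.items() if len(ports) > THRESHOLD}


def detect_per_instance(flows, n_instances):
    """Each instance evaluates only the flows it received; the result is
    the union of what any single instance flags."""
    flagged = set()
    for bucket in distribute(flows, n_instances).values():
        flagged |= flagged_sources(bucket)
    return flagged


def detect_aggregated(flows):
    """One detector that sees every flow (the single-instance case)."""
    return flagged_sources(flows)


# Constructed sample: one source probing 40 ports on one host.
SCAN = [("10.0.0.5", "10.0.0.20", port) for port in range(1, 41)]


if __name__ == "__main__":
    print("single instance :", detect_aggregated(SCAN))        # {'10.0.0.5'}
    print("4 instances     :", detect_per_instance(SCAN, 4))   # set()
```

With one instance the 40-port probe is flagged; split evenly across four instances each one sees only 10 ports, below the threshold, and nothing fires. This is the situation the answer describes: the verdict depends on how many snort instances the packets happen to land on, so the same scan can alert on one sensor configuration and stay silent on another.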
Is this bug ever going to get addressed by Cisco? If so when?
As it is now, portscan is detecting all kinds of innocuous events instead of the precise type of activity it was designed to detect.