Portscan detection not triggering

Hi all

I have a case where I've enabled portscan detection in the network analysis policy for my ASAs with Firepower 6.2 and set the IPS rules to Generate Event, but none is generated when running either NMAP or other scanning software.

Seems like I'm missing something. Any thoughts?

Regards

Fredrik

Dv (Cisco Employee)

Due to bug CSCze87645,

Due to bug CSCze87645, portscan processor behavior will be unexpected. It may trigger an intrusion event when all the packets go through single snort instance, and it may not trigger if packets are going through different snort instances. It doesn't detect all the portscan if there are multiple Detection Resources.

It is a known bug that the portscan preprocessor does not work as expected when a device has more than one snort instance. Since a sensor has multiple instances of snort running, the portscan traffic will be load balanced across the instances and it's not possible for us to accurately detect portscans because of this.

Hope this helps.

Regards,

Dv
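The reply above says detection depends on which Snort instance sees the packets. The following toy model is an added illustration, not code from the Cisco thread or from Firepower: a source-based detector that fires when one source touches a threshold of distinct ports, run once over all traffic and once per instance after a constructed flow-to-instance split. The threshold, the hash and the sample traffic are all constructed assumptions.

```python
from collections import defaultdict

# Constructed threshold: distinct destination ports from one source that count as a scan.
SCAN_THRESHOLD = 20

def scan_alerts(packets, threshold=SCAN_THRESHOLD):
    """Single detector: alert on a source once it has touched >= threshold distinct ports."""
    targets_by_src = defaultdict(set)
    for src, dst, dport in packets:
        targets_by_src[src].add((dst, dport))
    return {src for src, targets in targets_by_src.items() if len(targets) >= threshold}

def instance_for(src, dst, dport, n_instances):
    """Constructed stand-in for a flow hash: every flow sticks to one instance,
    but flows from the same source are spread across all of them."""
    return (sum(map(ord, src + dst)) + dport) % n_instances

def alerts_with_instances(packets, n_instances, threshold=SCAN_THRESHOLD):
    """Split traffic across instances, run an independent detector in each, union the alerts.
    No instance shares state, so each one only sees a fraction of the scan."""
    per_instance = defaultdict(list)
    for pkt in packets:
        per_instance[instance_for(*pkt, n_instances)].append(pkt)
    alerts = set()
    for pkts in per_instance.values():
        alerts |= scan_alerts(pkts, threshold)
    return alerts

def constructed_scan(src="10.0.0.5", dst="10.0.0.10", n_ports=40):
    """Constructed sample traffic: one source probing n_ports distinct ports on one host."""
    return [(src, dst, port) for port in range(1, n_ports + 1)]

if __name__ == "__main__":
    pkts = constructed_scan()
    # One instance sees all 40 ports and alerts; four instances see ~10 each and stay silent.
    print("1 instance :", scan_alerts(pkts))
    print("4 instances:", alerts_with_instances(pkts, 4))
    # Two instances happen to see 20 each, so the same scan is caught: detection becomes
    # a property of how the flows land, which is the "unexpected" behaviour described above.
    print("2 instances:", alerts_with_instances(pkts, 2))
```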

Participant

Re: Due to bug CSCze87645,

Is this bug ever going to get addressed by Cisco? If so when?

As it is now, portscan is detecting all kinds of innocuous events instead of the precise type of activity it was designed to detect.