FMC preprocessor(GID:122) portscan detection question

HWAN
Level 1

Hi Teams,

Preprocessor (GID:122) rules are about portscan detection.

These rules are disabled by default (also in Snort's base policy: Maximum Detection).

So, to catch an attacker's portscan, I have to enable these rules manually.

Why are these rules disabled? I have no clue!

Because of FTD's performance?

Or false positives?

Thank you.

Accepted Solution

pmullen
Cisco Employee

Hello! Thank you for your query. My name is Patrick Mullen, and I wrote the very first portscan detector for snort, which I believe was one of the first in the world (at least that saw widespread use), back in the 90s. I mention this only to lend some credibility and context to what I'm about to say - portscan detection in today's threat landscape doesn't provide a terrible lot of value, and is prone to false positives in modern network application architectures.

The reason for the low return on investment is because these days, most attackers don't rely on portscans for discovery - they simply make the connections they care about. Additionally, if an attack is attempted, (hopefully) other rules related to the attack itself will detect and block the attack. This is the defense in depth portion.

As for false positives in modern network application architectures, clients make many connections to many devices in normal operations these days - grab HTML from one server, scripts from another, images from another, another server for user tracking, another for ad services, another for dynamic content, etc., and all this is before load balancing rears its ugly head.

With all this in mind, Talos does not enable the portscan detection in default configurations. Instead, we rely on detecting the actual attack and try to reduce noise on the alert console. As always, you are free to enable it if you feel it would be helpful in your environment. When I used to run portscan detection outside my home network, I did enjoy watching the occasional actor knock on my door and check to see if I left any windows open.

Thanks,

Patrick

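A small illustration of the false-positive trade-off Patrick describes, added here as an example rather than anything from the thread or from Snort's GID:122 preprocessor: a count-only rule fires on a browsing client that fans out to many hosts exactly as it fires on a horizontal sweep, while a variant that also looks at whether the probed ports were refused does not. All hosts, ports, outcomes and thresholds below are constructed.

```python
"""Toy portscan heuristic over constructed flow records. Added example; not
from the thread above and not Snort's sfportscan (GID:122) code. It models
the trade-off Patrick describes: a count-only rule flags a browsing client
that touches eight hosts on 443 just like a horizontal sweep; requiring that
most probes were refused (RST) separates them. All data here is constructed."""
from collections import defaultdict

# Constructed records: (src, dst, dst_port, outcome); outcome "rst" means the
# target refused the port, "ok" means the TCP handshake completed.
FLOWS = [
    # 10.0.0.5 walks ten ports on one host: a vertical scan, mostly refused.
    *[("10.0.0.5", "10.0.0.20", p, "rst") for p in (21, 22, 23, 25, 110, 135, 139, 445)],
    ("10.0.0.5", "10.0.0.20", 80, "ok"), ("10.0.0.5", "10.0.0.20", 443, "ok"),
    # 10.0.0.7 loads one web page: HTML, scripts, images, tracking, ads, CDN...
    *[("10.0.0.7", "203.0.113.%d" % i, 443, "ok") for i in range(1, 9)],
    ("10.0.0.7", "203.0.113.1", 80, "ok"),
]

def profile(flows):
    """Aggregate per-source features the way a portscan detector would."""
    prof = defaultdict(lambda: {"hosts": set(), "ports": set(), "total": 0, "rst": 0})
    for src, dst, port, outcome in flows:
        p = prof[src]
        p["hosts"].add(dst)
        p["ports"].add(port)
        p["total"] += 1
        p["rst"] += outcome == "rst"
    return prof

def naive_verdict(p, threshold=8):
    """Count-only rule: many ports -> portscan, many hosts -> portsweep."""
    if len(p["ports"]) >= threshold:
        return "portscan"
    if len(p["hosts"]) >= threshold:
        return "portsweep"
    return "none"

def tuned_verdict(p, threshold=8, min_rst_ratio=0.5):
    """Same counts, but only alert when most probes were refused (RST)."""
    verdict = naive_verdict(p, threshold)
    if verdict != "none" and p["rst"] / p["total"] < min_rst_ratio:
        return "none"  # completed handshakes: looks like legitimate traffic
    return verdict

def classify(flows, rule):
    return {src: rule(p) for src, p in profile(flows).items()}

if __name__ == "__main__":
    print(classify(FLOWS, naive_verdict), classify(FLOWS, tuned_verdict))
```

The naive rule reports both sources; the tuned rule keeps the vertical scan (8 of 10 probes refused) and drops the browsing client (every handshake completed).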

2 Replies


Hi Patrick Mullen,

Thanks for your reply.

So, a portscan is not threatening, right? It's just a scan.

Cisco concentrates on threats more than on scanning.

Plus, attackers don't rely on the scan (for a real attack), unlike before.

I appreciate your insight!
