IPS 4255 doesn't detect a Nessus vulnerability scan..

We tested Nessus against our legal IP range, and although the firewalls see the connections and happily deny them, the IPS 4255s (two, in series, running 7.1.6 and 7.0.7 E4 respectively) aren't logging anything on the source IP, not even in the info / low logs.

Is this a consequence of Nessus being very clever, or is there an issue with the scanning thresholds? These are currently set to 100.

Gareth


jocamare (Level 4)

Does the traffic go through the ASAs first?

Or it goes through the sensors first?

Is there a signature that should be triggering when detecting the traffic?

Is this about the sensor not logging the source host's information or the scan itself?

The IPS is outside the firewalls, so traffic hits that first. The scanner should detect TCP and UDP scans, but doesn't seem to see the source IP at all.

On the other hand, it does see some other IPs scanning at the same time, so possibly Nessus "spoofs" its source address... does anyone know?
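The two ideas raised so far, a scanning threshold of 100 and a scanner that spreads its probes across source addresses, can be checked against a small model. The following is an added example and is not code from the thread or from Cisco; it is a generic sliding-window port-sweep counter (the threshold value, the 60-second window and the "distinct destination port" semantics are assumptions for illustration, not the IPS 4255 signature engine), run over constructed flow records for three scan styles: a fast single-source scan, a slow single-source scan, and the same port list spread over 20 source addresses.

```python
"""
Added example (not from the thread): a simplified port-sweep counter used to
reason about why a scan can stay under an IPS "unique targets" threshold.
Assumed semantics (NOT Cisco's signature engine): an alert fires when ONE
source touches more than THRESHOLD distinct (dst_ip, dst_port) targets within
WINDOW seconds. All flow records below are constructed sample data.
"""
from collections import defaultdict, deque

THRESHOLD = 100   # the "scanning threshold" quoted in the question; semantics assumed
WINDOW = 60.0     # seconds; assumed


def detect_sweeps(flows, threshold=THRESHOLD, window=WINDOW):
    """flows: iterable of (timestamp, src_ip, dst_ip, dst_port, proto).

    Returns {(src_ip, proto): [alert timestamps]}.  A per-source sliding
    window counts distinct targets; once the count exceeds `threshold` an
    alert is recorded and the window is cleared (one alert per burst).
    """
    alerts = defaultdict(list)
    state = {}  # (src, proto) -> deque of (ts, (dst, dport))
    for ts, src, dst, dport, proto in sorted(flows):
        key = (src, proto)
        q = state.setdefault(key, deque())
        q.append((ts, (dst, dport)))
        while q and ts - q[0][0] > window:      # drop probes older than the window
            q.popleft()
        if len({target for _, target in q}) > threshold:
            alerts[key].append(ts)
            q.clear()
    return dict(alerts)


def fast_scan(src, dst, ports, start=0.0, rate=50.0):
    """Constructed: `rate` probes per second from a single source address."""
    return [(start + i / rate, src, dst, p, "tcp") for i, p in enumerate(ports)]


def slow_scan(src, dst, ports, start=0.0, interval=1.0):
    """Constructed: one probe every `interval` seconds from a single source."""
    return [(start + i * interval, src, dst, p, "tcp") for i, p in enumerate(ports)]


def distributed_scan(srcs, dst, ports, start=0.0, rate=50.0):
    """Constructed: the same port list dealt round-robin over several sources."""
    return [(start + i / rate, srcs[i % len(srcs)], dst, p, "tcp")
            for i, p in enumerate(ports)]


def demo():
    target = "192.0.2.10"                     # documentation-range address, constructed
    ports = list(range(1, 1001))              # 1000 destination ports
    single = "198.51.100.5"
    results = {}
    # 1000 ports in 20 s: every 101st distinct port trips the counter -> 9 alerts
    results["fast"] = detect_sweeps(fast_scan(single, target, ports))
    # 1 port/s: at most 61 distinct targets fall inside any 60 s window -> no alert
    results["slow"] = detect_sweeps(slow_scan(single, target, ports))
    # 20 sources x 50 ports each, all under the threshold -> no alert for any source
    srcs = [f"198.51.100.{i}" for i in range(20, 40)]
    results["distributed"] = detect_sweeps(distributed_scan(srcs, target, ports))
    return results


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:12s} alerts: {sum(len(v) for v in hits.values())}")
```

Under these assumed semantics only the fast single-source scan is ever reported; the slow scan and the one spread over many source addresses never exceed 100 distinct targets in a window, which is the kind of behaviour a scanner can produce without spoofing anything. The model is only a way to reason about the threshold question; the real check is still a capture on the sensing interface and a review of the sweep signatures' own parameters.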

Try to capture the traffic and confirm it is reaching the unit.

Also make sure there are no event action filters that might be affecting this.

It has to go through the IPS, there's no other physical path it can take.

The default action filters are all on and I've re-enabled the retired TCP/UDP scan filters.

Hello Gareth,

Can you let me know if these signatures are enabled:

3001/1

4003/0

3001/0

In fact, have some fun with the entire link and check those signatures (I have done the search and copied the link for you); those should be able to detect that traffic ASAP.

http://tools.cisco.com/security/center/ipshome.x?keyword=Port+Sweep&selectedCriteria=E&dateRange=All&searchType=Basic&Signature+ID=false&Signature+Name=false&Latest+Release+Date=false&Alarm+Severity=false&Release=false&Original+Release=true&Original+...


Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

3001/1 doesn't exist, but the other 2 are both enabled.

For clarification purposes:

We are seeing events related to the scan; the issue is with the reported "attacker" addresses. Is that right?

Can you share one of the logs you mentioned in your reply to my first post here?
