08-17-2017 12:05 AM - edited 03-12-2019 06:29 AM
Hi all
I have a case where I've enabled portscan detection in the network analysis policy for my ASAs with Firepower 6.2 and set the IPS rules to Generate Event, but none is generated when running either NMAP or other scanning software.
Seems like I'm missing something. Any thoughts?
Regards
Fredrik
08-17-2017 07:17 AM
Due to bug CSCze87645, portscan processor behavior will be unexpected. It may trigger an intrusion event when all the packets go through a single snort instance, and it may not trigger if packets are going through different snort instances. It doesn't detect all the portscans if there are multiple Detection Resources.
It is a known bug that the portscan preprocessor does not work as expected when a device has more than one snort instance. Since a sensor has multiple instances of snort running, the portscan traffic will be load balanced across the instances and it's not possible for us to accurately detect portscans because of this.
Hope this helps.
Regards,
Dv
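To make the failure mode in the answer above concrete, here is an added simulation (not code from the thread or from Cisco) of what happens when one source's probes are spread across several snort instances that each keep their own port counters. The threshold value, the flow records and the balancer (a simple destination-port modulo, standing in for the real per-flow hash) are all constructed assumptions for the example; the point it shows is that a per-instance count can stay under the threshold on every instance while a count merged across instances, as an external flow or syslog correlation would compute, still crosses it.

```python
"""Per-instance vs. aggregated port-scan counting (constructed example)."""
from collections import defaultdict

# Hypothetical threshold: distinct destination ports one source must touch
# before a "portscan" event is raised. Not a Firepower setting.
PORT_THRESHOLD = 20


def build_probe_flows(src="10.0.0.5", dst="10.0.0.10", ports=range(1, 33)):
    """Constructed flow records (src, dst, dport): one source, 32 ports."""
    return [(src, dst, p) for p in ports]


def assign_instance(flow, n_instances):
    """Stand-in for the per-flow load balancer. The real balancer hashes the
    flow tuple; a modulo on the destination port keeps this example deterministic."""
    _, _, dport = flow
    return dport % n_instances


def count_ports_per_instance(flows, n_instances):
    """Distinct destination ports each instance sees, keyed by (instance, src)."""
    seen = defaultdict(set)
    for flow in flows:
        inst = assign_instance(flow, n_instances)
        seen[(inst, flow[0])].add(flow[2])
    return {key: len(ports) for key, ports in seen.items()}


def per_instance_alerts(flows, n_instances, threshold=PORT_THRESHOLD):
    """Sources for which at least one instance, on its own, crosses the threshold.
    This models the preprocessor behaviour described in the thread."""
    counts = count_ports_per_instance(flows, n_instances)
    return sorted({src for (_, src), n in counts.items() if n >= threshold})


def aggregated_alerts(flows, threshold=PORT_THRESHOLD):
    """Sources that cross the threshold once counts are merged across instances,
    i.e. what a correlation over exported flow records would see."""
    seen = defaultdict(set)
    for src, _, dport in flows:
        seen[src].add(dport)
    return sorted(src for src, ports in seen.items() if len(ports) >= threshold)


if __name__ == "__main__":
    flows = build_probe_flows()
    for n in (1, 4):
        print(f"{n} snort instance(s): per-instance alerts = {per_instance_alerts(flows, n)}")
    print("aggregated alerts =", aggregated_alerts(flows))
```

With one instance the 32-port probe is seen in full and alerts; with four instances each sees 8 ports, none reaches the threshold of 20, and only the merged count still flags the source. That is the reason a separate aggregation point (flow records or syslog from the sensor into a SIEM) is the practical workaround while the preprocessor itself counts per instance.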
04-09-2019 06:42 AM
Is this bug ever going to get addressed by Cisco? If so when?
As it is now, portscan is detecting all kinds of innocuous events instead of the precise type of activity it was designed to detect.