Configure scan detection settings for engines
Before an attack, attackers might scan the network for open ports. When you enable scan detection on an engine, the number of connections or connection attempts within a time window is counted. If the number of events reaches the threshold set in the scan detection options, an alert is generated.
For more details about the product and how to configure features, click Help or press F1.
Steps
- Right-click an engine element, then select Edit <element type>.
- In the navigation pane on the left, browse to .
- Configure the settings.
- Click Save and Refresh to transfer the configuration changes.
Engine Editor – Advanced Settings – Scan Detection
Use this branch to change scan detection settings for the engine. You can use scan detection to count the number of connections or connection attempts within a time window and set a threshold after which an alert is generated.
Option | Definition |
---|---|
Scan Detection Mode | When you enable scan detection, the number of connections or connection attempts within a time window is counted.
|
Create a log entry when the system detects section |
Allows you to set thresholds for creating log entries. When the specified number of events for the specified time period is exceeded, log entries are created. The following options are available for each protocol:
|
Log Level | Specifies the log level for the log entries.
|
Alert | When the Log Level is set to Alert, specifies the Alert that is sent. |
Severity | When the Log Level is set to Alert, allows you to override the severity defined in the Alert element. |
Set to Default | Returns Scan Detection changes to the default settings. |