Configure scan detection settings

Before an attack, attackers might scan the network for open ports. When you enable scan detection on an engine, the number of connections or connection attempts within a time window is counted. If the number of events reaches the threshold set in the scan detection options, an alert is generated.

Note: If scan detection is enabled or set to Off in the Engine Editor, you can override the scan detection mode in Access rules. If scan detection is set to Disabled in the Engine Editor, you cannot enable scan detection in an Access rule.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click an engine element, then select Edit <element type>.
  2. In the navigation pane on the left, browse to Advanced Settings > Scan Detection.
  3. Configure the settings.
  4. Click Save and Refresh to transfer the configuration changes.

Engine Editor > Advanced Settings > Scan Detection

Use this branch to change scan detection settings. You can use scan detection to count the number of connections or connection attempts within a time window and set a threshold after which an alert is generated.

Option Definition
Scan Detection Mode When you enable scan detection, the number of connections or connection attempts within a time window is counted.
  • Disabled — Scan detection is not enabled.
  • Off (Can Be Overridden in Policy) — Scan detection is not enabled, but you can override this setting in individual Access rules. This option is the default setting.
  • On (Can Be Overridden in Policy) — Scan detection is enabled. You can override this setting in individual Access rules if scan detection is not needed or to avoid false positives.
Create a log entry when the system detects section

Allows you to set thresholds for creating log entries. When the specified number of events for the specified time period is exceeded, log entries are created.

The following options are available for each protocol:

  • events in — Specifies the maximum number of events. The default value is 220.
  • Time period field — Specifies the time period. The default value is 1.
  • Time unit drop-down list — Specifies the unit of time. The default value is Minutes.
Log Level Specifies the log level for the log entries.
  • Transient — Creates a log entry that is displayed in the Current Events mode in the Logs view, but is not stored.
  • Stored — Creates a log entry that is stored on the Log Server.
  • Essential — Creates a log entry that is shown in the Logs view and saved for further use.
  • Alert — Triggers the alert you select.
Alert When the Log Level is set to Alert, specifies the Alert that is sent.
Severity When the Log Level is set to Alert, allows you to override the severity defined in the Alert element.
Set to Default Returns Scan Detection changes to the default settings.