Snort-alerts/portscan-Open-Port

From aldeid

portscan: Open Port

Identification

Id 122-27
Alert portscan: Open Port
Classification unclassified

Trigger

This event is generated when the sfPortscan pre-processor detects network traffic that may constitute an attack.

A portscan is often the first stage in a targeted attack against a system. An attacker can use different portscanning techniques and tools to identify the target host's operating system and the application versions running on it, and from these to work out the possible attack vectors against that host.

More information on this event can be found in the pre-processor's own documentation, README.sfportscan, in the docs directory of the Snort source. The same documentation describes the different types of portscanning techniques and gives instructions and examples on how to tune and use the pre-processor.

Affected systems

All

Impact

Unknown. This is normally an indicator of possible network reconnaissance and may be the prelude to a targeted attack against the scanned systems.

False positives

While not necessarily a false positive, a security audit or penetration test will often use a portscan in the same way an attacker might. If this is the case, the pre-processor can be tuned to ignore the audit, if so desired.

Scenario

An attacker often uses a portscanning technique to determine the operating system type and version, as well as application versions, in order to identify effective attack vectors that can be used against the target host.

Example

INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Corrective actions

  • Check for other events targeting the host.
  • Check the target host for signs of compromise.
  • Apply any appropriate vendor-supplied patches.
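
As a triage aid for the first corrective action, the following added example (not part of the original page or of Snort) groups the other alerts that target each host named in a 122:27 event, and skips scanners known to belong to an audit. It assumes Snort 2.x alert_fast output and that the alert's source is the scanner and its destination the scanned host; the log lines, addresses and rule messages are constructed.

```python
import re
from collections import defaultdict

# Assumed layout of a Snort 2.x "alert_fast" line; ports are optional because
# sfPortscan alerts are raised on pseudo-packets that carry addresses only.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>[^}]+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample log (documentation address ranges, made-up local rules).
SAMPLE_LOG = """\
03/14-10:02:11.120000  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 203.0.113.7 -> 192.0.2.10
03/14-10:02:11.450000  [**] [122:27:0] (portscan) Open Port [**] [Priority: 3] {PROTO:255} 203.0.113.7 -> 192.0.2.10
03/14-10:05:40.000000  [**] [1:1000001:1] LOCAL constructed web rule [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51514 -> 192.0.2.10:80
03/14-10:06:00.000000  [**] [122:27:0] (portscan) Open Port [**] [Priority: 3] {PROTO:255} 198.51.100.20 -> 192.0.2.30
03/14-10:09:00.000000  [**] [1:1000002:1] LOCAL constructed ssh rule [**] [Priority: 2] {TCP} 198.51.100.99:40000 -> 192.0.2.10:22
"""

def parse(log):
    """Yield one dict per line that matches the alert_fast layout."""
    for line in log.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield m.groupdict()

def triage(log, audit_scanners=frozenset()):
    """Map each host named in a 122:27 alert to the other alerts targeting it."""
    alerts = list(parse(log))
    scanned = defaultdict(set)  # scanned host -> scanners that reported open ports
    for a in alerts:
        # Match on generator and signature id, not on the message text.
        if (a["gid"], a["sid"]) == ("122", "27") and a["src"] not in audit_scanners:
            scanned[a["dst"]].add(a["src"])
    report = {}
    for host, scanners in scanned.items():
        # "Other events": anything aimed at the host that is not an sfPortscan (gid 122) alert.
        related = [(a["src"], a["msg"]) for a in alerts
                   if a["dst"] == host and a["gid"] != "122"]
        report[host] = {"scanners": sorted(scanners), "related": related}
    return report

if __name__ == "__main__":
    for host, info in triage(SAMPLE_LOG, audit_scanners={"198.51.100.20"}).items():
        print(host, info)
```

A host whose related list contains alerts from the same source as the scanner is the first candidate for the compromise check in the second corrective action.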