Endpoint Protection

  • 1.  SEPv11 - IPS Port Scan Detection Question

    Posted Mar 10, 2010 11:41 AM

    I've got two different test laptops with different IPS policies applied. Both have port scan detection enabled but only one IPS policy has "block an attacker's IP address" enabled.

    Question - When the IPS detects the port scan, it currently logs it but I don't see any blocking except for the one system that has "block an attacker's IP address" enabled. Is this correct?

    If so, why can't I set the port scan detection to block without having to use the active response? Active response can't work in our environment because it blocks our internet proxy.

    I also noticed the description of the port scan detection is different in the policy compared to the help files.

    [attached image: SEPIPS.jpg]

    Enable port scan detection

    Detects if another computer scans the client computer's ports.

    Hackers use port scans to determine which of the client computer's ports are open to communication. The client dynamically blocks the ports and therefore protects the computer from hacking attempts.

    If the client detects a port scan, it displays a notification.

    If you disable this option, the client does not detect any scans or notify the user, but still protects the ports from hacking attempts.

    This option is enabled by default.



  • 2.  RE: SEPv11 - IPS Port Scan Detection Question
    Best Answer

    Posted Mar 11, 2010 05:26 AM
     Hi,

    Security Rules are used to "Block Packets". 

    The option "Enable port scan detection" is a method to identify a pattern in blocked packets and compare it to the port scan pattern.

    As specified in the description provided in the policy: "A security rule needs to be created to block traffic".

    The description in the help file is talking about what a port scan is, whereas the one in the policy is talking about how Symantec detects a pattern in it.

    Aniket
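    The mechanism described in this answer (a security rule blocks packets, and port scan detection then looks for a scan pattern in those blocked packets) can be illustrated with a small detector. This is an added example, not SEP code or a SEP log format: the log layout, the source/port fields and the thresholds are all assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of "blocked packet" firewall log lines. The field layout
# is an assumption for this example, not the real SEP log format.
BLOCKED_LOG = """\
2010-03-10 11:40:01 BLOCK TCP 10.0.0.5:40001 -> 10.0.0.20:21
2010-03-10 11:40:01 BLOCK TCP 10.0.0.5:40002 -> 10.0.0.20:22
2010-03-10 11:40:02 BLOCK TCP 10.0.0.5:40003 -> 10.0.0.20:23
2010-03-10 11:40:02 BLOCK TCP 10.0.0.5:40004 -> 10.0.0.20:25
2010-03-10 11:40:03 BLOCK TCP 10.0.0.5:40005 -> 10.0.0.20:80
2010-03-10 11:40:03 BLOCK TCP 10.0.0.5:40006 -> 10.0.0.20:135
2010-03-10 11:40:04 BLOCK TCP 10.0.0.5:40007 -> 10.0.0.20:139
2010-03-10 11:40:04 BLOCK TCP 10.0.0.5:40008 -> 10.0.0.20:443
2010-03-10 11:40:05 BLOCK TCP 10.0.0.5:40009 -> 10.0.0.20:445
2010-03-10 11:40:05 BLOCK TCP 10.0.0.5:40010 -> 10.0.0.20:3389
2010-03-10 11:40:07 BLOCK TCP 10.0.0.9:51000 -> 10.0.0.20:445
2010-03-10 11:41:30 BLOCK TCP 10.0.0.9:51001 -> 10.0.0.20:445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) BLOCK (?P<proto>\w+) (?P<src>[\d.]+):\d+ -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_blocked(log_text):
    """Yield (timestamp, source_ip, destination_port) for each blocked-packet line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["src"], int(m["dport"])


def detect_port_scans(log_text, min_ports=8, window=timedelta(seconds=10)):
    """Flag a source that hits at least min_ports distinct ports within one window.

    Returns {source_ip: most distinct ports seen in any triggering window}.
    A single repeated port (10.0.0.9 above) is a blocked packet, not a scan pattern."""
    hits_by_src = defaultdict(list)
    for ts, src, dport in parse_blocked(log_text):
        hits_by_src[src].append((ts, dport))
    scanners = {}
    for src, hits in hits_by_src.items():
        hits.sort()
        start = 0
        for end, (ts, _) in enumerate(hits):
            while ts - hits[start][0] > window:  # slide the window forward
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                scanners[src] = max(scanners.get(src, 0), len(ports))
    return scanners
```

    Raising min_ports or shrinking the window tunes how aggressive the pattern match is; the example only reports the source, it does not block anything.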




  • 3.  RE: SEPv11 - IPS Port Scan Detection Question

    Broadcom Employee
    Posted Mar 11, 2010 05:29 AM
    It will detect the scan, but to stop it you need to create a firewall rule.


  • 4.  RE: SEPv11 - IPS Port Scan Detection Question

    Posted Mar 11, 2010 10:49 AM
    Since you are using it via proxy, you can try putting active response at 5 seconds, as it should be enough to drop the attack packets and reset the connection.

    However, in my view, without block ... active response should drop the connection.


  • 5.  RE: SEPv11 - IPS Port Scan Detection Question

    Posted Apr 07, 2010 10:42 AM
    I assume the Active Response sends RST instead of only dropping packets. Is that correct? If not, I'm sure 5 seconds is enough since most TTLs last longer.


  • 6.  RE: SEPv11 - IPS Port Scan Detection Question

    Posted May 20, 2010 04:56 PM
    I understand that port scans are logged and not blocked but will a custom signature be needed or can one be made in the firewall rules to block/alert port scans? I am looking to get alerted when a scan is performed.