Scan events

A scan is an attack that attempts to connect to unused ports, looking for a way to break into the system. A scan can also be a connection request from a spoofed IP address. After discovering the open ports, the hacker tries to find weaknesses and gain access to the system.

IDS detects both inbound and outbound scan events.

A port scan is used by administrators to check the security of a network, and by hackers or crackers to find open ports and vulnerabilities in the system.

A scan policy can monitor both slow and fast scans. Fast scans might indicate quick attempts at gathering information or attempts to deny service. Slow scans might indicate that a perpetrator is seeking information about which ports to probe or what operating system is running.

If IDS is active before the system IPL, the service stack detects intrusions and extrusions, even if no IDS policies exist. If an IDS scan policy exists, IDS creates an audit record when it detects a scan event and the slow or fast scan threshold is exceeded.

Sometimes a high rate of scans indicates that a user is trying to connect to a service that is down, rather than a genuine attack on the system. For example, if the Telnet or TCP/IP server is down, the failed connection attempts might look like a scan, and IDS would detect them.
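
The fast and slow thresholds and the down-service case described above can be illustrated with a small detector. This is an added example, not IBM code or the IDS implementation; the interval and threshold values, the event tuple layout, and the `single_port` triage flag are assumptions made for illustration.

```python
from collections import defaultdict

# Assumed (interval_seconds, threshold) pairs for illustration; not IBM i defaults.
FAST = (60, 5)
SLOW = (3600, 10)

def busiest_window(hits, interval):
    """Return the largest run of time-sorted hits that fits inside `interval` seconds."""
    best, start = [], 0
    for end in range(len(hits)):
        while hits[end][0] - hits[start][0] >= interval:
            start += 1
        if end - start + 1 > len(best):
            best = hits[start:end + 1]
    return best

def classify(events, fast=FAST, slow=SLOW):
    """events: (timestamp_s, source_ip, dest_port) attempts on ports with no listener.
    Returns {source_ip: finding} for sources that exceed a threshold."""
    by_src = defaultdict(list)
    for ts, src, port in sorted(events):
        by_src[src].append((ts, port))
    findings = {}
    for src, hits in by_src.items():
        for kind, (interval, threshold) in (("fast", fast), ("slow", slow)):
            window = busiest_window(hits, interval)
            if len(window) > threshold:  # record only when the threshold is exceeded
                ports = {port for _, port in window}
                findings[src] = {
                    "kind": kind,
                    "events": len(window),
                    # One port hit repeatedly looks like a client retrying a
                    # service that is down, not a sweep across ports.
                    "single_port": len(ports) == 1,
                }
                break
    return findings

# Constructed sample events (documentation address ranges).
SAMPLE = (
    [(1000 + i, "198.51.100.7", 20 + i) for i in range(8)]        # burst over 8 ports
    + [(200 * i, "203.0.113.9", 1000 + i) for i in range(12)]     # one probe every 200 s
    + [(5000 + i, "192.0.2.20", 23) for i in range(20)]           # retries to port 23
    + [(7000, "192.0.2.50", 80), (7900, "192.0.2.50", 443)]       # below both thresholds
)

if __name__ == "__main__":
    for src, finding in sorted(classify(SAMPLE).items()):
        print(src, finding)
```

A finding with `single_port` set is worth checking against server status before it is treated as a genuine scan.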