TCP port scans
Because TCP is a stateful protocol, the same incoming segment can be normal, possibly suspicious, or very suspicious depending on the state of the socket that receives it. The identified conditions are listed in Table 1. You can use the RESERVED keyword on the PORT or PORTRANGE statement in the TCP/IP profile to prohibit the use of a TCP port. You can also limit event generation to specific port ranges and destination IP addresses. TCP port scans apply to both IPv4 and IPv6. Each event is classified by the first matching entry in Table 1, so row order matters:
Socket state | Event | Event classification |
---|---|---|
Any state | Receive unexpected flags (for example, SYN+FIN) | Very suspicious |
Any state | Receive standalone SYN that is denied by IP security filtering | Possibly suspicious |
Use prohibited by RESERVED keyword | Receive standalone SYN | Very suspicious |
Unbound, use not prohibited | Receive standalone SYN | Possibly suspicious; application could be temporarily down |
Listen | Receive standalone SYN that is denied by Quality of Service (QoS) policy | Normal |
Listen | Receive standalone SYN | No event (classification deferred) |
Half open connection | Receive ACK | Normal; connection handshake completed |
Half open connection | Receive duplicate SYN | Normal; perhaps duplicate packet |
Half open connection | Receive RST | Possibly suspicious; peer covering tracks |
Half open connection | Final timeout | Very suspicious; peer abandoned handshake |
Any connected state | Seq# out of window | Normal; perhaps duplicate packet |
Any connected state | Receive standalone SYN | Normal; perhaps peer reboot |
Any connected state | Final timeout | Possibly suspicious; peer abandoned connection |
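As an added illustration (not code from the z/OS documentation or the Communications Server), the following Python encodes Table 1 as an ordered rule list so that the first-match behaviour is explicit: a standalone SYN that IP security filtering denies is "possibly suspicious" even on a RESERVED port, because the "Any state" row precedes the RESERVED row. The socket-state and event names are shorthand chosen here, not product identifiers.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    # Constructed shorthand for the events in Table 1.
    kind: str                          # "syn", "ack", "rst", "unexpected_flags",
                                       # "seq_out_of_window", "final_timeout"
    denied_by_ip_filter: bool = False  # SYN rejected by IP security filtering
    denied_by_qos: bool = False        # SYN rejected by QoS policy

ANY = "*"                              # matches every socket state
NO_EVENT = "no event (classification deferred)"

# Rows of Table 1 in their published order; the first matching row wins.
# Socket states used here: "reserved", "unbound", "listen", "half_open", "connected".
RULES = [
    (ANY,         lambda e: e.kind == "unexpected_flags",              "very suspicious"),
    (ANY,         lambda e: e.kind == "syn" and e.denied_by_ip_filter, "possibly suspicious"),
    ("reserved",  lambda e: e.kind == "syn",                           "very suspicious"),
    ("unbound",   lambda e: e.kind == "syn",                           "possibly suspicious"),
    ("listen",    lambda e: e.kind == "syn" and e.denied_by_qos,       "normal"),
    ("listen",    lambda e: e.kind == "syn",                           NO_EVENT),
    ("half_open", lambda e: e.kind == "ack",                           "normal"),
    ("half_open", lambda e: e.kind == "syn",                           "normal"),
    ("half_open", lambda e: e.kind == "rst",                           "possibly suspicious"),
    ("half_open", lambda e: e.kind == "final_timeout",                 "very suspicious"),
    ("connected", lambda e: e.kind == "seq_out_of_window",             "normal"),
    ("connected", lambda e: e.kind == "syn",                           "normal"),
    ("connected", lambda e: e.kind == "final_timeout",                 "possibly suspicious"),
]

def classify(state: str, event: Event) -> str:
    """Return the Table 1 classification of the first row matching (state, event)."""
    for rule_state, matches, classification in RULES:
        if rule_state in (ANY, state) and matches(event):
            return classification
    raise ValueError(f"no Table 1 row for state={state!r}, event={event.kind!r}")

if __name__ == "__main__":
    # Row order decides: the same SYN to a RESERVED port is rated differently
    # depending on whether IP security filtering denied it first.
    print(classify("reserved", Event("syn")))                            # very suspicious
    print(classify("reserved", Event("syn", denied_by_ip_filter=True)))  # possibly suspicious
    print(classify("listen", Event("syn")))                              # no event (classification deferred)
```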