Endpoint Protection

  • 1.  Configure Notification and alert for Port Scan detection

    Posted 10-20-2021 09:08 AM
    Edited by SymSpec 10-20-2021 09:08 AM
    Is there any way we can configure an alert to be sent automatically to admin whenever SEP detects any port scan attacks. I checked under Notification Conditions in SEPM but I couldn't find the port scan event type for notification condition.

    Can anyone confirm?

    SEPM and SEP agent version is 14.3 RU2.

  • 2.  RE: Configure Notification and alert for Port Scan detection

    Posted 10-22-2021 06:19 PM
    Hi SymSpec,

    You sure can get an alert for Port Scan.  I've had this set up for years and it works well.  I'm on a slightly earlier version (14.3 RU1 MP1), but should be the same for you.

    First you need to turn on "Enable port scan detection" for the relevant group.  This is under Firewall Policy -> Windows Settings -> Protection and Stealth.  There is also an equivalent setting for Mac's under the Mac Settings.

    To get the email alert, you need to set up a Notification Condition.  When I first set this up, I was like you looking for a particular notification for port scan detection - there isn't one.  Add a new Notification Condition and select "Client security alert" from the drop-down.  In the next screen, deselect "Compliance events" (which is the default), and select "Network and Host Exploitation events".  I change a couple of other setting, including setting in from 3 occurrences in 1 minute, to 1 in 1 minute.  Configure your logging and email alert settings and you're done.  I set the name and the "Notification subject" as "Network Threat Alert", as this one notification will alert you for all IPS/IDS events, including port scans.

    It works well, and is usually how I detect penetration testers being onsite, as it picks up their port scans as they start checking the environment :)  I've also seen a port scan detection triggered in some cases when running traceroute, as this opens a few ports quickly.  In that case I had to create a firewall rule to allow this traffic (it was for some monitoring software) because if you also have the "Automatically block an attacker's IP address" setting turned on, then the port scan will trigger that and block the traffic.

    Hope this helps,

  • 3.  RE: Configure Notification and alert for Port Scan detection

    Broadcom Employee
    Posted 10-22-2021 06:23 PM
    I looked in the SEPM Notifications options and I confirm that there is no trigger for firewall or IPS related events. An alternative albeit heavy to implement would be to export logs to syslogs and use an external solution to send alert.