Port Scanning

Genian NAC 6.0 can detect port scanning run in a variety of ways. The Network Sensor monitors network traffic flow to check port access events. If a port scan is run to find a virtual IP address in order to exploit a known vulnerability, Genian NAC 6.0 suspends the port scan and designates the Node as critical. In addition, if more ports are scanned than the specified value within a period of time, the Node is designated as critical.

Configure Settings for Port Scanning in Anomaly Definition

  1. Go to Policy in the top panel.

  2. Go to Policy > Node Policy > Anomaly Definition in the left Policy panel.

  3. Click Port Scan.

  4. Find the Anomaly Event section to configure more options.

    • For Event Duration, optional setting to specify how long the port scan is run.

    • For Number of Allowable Ports, optional setting to specify the threshold to trigger the anomaly detection.

    • For Attribute to Match, optional setting to find a Node running the port scan.

  5. Click Update.
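
The threshold rule behind the Event Duration and Number of Allowable Ports settings can be sketched as follows. This is an added example, not Genian NAC's own code: it assumes the rule counts distinct destination ports per source inside a sliding time window, and the threshold values, IP addresses and events are constructed.

```python
from collections import defaultdict, deque

# Hypothetical values standing in for the Event Duration and
# Number of Allowable Ports settings; these are not product defaults.
EVENT_DURATION_SEC = 10
ALLOWABLE_PORTS = 5


def detect_port_scans(events, duration=EVENT_DURATION_SEC, allowable=ALLOWABLE_PORTS):
    """Return {source_ip: timestamp at which it first exceeded the threshold}.

    events: iterable of (timestamp_sec, source_ip, dest_port), sorted by time.
    Assumption: "ports scanned" means distinct destination ports.
    """
    windows = defaultdict(deque)  # source_ip -> (ts, port) pairs inside the window
    flagged = {}
    for ts, src, port in events:
        win = windows[src]
        win.append((ts, port))
        # Drop accesses that have aged out of the sliding window.
        while win and ts - win[0][0] > duration:
            win.popleft()
        distinct_ports = {p for _, p in win}
        if len(distinct_ports) > allowable and src not in flagged:
            flagged[src] = ts
    return flagged


# Constructed sample traffic (not captured from a real network).
SAMPLE_EVENTS = sorted(
    [(i, "10.0.0.23", 20 + i) for i in range(8)]           # 8 ports in 8 s: scan
    + [(i * 30, "10.0.0.40", 1000 + i) for i in range(8)]  # 8 ports, 30 s apart
    + [(i, "10.0.0.51", 443) for i in range(20)]           # one port, many times
)

if __name__ == "__main__":
    for src, ts in detect_port_scans(SAMPLE_EVENTS).items():
        print(f"{src} exceeded {ALLOWABLE_PORTS} ports within "
              f"{EVENT_DURATION_SEC}s at t={ts}")
```

A longer duration or a lower port count catches slower scans at the cost of more false positives from hosts that legitimately contact many services.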

Create Node Group For Port Scan Run

  1. Go to Policy in the top panel.

  2. Go to Policy > Group > Node in the left Policy panel.

  3. Click on Tasks > Create.

  4. For ID: Port Scan Run.

  5. For Status: Enabled.

  6. For Boolean Operator select OR.

  7. Find and click on Add in the Condition section.

  8. For each Anomaly you want to add, use the following:

    • Options: Anomaly

    • Operator: Detected is one of

    • Value: Port Scanning

  9. Click Add.

  10. Keep adding Conditions as needed.

  11. Click Save.