Port Scanning
Genian NAC can detect port scans that are run in a variety of ways. The Network Sensor monitors network traffic flow to check for port access events. If a port scan is run to find a virtual IP address in order to exploit a known vulnerability, Genian NAC suspends the port scan and designates the Node as critical. In addition, if more ports are scanned than the specified value within a period of time, the Node is designated as critical.
Configure Settings for Port Scanning in Anomaly Definition
- Go to Policy in the top panel.
- Go to Policy > Node Policy > Anomaly Definition in the left Policy panel.
- Click Port Scan.
- Find the Anomaly Event section to configure more options.
- For Event Duration, optional setting to specify how long the port scan is run.
- For Number of Allowable Ports, optional setting to specify the threshold to trigger the anomaly detection.
- For Attribute to Match, optional setting to find a Node running the port scan.
- Click Update.
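The interaction between Event Duration and Number of Allowable Ports can be modelled as a sliding-window count of distinct ports per source. The Python below is an added example, not Genian NAC code or its algorithm; the function name, the event tuple format and the sample events are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Assumption: illustrative model of a duration/threshold rule, not Genian NAC's
# implementation. Constructed sample events: (timestamp_seconds, source_ip, port).
SAMPLE_EVENTS = [
    # Fast sweep: six different ports in six seconds.
    (0, "192.0.2.10", 22), (1, "192.0.2.10", 23), (2, "192.0.2.10", 80),
    (3, "192.0.2.10", 443), (4, "192.0.2.10", 3389), (5, "192.0.2.10", 8080),
    # Ordinary client: repeated access to a single port.
    (0, "192.0.2.20", 443), (2, "192.0.2.20", 443), (4, "192.0.2.20", 443),
    # Slow sweep: six different ports, one every 20 seconds.
    (0, "192.0.2.30", 21), (20, "192.0.2.30", 22), (40, "192.0.2.30", 25),
    (60, "192.0.2.30", 53), (80, "192.0.2.30", 110), (100, "192.0.2.30", 143),
]


def detect_port_scans(events, event_duration, allowable_ports):
    """Return {source_ip: time_of_first_trigger} for every source that touches
    more than `allowable_ports` distinct ports inside any window of
    `event_duration` seconds."""
    recent = defaultdict(deque)  # source -> (timestamp, port) pairs still in window
    flagged = {}
    for ts, src, port in sorted(events):
        if src in flagged:
            continue  # already reported; one trigger per source is enough
        window = recent[src]
        window.append((ts, port))
        # Discard events that have aged out of the sliding window.
        while ts - window[0][0] >= event_duration:
            window.popleft()
        # Count distinct ports, so repeated hits on one port do not add up.
        if len({p for _, p in window}) > allowable_ports:
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    print(detect_port_scans(SAMPLE_EVENTS, event_duration=10, allowable_ports=5))
    print(detect_port_scans(SAMPLE_EVENTS, event_duration=120, allowable_ports=5))
```

With a 10-second window only the fast sweep crosses the threshold; widening the window to 120 seconds also catches the slow sweep, which is the trade-off to weigh when choosing the two values.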
Create Node Group For Port Scan Run
- Go to Policy in the top panel.
- Go to Policy > Group > Node in the left Policy panel.
- Click on Tasks > Create.
- For ID: Port Scan Run.
- For Status: Enabled.
- For Boolean Operator select OR.
- Find and click on Add in the Condition section.
- For each Anomaly you want to add, use the following:
  - Options: Anomaly
  - Operator: Detected is one of
  - Value: Port Scanning
- Click Add.
- Keep adding Conditions as needed.
- Click Save.