Port Scanning

Genian NAC can detect port scans run in a variety of ways. The Network Sensor monitors network traffic flow to check port access events. If a port scan is run to find a virtual IP address in order to exploit a known vulnerability, Genian NAC suspends the port scan and designates the Node as a critical one. In addition, if more ports are scanned than the specified value within a period of time, the Node is designated as a critical Node.

Configure Settings for Port Scanning in Anomaly Definition

  1. Go to Policy in the top panel.
  2. Go to Policy > Node Policy > Anomaly Definition in the left Policy panel.
  3. Click Port Scan.
  4. Find the Anomaly Event section to configure more options.
    • For Event Duration, optional setting to specify how long the port scan is run.
    • For Number of Allowable Ports, optional setting to specify the threshold that triggers the anomaly detection.
    • For Attribute to Match, optional setting to find a Node running the port scan.
  5. Click Update.
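
To show how the Event Duration and Number of Allowable Ports settings interact, here is an added example (not Genian NAC code, and not a description of its internal implementation) of a sliding-window detector that flags a source once it touches more than the allowed number of distinct ports within the duration. The function name, the event tuple format and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

def detect_port_scans(events, event_duration, allowable_ports):
    """Return {source: timestamp at which the threshold was first exceeded}.

    events: iterable of (timestamp_seconds, source, dest_port), sorted by time.
    A source is flagged when it touches more than `allowable_ports` distinct
    ports within any sliding window of `event_duration` seconds.
    """
    recent = defaultdict(deque)                          # source -> (ts, port) in window
    port_counts = defaultdict(lambda: defaultdict(int))  # source -> port -> hits in window
    flagged = {}
    for ts, src, port in events:
        window, counts = recent[src], port_counts[src]
        # Expire events that have fallen out of the window.
        while window and ts - window[0][0] >= event_duration:
            _, old_port = window.popleft()
            counts[old_port] -= 1
            if counts[old_port] == 0:
                del counts[old_port]
        window.append((ts, port))
        counts[port] += 1
        # Count distinct ports, not raw events, so repeated hits do not trigger.
        if len(counts) > allowable_ports and src not in flagged:
            flagged[src] = ts
    return flagged

# Constructed sample events: (timestamp in seconds, source IP, destination port).
SAMPLE_EVENTS = sorted(
    # 10.0.0.5 sweeps 12 different ports in 6 seconds.
    [(100 + i * 0.5, "10.0.0.5", 20 + i) for i in range(12)]
    # 10.0.0.9 hits the same two ports repeatedly: many events, few ports.
    + [(100 + i, "10.0.0.9", (443, 80)[i % 2]) for i in range(30)]
    # 10.0.0.7 touches 12 ports, but one every 100 seconds.
    + [(100 + i * 100, "10.0.0.7", 8000 + i) for i in range(12)]
)

if __name__ == "__main__":
    hits = detect_port_scans(SAMPLE_EVENTS, event_duration=60, allowable_ports=10)
    for src, ts in hits.items():
        print(f"port scan anomaly: {src} exceeded threshold at t={ts}")
```

With a 60-second duration only the fast sweep is flagged; a slow scan such as the one from 10.0.0.7 is caught only when the duration is long enough to cover it, which is the trade-off to weigh when choosing the two values.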

Create Node Group For Port Scan Run

  1. Go to Policy in the top panel.
  2. Go to Policy > Group > Node in the left Policy panel.
  3. Click on Tasks > Create.
  4. For ID: Port Scan Run.
  5. For Status: Enabled.
  6. For Boolean Operator, select OR.
  7. Find and click on Add in the Condition section.
  8. For each Anomaly you want to add, use the following:
    • Options: Anomaly
    • Operator: Detected is one of
    • Value: Port Scanning
  9. Click Add.
  10. Keep adding Conditions as needed.
  11. Click Save.