How do I block NMAP port scans?

    • Updated: 28 Aug 2017
    • Product/Version:
        • TippingPoint IPS N-series All
        • TippingPoint IPS NX-series All
        • TippingPoint IPS S-series All
        • TippingPoint SMS All
        • TippingPoint TPS All
        • TippingPoint Virtual SMS
        • TippingPoint Virtual TPS All
Summary
This article describes the procedure required to block NMAP port scans.
Details

Network Mapper (NMAP) is a network security scanner originally used to discover hosts and services on a computer network, thus creating a "map" of the network. To accomplish its goal, NMAP sends specially crafted packets to the target host and then analyzes the responses. The software provides a number of features for probing computer networks, including host discovery and service and operating system detection.

In order to block port scans, you need to enable filters 7000 to 7004 and 7016. Please ensure that you read the filter descriptions as some of them have warnings attached.

Port Scan and Host Sweep Filter Description

The following filters detect and/or block port scans and host sweeps.

  •  7000: TCP: Port Scan
  •  7001: UDP: Port Scan
  •  7002: TCP: Host Sweep
  •  7003: UDP: Host Sweep
  •  7004: ICMP: Host Sweep
  •  7016: ICMPv6: Host Sweep

The scan and sweep filters track the number of port scan and host sweep attempts from a single source IP address. These filters have threshold values that can be configured per Security Profile and per filter. A filter becomes active when the number of connection attempts from a source IP address exceeds its threshold. Port scans and host sweeps are blocked through the Quarantine feature. Scan and sweep filters only look at connections from traffic that undergoes IPS inspection.

These filters ignore the following types of traffic:

  •  blocked or trusted by a Traffic Management filter
  •  trusted flow due to Trust as an Action
  •  blocked or trusted by IP Reputation
  •  matches an inspection-bypass rule
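
The per-source threshold logic and the ignored-traffic rule described above can be modelled in a few lines. This is an added illustration, not TippingPoint code: the threshold values, the record layout, the `inspected` flag, and the choice to count distinct ports and distinct hosts are assumptions, and the model leaves out any timing the device applies.

```python
from collections import defaultdict

# Filter names as listed in the article, keyed by (protocol, kind).
FILTERS = {
    ("tcp", "scan"): "7000: TCP: Port Scan",
    ("udp", "scan"): "7001: UDP: Port Scan",
    ("tcp", "sweep"): "7002: TCP: Host Sweep",
    ("udp", "sweep"): "7003: UDP: Host Sweep",
    ("icmp", "sweep"): "7004: ICMP: Host Sweep",
    ("icmpv6", "sweep"): "7016: ICMPv6: Host Sweep",
}
# Assumed thresholds; on the device they are set per Security Profile and per filter.
PORT_THR, SWEEP_THR = 5, 4

# Constructed records: (source IP, destination IP, protocol, port, inspected).
# inspected=False stands for traffic the filters ignore (trusted, bypassed, already blocked).
SAMPLE = (
    [("198.51.100.7", "10.0.0.5", "tcp", p, True) for p in range(20, 27)]
    + [("198.51.100.9", f"10.0.0.{h}", "icmp", None, True) for h in range(1, 7)]
    + [("203.0.113.4", "10.0.0.5", "tcp", p, False) for p in range(1, 50)]
    + [("192.0.2.10", "10.0.0.5", "tcp", 443, True)] * 3
)

def detect(records, port_thr=PORT_THR, sweep_thr=SWEEP_THR):
    """Return {source_ip: set of filter names} for sources over a threshold."""
    ports = defaultdict(set)   # (src, dst, proto) -> distinct ports tried
    hosts = defaultdict(set)   # (src, proto) -> distinct hosts tried
    flagged = defaultdict(set)
    for src, dst, proto, port, inspected in records:
        if not inspected:
            continue  # never counted, so it can never trigger a filter
        hosts[(src, proto)].add(dst)
        if len(hosts[(src, proto)]) > sweep_thr:
            flagged[src].add(FILTERS[(proto, "sweep")])
        if port is not None:
            ports[(src, dst, proto)].add(port)
            if len(ports[(src, dst, proto)]) > port_thr:
                flagged[src].add(FILTERS[(proto, "scan")])
    return dict(flagged)

def quarantine_list(records):
    """Sources that would be handed to quarantine in this model."""
    return sorted(detect(records))

if __name__ == "__main__":
    for src, names in detect(SAMPLE).items():
        print(src, sorted(names))
```

The source 203.0.113.4 touches 49 ports but is never flagged, because uninspected traffic is not counted at all. A trust or bypass rule that covers a scanning source therefore also hides it from these filters.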

Category: Configure; Troubleshoot; Deploy
Solution Id: TP000087920