What are Scan-Sweep Filters?

Updated: 30 Aug 2017

Product/Version:

    • TippingPoint IPS N-series All
    • TippingPoint IPS NX-series All
    • TippingPoint IPS S-series All
    • TippingPoint NGFW All
    • TippingPoint SecBlade All
    • TippingPoint SMS All
    • TippingPoint TPS All
    • TippingPoint Virtual SMS
    • TippingPoint Virtual TPS All

Platform:
Summary

This article explains what Scan-Sweep filters are and how they are used on TippingPoint devices.

Details

Port Scan and Host Sweep Filters

The TippingPoint Operating System (TOS) supports filters that detect and/or block port scans and host sweeps. The following filters are referred to as scan/sweep filters:

  •  7000: TCP: Port Scan
  •  7001: UDP: Port Scan
  •  7002: TCP: Host Sweep
  •  7003: UDP: Host Sweep
  •  7004: ICMP: Host Sweep
  •  7016: ICMPv6: Host Sweep

The scan and sweep filters track the number of port scan and host sweep attempts originating from a single source IP address. Each filter has a threshold value that can be configured per Security Profile and per filter. A filter triggers when the number of connection attempts from one source IP address exceeds its threshold. Port scans and host sweeps are blocked through the Quarantine feature.

Scan and sweep filters only look at connections from traffic that undergoes IPS inspection. These filters ignore the following types of traffic:

  •  Blocked or trusted by a Traffic Management filter
  •  Trusted flow due to Trust as an Action
  •  Blocked or trusted by IP Reputation
  •  Matches an inspection-bypass rule

Warning: Before enabling the scan/sweep filters with a block+notify action set, first enable them with a permit+notify or trust+notify action set. This precaution is needed because a number of servers (for example proxy, DNS, and mail servers) legitimately trigger these filters; running in notify-only mode lets you determine which servers will require filter exceptions once the filters are enabled. After you have added the exceptions, you can switch the filters to block+notify.
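The following Python model is an added example, not TippingPoint or Trend Micro code, that illustrates the logic described above: per-source counting of distinct destination ports (port scan) and distinct destination hosts (host sweep) against a threshold, skipping traffic that is not IPS-inspected, honouring filter exceptions for servers such as a mail relay, and putting a source into Quarantine once a filter fires in block+notify mode. The filter numbers are the ones listed in this article; the thresholds, the Flow record, the addresses and the sample traffic are constructed for the example.

```python
from collections import defaultdict

# Filter numbers from the article; everything else here is constructed.
PORT_SCAN = {"tcp": 7000, "udp": 7001}
HOST_SWEEP = {"tcp": 7002, "udp": 7003, "icmp": 7004, "icmpv6": 7016}


class Flow:
    """One connection attempt as the detector sees it (constructed record)."""

    def __init__(self, src, dst, proto, dport=0, inspected=True):
        self.src, self.dst, self.proto, self.dport = src, dst, proto, dport
        # inspected=False models traffic the filters ignore: blocked/trusted
        # by a Traffic Management filter, a Trust action, IP Reputation, or
        # an inspection-bypass rule.
        self.inspected = inspected


class ScanSweepDetector:
    def __init__(self, mode="permit+notify", port_threshold=20,
                 host_threshold=20, exceptions=()):
        self.mode = mode                      # "permit+notify" or "block+notify"
        self.port_threshold = port_threshold  # distinct ports on one host per source
        self.host_threshold = host_threshold  # distinct hosts per source
        self.exceptions = set(exceptions)     # filter exceptions (e.g. mail relay)
        self.ports = defaultdict(set)         # (src, proto, dst) -> ports touched
        self.hosts = defaultdict(set)         # (src, proto)      -> hosts touched
        self.quarantined = set()              # sources blocked via Quarantine
        self.events = []                      # (filter_id, src, action)

    def observe(self, flow):
        """Return the filter ids this flow triggers (empty list if none)."""
        if not flow.inspected or flow.src in self.exceptions:
            return []
        if flow.src in self.quarantined:
            return []          # already blocked; nothing further to count
        hits = []
        if flow.proto in PORT_SCAN:
            ports = self.ports[(flow.src, flow.proto, flow.dst)]
            ports.add(flow.dport)
            if len(ports) > self.port_threshold:
                hits.append(PORT_SCAN[flow.proto])
        if flow.proto in HOST_SWEEP:
            hosts = self.hosts[(flow.src, flow.proto)]
            hosts.add(flow.dst)
            if len(hosts) > self.host_threshold:
                hits.append(HOST_SWEEP[flow.proto])
        action = "block" if self.mode == "block+notify" else "permit"
        for fid in hits:
            self.events.append((fid, flow.src, action))
            if action == "block":
                self.quarantined.add(flow.src)
        return hits


def sample_traffic():
    """Constructed traffic: a port scanner, an ICMP sweeper, a busy mail relay
    and some trusted flows that the filters must ignore."""
    flows = [Flow("203.0.113.5", "192.0.2.10", "tcp", p) for p in range(1, 26)]
    flows += [Flow("198.51.100.7", f"192.0.2.{h}", "icmp") for h in range(1, 26)]
    # A mail relay delivering to 25 remote MTAs on port 25 legitimately looks
    # like a TCP host sweep; this is the case the warning above is about.
    flows += [Flow("192.0.2.25", f"198.51.100.{h}", "tcp", 25) for h in range(1, 26)]
    # Trusted by a Traffic Management filter: never counted, whatever it does.
    flows += [Flow("203.0.113.5", f"10.0.0.{h}", "tcp", 445, inspected=False)
              for h in range(1, 31)]
    return flows


def run(mode="permit+notify", exceptions=()):
    det = ScanSweepDetector(mode=mode, exceptions=exceptions)
    for flow in sample_traffic():
        det.observe(flow)
    return det


def summarize(det):
    """Count recorded events per filter id."""
    counts = {}
    for fid, _src, _action in det.events:
        counts[fid] = counts.get(fid, 0) + 1
    return counts


if __name__ == "__main__":
    print("permit+notify, no exceptions:", summarize(run()))
    print("permit+notify, mail relay excepted:",
          summarize(run(exceptions=("192.0.2.25",))))
    blocked = run(mode="block+notify", exceptions=("192.0.2.25",))
    print("block+notify quarantined:", sorted(blocked.quarantined))
```

Running it in permit+notify mode first shows the mail relay (192.0.2.25) firing filter 7002 alongside the real scanner and sweeper; adding it as an exception and switching to block+notify then quarantines only the two offending sources, which is the staged rollout the warning recommends.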

Category: Configure; Troubleshoot; Deploy

Solution Id: TP000088164