14576
Created On 06/14/21 18:11 PM - Last Modified 02/07/22 23:54 PM
Question
While running a port scan using nmap, we observe Host Sweep triggering instead of TCP Port Scan. Why is that?
The port scan command we use for the port scan is: nmap -sS -v 192.168.0.0/24

Environment
Firewall with TCP Port Scan and Host Sweep detection enabled (interval and threshold configured); nmap on the scanning host.

Answer
The command "nmap -sS -v 192.168.0.0/24" runs nmap with host discovery enabled. Before any port scanning, nmap probes every address in the subnet. For a privileged user the default discovery probes are an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request (on a directly attached Ethernet segment nmap uses ARP instead). nmap reports "Host is up" when it receives a SYN-ACK or a RST in response, and then scans only the 1,000 most common ports against the hosts it determined to be up.

This triggers a Host Sweep detection, because the discovery phase sends probes to the same destination ports (80 and 443) on many different hosts.

The same behavior is observed if you run nmap without root privileges (it then cannot send raw SYN packets and falls back to connect()-based probes, with host discovery done by connecting to ports 80 and 443), and it happens even if you choose to disable host discovery.

Additional Information
The TCP Port Scan option tracks scanning of distinct ports against the same destination IP address. It keeps a counter of ports hit per destination IP within a sliding time window (the interval) and raises the alert when enough hits cross the configured threshold. Host Sweep keeps track of connections going to different destination IPs on the same destination port. In a nutshell, Host Sweep and TCP Port Scan are opposites: TCP Port Scan looks for many distinct ports on one destination IP, Host Sweep looks for one destination port across many destination IPs.

By default nmap randomizes the order in which ports are probed and probes a group of target hosts in parallel, so within any short interval the probes are spread over random ports on many destination IPs in the subnet. This decreases the likelihood of counting enough distinct ports per destination IP within the configured interval, so it will be easier to see hits of TCP Port Scan if you either remove the randomization from the nmap scan or adjust the interval and threshold values to make the detection more sensitive. The first suggested step is to remove randomization, so that you can verify that the alerts do trigger on the firewall. You can then begin adjusting the TCP Port Scan sensitivity to detect scans while avoiding false positives.

Commands to try, each adding one option to the previous one:
sudo nmap -Pn -sS -v 192.168.0.0/24 (-Pn: skip host discovery and scan every address)
sudo nmap -Pn -sS -v -p- 192.168.0.0/24 (-p-: all 65535 ports instead of the top 1,000)
sudo nmap -Pn -sS -v -r -p- 192.168.0.0/24 (-r: probe ports in sequential order, no randomization)
sudo nmap -Pn -sS -v -r -n -p- 192.168.0.0/24 (-n: no DNS resolution)
sudo nmap -Pn -sS -v -r -n --send-ip -p- 192.168.0.0/24 (--send-ip: send raw IP packets instead of raw Ethernet frames)

If you also have Host Sweep enabled on an internal zone, keep in mind that a Host Sweep is, by definition, very similar to regular internet activity: many connections from one source to different IPs on the same destination port (for example 80 or 443) are highly likely to be false positives.

The subnet 192.168.0.0/24 is used as an example in this article. Please use the appropriate subnet in CIDR notation in your nmap commands.

Note: This article is written for informational purposes only. Palo Alto Networks does not support any third-party operating systems.
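The following is an added example, not Palo Alto Networks code and not how PAN-OS implements the feature. It models the two counters described above (distinct ports per destination IP for TCP Port Scan, distinct destination IPs per destination port for Host Sweep) as sliding-window counters and runs them over constructed traffic shaped like the three nmap behaviours discussed: default host discovery, a sequential -r -p- scan of one host, and the default randomized ordering spread across the subnet. The interval (2 s), thresholds (100 ports, 50 hosts), probe rate and the scanner address 10.0.0.5 are assumptions chosen for illustration.

```python
"""Toy model of the two reconnaissance counters discussed in this article.

Added example, not Palo Alto Networks code. The interval, thresholds,
probe rate and scanner/target addresses are assumptions for illustration,
not PAN-OS defaults.
"""
import random
from collections import Counter, defaultdict, deque

SRC = "10.0.0.5"                                   # constructed scanner address
HOSTS = [f"192.168.0.{i}" for i in range(1, 255)]  # the article's example /24
RATE = 1000.0                                      # assumed probes per second


class SlidingDistinctCounter:
    """Counts distinct values per key within the last `interval` seconds and
    records the key as alerted once the distinct count reaches `threshold`."""

    def __init__(self, interval, threshold):
        self.interval = interval
        self.threshold = threshold
        self.window = defaultdict(deque)     # key -> deque of (t, value)
        self.counts = defaultdict(Counter)   # key -> value -> hits in window
        self.alerted = set()

    def observe(self, t, key, value):
        win, cnt = self.window[key], self.counts[key]
        win.append((t, value))
        cnt[value] += 1
        # Expire events that fell out of the sliding interval.
        while win and win[0][0] < t - self.interval:
            _, old = win.popleft()
            cnt[old] -= 1
            if cnt[old] == 0:
                del cnt[old]
        if len(cnt) >= self.threshold:
            self.alerted.add(key)
        return key in self.alerted


def run_detectors(probes, interval=2.0, port_scan_threshold=100, host_sweep_threshold=50):
    """Feed (time, src, dst, dport) probes through both counters.

    TCP Port Scan: distinct destination ports per (src, dst) within the interval.
    Host Sweep:    distinct destination IPs per (src, dport) within the interval.
    """
    port_scan = SlidingDistinctCounter(interval, port_scan_threshold)
    host_sweep = SlidingDistinctCounter(interval, host_sweep_threshold)
    for t, src, dst, dport in sorted(probes):
        port_scan.observe(t, (src, dst), dport)
        host_sweep.observe(t, (src, dport), dst)
    return {"tcp_port_scan": sorted(port_scan.alerted),
            "host_sweep": sorted(host_sweep.alerted)}


# --- constructed traffic shapes for the three nmap behaviours discussed ---

def default_discovery_probes():
    """nmap with host discovery on (privileged): TCP ACK to 80 and TCP SYN to 443
    against every address in the subnet, one host after another. The ICMP
    discovery probes are omitted because the counters here only see TCP."""
    probes, t = [], 0.0
    for host in HOSTS:
        for port in (80, 443):
            probes.append((t, SRC, host, port))
            t += 1 / RATE
    return probes


def sequential_full_scan_probes(host=HOSTS[0], nports=1000):
    """-Pn -r -p- style: one host, ports in ascending order (truncated to nports)."""
    return [(i / RATE, SRC, host, port) for i, port in enumerate(range(1, nports + 1))]


def randomized_probes(nprobes=4000, nports=1000, seed=1):
    """Default nmap ordering: random ports spread across many hosts of the subnet,
    so few distinct ports land on any single host inside one interval."""
    rng = random.Random(seed)
    return [(i / RATE, SRC, rng.choice(HOSTS), rng.randint(1, nports))
            for i in range(nprobes)]


if __name__ == "__main__":
    for name, probes in [("default discovery", default_discovery_probes()),
                         ("sequential -r -p-", sequential_full_scan_probes()),
                         ("randomized", randomized_probes())]:
        print(name, run_detectors(probes))
```

Running it shows the pattern the article describes: the discovery traffic alerts Host Sweep on ports 80 and 443 and never TCP Port Scan, the sequential single-host scan alerts TCP Port Scan only, and the randomized spread alerts neither with these thresholds, which is why the article suggests removing randomization first and only then tuning interval and threshold.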