Is there anyone here that might be able to explain how portscan detection in the UTM works? I found this document Understanding PortScan Detection but actually, I wonder if I completely understand the internal workings of this mechanism.
My problem is the following: I have a device which does Kerberos authentication against our domain controller. In between our UTM, which, from time to time, alerts "port scans". Turns out, this port scans seem to actually be Kerberos communication between device and DC (dstport 88). Going by the referenced document, a request going to 88/TCP raises the "detection scrore" for said device to 3 point (I'm not really sure what "Scan of a TCP destination port" exactly means, but I assume it just means a connection attempt). Now what does raise the score to alert-generating emergency level 21? Are all connections to the same port within 300ms counted? If so, this seems rather useless to me as that's not really what a port scan is about. If not, where do the missing 18 points come from?
As a side note, the algorithm explained in the article seems to me as to produce lots of false positives, while at the same time being unable to detect serious port scan attempts the are carried out with enough patience. An I missing something? And can anyone explain what's so special about ports 11, 12, 13 and 2000 to generate 10 detection score points?
This thread was automatically locked due to age.
