Peanican
New Member
April 15, 2014
Question

Honeypot - Port Scanning

  • April 15, 2014
  • 3 replies
  • 15035 views
What do I need to trigger a 'port scan' alert? I put a laptop on one interface on my firewall and allowed all traffic in/out with all the security profiles enabled. I have been pounding the network with Nessus scans. I can see everything in the traffic logs. But nothing is registering in the IDS logs. I have also enabled the DoS policy but don't even know where that is logged? Any help would be appreciated.

    3 replies

    ShrewLWD
    New Member
    April 16, 2014

    Hi Peanican, Without a model number and firmware, it's hard to say, but start here, and scroll down specifically to Andrea's fully fleshed out post at the bottom, to make sure your logging and alerting are set correctly. You will need to have either disk or memory logging enabled, and the logging disk/partition formatted, if you have a device that has a disk/partition (flash/SSD, etc.) https://forum.fortinet.com/FindPost/106095

    Dipen
    New Member
    April 30, 2014
    Additionally, please check the IPS profile: what action has been set in the IPS signatures?
    neonbit
    New Member
    May 6, 2014
    If you enabled a DOS policy with logging then the logs should populate under Security > Intrusion Prevention. To confirm that it's actually triggering you can use the following command to see if the DOS policy has been tripped:

        # diagnose ips anomaly list

    Below is an example from my lab device (.54) which was doing an nmap scan. The DOS policy I had configured here was to block tcp-port-scans that were >10

        list nids meter:
        id=tcp_port_scan ip=192.168.101.54 dos_id=1 exp=984 pps=2 freq=6
        total # of nids meters: 1.
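
Added example, not part of the thread and not Fortinet code: a small Python parser for saved `diagnose ips anomaly list` output that reports which source IPs currently have a tripped anomaly meter and checks the parsed count against the device's own total. The sample text is constructed from the output quoted above plus one made-up `icmp_sweep` line; fields other than `id` and `ip` are carried through without interpretation.

```python
import re
from collections import defaultdict

# Constructed sample: the meter quoted in the thread plus one made-up second meter.
SAMPLE = """\
list nids meter:
id=tcp_port_scan ip=192.168.101.54 dos_id=1 exp=984 pps=2 freq=6
id=icmp_sweep ip=192.168.101.54 dos_id=1 exp=120 pps=1 freq=3
total # of nids meters: 2.
"""

# One meter record: "id=..." followed by further key=value pairs, stopping
# before the next record's "id=" so flattened (single-line) pastes also parse.
METER = re.compile(r"\bid=\S+(?:[ \t]+(?!id=)\w+=\S+)*")
PAIR = re.compile(r"(\w+)=(\S+)")
TOTAL = re.compile(r"total # of nids meters:\s*(\d+)")


def parse_meters(text):
    """Return (meters, reported_total); each meter is a dict of its fields."""
    meters = []
    for record in METER.finditer(text):
        fields = dict(PAIR.findall(record.group(0)))
        # Purely numeric values become ints; their meaning is left uninterpreted.
        meters.append({k: int(v) if v.isdigit() else v for k, v in fields.items()})
    total = TOTAL.search(text)
    return meters, int(total.group(1)) if total else None


def tripped_by_source(text):
    """Map each source IP to the sorted anomaly ids that have a meter."""
    meters, total = parse_meters(text)
    if total is not None and total != len(meters):
        # A mismatch means the paste was truncated or the format changed.
        raise ValueError(f"parsed {len(meters)} meters, device reported {total}")
    by_ip = defaultdict(set)
    for meter in meters:
        by_ip[meter["ip"]].add(meter["id"])
    return {ip: sorted(ids) for ip, ids in by_ip.items()}


if __name__ == "__main__":
    for ip, ids in tripped_by_source(SAMPLE).items():
        print(ip, ",".join(ids))
```

An empty result with a reported total of 0 means no DoS anomaly has been tripped, which is the situation the original question describes.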