How do I analyze alerts for SCAN: Host Sweep (8002)?

Created On 11/20/20 17:57 PM - Last Modified 03/17/23 15:25 PM


Question


How do I analyze alerts for SCAN: Host Sweep (8002)?

Environment


  • Palo Alto Firewall.
  • PAN-OS 8.1 and above.
  • Threat Log displays SCAN: Host Sweep


Answer


During a threat analysis, one of the first resources to consult is the Threat Vault. Searching it for SCAN: Host Sweep (8002) shows the entry as a Vulnerability Protection Signature; however, it will not necessarily be found in the GUI under Objects > Vulnerability Profiles. This alert is part of the Reconnaissance Protection offered by Zone Protection, and the signature is applied at the ingress zone through a Zone Protection Profile.

A Host Sweep is a tactic in which an attacker scans a specific port on many systems to determine where it is open and potentially vulnerable. The information gathered is used in the reconnaissance phase of the Cyber Attack Lifecycle, and it tells the attacker on which hosts network connectivity to the targeted port can be established.

A Host Sweep alert is generated when a host sends TCP SYN packets to multiple destinations on the same destination port within a defined time period. Events are tracked as destination-ip+destination-port pairs. The default action for a Host Sweep alert is "Alert", triggered when 100 events are detected within a 10-second period. This threshold can be tuned in the Zone Protection Profile by adjusting the time interval, which ranges from 2 to 65,535 seconds (default 10).

Which destination IP addresses were probed is not otherwise considered in determining Host Sweep events: as long as a single source host breaches the threshold, a Host Sweep alert is triggered regardless of the number of IP addresses involved.

A Host Sweep may occur for various reasons, such as:
1. Part of a bot or worm looking for hosts to infect
2. A malicious actor searching for vulnerable systems for a specific vulnerability
3. A targeted attack by an Advanced Persistent Threat (APT) looking for vulnerabilities.

If Host Sweep is also enabled on an internal zone, detections there may simply reflect ordinary internet activity. Host Sweep monitoring counts connections to many different IP addresses on the same destination port; on ports such as 80 or 443 these are very likely false positives. A detection on a port other than 80, 443, or another recognizable service port may instead indicate an attempt to beacon out, and in that case the host or hosts generating the traffic should be investigated for compromise.
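The threshold logic described above (SYNs from one source to distinct destination-ip+destination-port pairs on one port, counted within a sliding interval) and the port-based triage in the previous paragraph, modelled as an added Python example. This is illustrative code written for this article, not PAN-OS code; the flow records, hosts and the `LIKELY_BENIGN_PORTS` set are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow records for this example (not from the article):
# (timestamp_seconds, src_ip, dst_ip, dst_port, tcp_flags)
SAMPLE_FLOWS = (
    # fast sweep: 120 distinct hosts on tcp/445 within 6 s -> should alert
    [(i * 0.05, "10.1.1.50", f"192.0.2.{i}", 445, "S") for i in range(1, 121)]
    # fast sweep on tcp/443 -> alerts, but a likely false positive per the article
    + [(20 + i * 0.05, "10.1.1.70", f"198.51.100.{i}", 443, "S") for i in range(1, 121)]
    # slow probe: 120 hosts on tcp/22 at 0.5 s spacing -> only 20 per 10 s window, no alert
    + [(40 + i * 0.5, "10.1.1.90", f"203.0.113.{i}", 22, "S") for i in range(1, 121)]
)

def detect_host_sweeps(flows, threshold=100, interval=10.0):
    """Model of the Host Sweep logic: for each source, count distinct
    (dst_ip, dst_port) pairs sharing one destination port that received a
    TCP SYN inside a sliding `interval`; emit an event when the count reaches
    `threshold`. Returns [(src_ip, dst_port, first_ts, last_ts)]."""
    if not 2 <= interval <= 65535:
        raise ValueError("interval must be between 2 and 65535 seconds")
    window = defaultdict(dict)   # (src_ip, dst_port) -> {dst_ip: latest SYN ts}
    events = []
    for ts, src, dst, dport, flags in sorted(flows):
        if "S" not in flags or "A" in flags:      # only initial SYNs count
            continue
        probed = window[(src, dport)]
        probed[dst] = ts
        # drop destinations whose last SYN fell outside the interval
        for ip in [ip for ip, t in probed.items() if ts - t > interval]:
            del probed[ip]
        if len(probed) >= threshold:
            events.append((src, dport, min(probed.values()), ts))
            probed.clear()                          # one event per burst
    return events

LIKELY_BENIGN_PORTS = {80, 443}   # assumption: common web ports, per the article's guidance

def triage(event, from_untrust=False):
    """Apply the article's triage guidance to one detected event."""
    src, dport, _, _ = event
    if from_untrust:
        return f"{src}: external scan for tcp/{dport} services; set action to Block or Block IP"
    if dport in LIKELY_BENIGN_PORTS:
        return f"{src}: internal sweep on tcp/{dport}, likely false positive (web traffic)"
    return f"{src}: internal sweep on unusual port tcp/{dport}, investigate host for compromise"

if __name__ == "__main__":
    for ev in detect_host_sweeps(SAMPLE_FLOWS):
        print(triage(ev))
```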

If the traffic originates from Un-Trust to Trust, someone may be scanning the network for vulnerable services. Available actions are "Allow," "Alert," "Block," and "Block IP"; best practice is to set the action to "Block" or "Block IP." Choose the action appropriate for your network, bearing in mind that "Allow" and "Alert" do not block the traffic.

If Zone Protection is in use, ensure it is enabled on the untrusted zone so that the Host Sweep threat ID is applied. If Zone Protection is not configured in any profile, consider opening a Support Case for Strata to investigate further.

It is worth noting that Host Sweep detections will not be triggered if the Host Sweep traffic is denied by a Security Policy.

When investigating Host Sweeps, keep the following in mind:
  • There is no CLI visibility into Host Sweep counters
  • If you choose to stop the traffic, you can set an action of 'Block' or 'Block IP'. 'Block' will block the current traffic, while 'Block IP' will add the IP address associated with the traffic to the Block IP List. To learn more, refer to Monitor > Block IP.

