ADS SCANS method details

 

Information

 

Summary:

Detailed description of ADS SCANS method parameters.

Environment:

Product: Flowmon ADS

Version: Any

Platform: Any

Question/Problem Description:

Method parameters are not clear.

Resolution:

The SCANS method has the following submethods:

  • TCPSYN: Reports scanning of services using the TCP protocol. Only flows with the SYN flag set are used for detection.
  • TCPFIN: Reports scanning of services using the TCP protocol. Only flows with the FIN flag set are used for detection.
  • TCPNull: Reports scanning of services using the TCP protocol. Flows without any flags set are used for detection.
  • TCPXmas: Reports scanning of services using the TCP protocol. Flows with the PSH, URG, and FIN flags set are used for detection.
  • UDP: Reports scanning of services using the UDP protocol. UDP and ICMP flows are used for detection.
  • ARP: Reports scanning for live devices in the network using the ARP protocol.
  • PortBased: Reports TCP port scanning in which all the user-defined ports are accessed in a short time period.

DetectOnlyKnown (this parameter is used for TCP SYN, FIN, Null, and Xmas scans)

  • "do not limit": all ports are considered for detection.
  • "known and specified": ports lower than 1024 (called known ports) plus the ports defined by the DetectThesePorts parameter are considered for detection.
  • "only specified": only ports specified by the DetectThesePorts parameter are considered for detection.

DetectThesePorts (this parameter is used for TCP SYN, FIN, Null, and Xmas scans; and also for PortBased detection scans)

This parameter is used for PortBased detection scans and also for other TCP scans if DetectOnlyKnown is set to "known and specified" or "only specified".

 

PortBasedDetection

If active, the TCP SYN, FIN, Null, and Xmas scans are disabled, and TCP scans are detected without considering TCP flags. It is useful only when the flow data is of low quality, with TCP flags missing or unreliable.

DetectThesePorts has to be filled in for successful PortBased detection.

The port list refers to the DetectThesePorts parameter.
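
The port and flag selection described above, as an added Python sketch (not Flowmon ADS code and not from the vendor): it shows which flows each DetectOnlyKnown setting, and PortBasedDetection, would leave in play. Assumptions: flags are matched exactly per submethod, the function names and sample flows are constructed for illustration, and detection thresholds and time windows are not modelled.

```python
# Added illustration, not Flowmon ADS code; the flag-matching rules are assumptions.
FIN, SYN, PSH, URG = 0x01, 0x02, 0x08, 0x20   # standard TCP flag bits
KNOWN_PORT_LIMIT = 1024                       # article: ports lower than 1024 are "known"

def port_eligible(port, detect_only_known, detect_these_ports):
    """Apply DetectOnlyKnown / DetectThesePorts as the article describes them."""
    if detect_only_known == "do not limit":
        return True
    if detect_only_known == "known and specified":
        return port < KNOWN_PORT_LIMIT or port in detect_these_ports
    if detect_only_known == "only specified":
        return port in detect_these_ports
    raise ValueError(f"unknown DetectOnlyKnown value: {detect_only_known!r}")

def submethod(flags):
    """Map a flow's TCP flags to a flag-based submethod (assumed exact match)."""
    if flags == 0:
        return "TCPNull"
    if flags == FIN | PSH | URG:
        return "TCPXmas"
    if flags == FIN:
        return "TCPFIN"
    if flags == SYN:
        return "TCPSYN"
    return None  # any other combination, e.g. a completed session

def candidate_flows(flows, detect_only_known, detect_these_ports, port_based=False):
    """Return (src, dst_port, submethod) for flows that would be considered."""
    selected = []
    for src, dst_port, flags in flows:
        if port_based:
            # PortBasedDetection: flags are ignored, only DetectThesePorts counts.
            if dst_port in detect_these_ports:
                selected.append((src, dst_port, "PortBased"))
        else:
            name = submethod(flags)
            if name and port_eligible(dst_port, detect_only_known, detect_these_ports):
                selected.append((src, dst_port, name))
    return selected

# Constructed sample flows: (source IP, destination port, TCP flags).
SAMPLE = [
    ("192.0.2.10", 22, SYN),
    ("192.0.2.10", 8443, SYN),
    ("192.0.2.10", 3389, FIN | PSH | URG),
    ("192.0.2.10", 445, 0),
    ("192.0.2.20", 443, 0x1B),  # SYN+ACK+PSH+FIN: a normal completed session
]
```

With "known and specified" and DetectThesePorts set to 3389, the SYN flow to port 8443 drops out of consideration, which is the coverage gap to keep in mind when narrowing the port list.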
