Chapter 3 IPS Filtering

The Port Scan/Host Sweep Filters (Filter numbers 7000-7004) available in the Application Protection Category - Reconnaissance group are designed to protect the network against port scans and host sweeps. These filters monitor the rate of connections generated by hosts on the network. A filter triggers when the connection rate during a specified interval rises above a given threshold.

The following figure shows the Port Scan/Host Sweep Filters added to the Security Profile for editing.

Figure 3–4: Security Profile: Port Scan/Host Sweep Filter Overrides

The Port Scan/Host Sweep Attack filters can only be used to monitor traffic on Security Zones that include physical ports. That is, you cannot run Port Scan/Host Sweep filters on VLANs or zones configured with a Virtual Server.

In the Category Settings, all Port Scan/Host Sweep filters are disabled. To apply these filters to the Security Profile, enable the filters, tune the threshold and timeout interval settings, and assign an action set based on your network requirements. Because the Recommended setting for Port Scan/Host Sweep filters is disabled, you have to assign a specific action set to a filter to enable it.

Filter Tuning

You can tune the sensitivity of Port Scan/Host Sweep filters by adjusting their Timeout and Threshold parameters. The timeout value is used in combination with the threshold value to determine whether or not an alert is sent.

For example, if the time interval is 300 seconds (5 minutes) and the connection threshold is 100 hits, then the filter triggers each time the number of connections within a 300 second (five minute) interval exceeds the threshold or a multiple of it, that is, at the 101st, 201st, 301st... connection.

The filters support any of the configured action sets available on the device. You can also configure IP address exceptions.
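The following is an added example, not code from the LSM guide or from the device itself: a small model of the threshold/timeout logic described above (alert at the 101st, 201st, 301st... connection inside the interval) together with IP address exceptions, run over constructed traffic so that the effect of tuning can be seen. The fixed-window semantics (a host's interval starts at its first counted connection and restarts after `timeout` seconds), the `RateFilter` class, the `Connection` record and all addresses are my assumptions for illustration; the guide does not document how the device bounds its interval.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# One observed connection attempt: timestamp (seconds), source, destination, destination port.
Connection = namedtuple("Connection", "ts src dst dport")


class RateFilter:
    """Model (my assumption, not the device's implementation) of a Port Scan/Host Sweep
    filter: count connections per source host inside a window of `timeout` seconds and
    alert whenever the count exceeds the threshold or a multiple of it
    (threshold+1, 2*threshold+1, ...), as the guide describes for 100 hits / 300 s."""

    def __init__(self, threshold, timeout, exceptions=()):
        self.threshold = threshold
        self.timeout = timeout
        # IP address exceptions: connections from these sources are never counted.
        self.exceptions = [ip_network(e) for e in exceptions]
        self._windows = {}  # src -> (window_start_ts, count)
        self.alerts = []    # (ts, src, count) for each trigger

    def _excepted(self, src):
        addr = ip_address(src)
        return any(addr in net for net in self.exceptions)

    def observe(self, conn):
        """Count one connection; return an alert tuple if the filter triggers, else None."""
        if self._excepted(conn.src):
            return None
        start, count = self._windows.get(conn.src, (conn.ts, 0))
        if conn.ts - start >= self.timeout:
            # The interval has expired for this host: start a fresh window.
            start, count = conn.ts, 0
        count += 1
        self._windows[conn.src] = (start, count)
        # Trigger at threshold+1, 2*threshold+1, ... within the window.
        if count > self.threshold and (count - 1) % self.threshold == 0:
            alert = (conn.ts, conn.src, count)
            self.alerts.append(alert)
            return alert
        return None


def constructed_traffic():
    """Constructed sample traffic (not a capture): a fast scanner, a slow scanner that
    stays under the default rate, and an excepted management host."""
    conns = []
    # 10.0.0.5: 250 connections in 200 s, walking ports on one target.
    for i in range(250):
        conns.append(Connection(i * 0.8, "10.0.0.5", "10.0.1.20", 1 + i))
    # 10.0.0.6: 150 connections spread over 600 s (one every 4 s).
    for i in range(150):
        conns.append(Connection(i * 4.0, "10.0.0.6", "10.0.1.20", 1 + i))
    # 192.168.1.10: a management host that polls 500 ports and is on the exception list.
    for i in range(500):
        conns.append(Connection(i * 0.5, "192.168.1.10", "10.0.1.20", 1 + i))
    return sorted(conns, key=lambda c: c.ts)


def run_demo():
    """Run the same traffic through three tunings; return {label: [(src, count), ...]}."""
    traffic = constructed_traffic()
    results = {}
    for label, threshold, timeout in [("default", 100, 300),
                                      ("longer_timeout", 100, 600),
                                      ("lower_threshold", 50, 300)]:
        f = RateFilter(threshold, timeout, exceptions=["192.168.1.0/24"])
        for c in traffic:
            f.observe(c)
        results[label] = [(src, count) for _, src, count in f.alerts]
    return results


if __name__ == "__main__":
    for label, alerts in run_demo().items():
        print(label, alerts)
```

With the default 100 hits / 300 seconds only the fast scanner triggers (at its 101st and 201st connection); the slow scanner never accumulates more than 75 connections in one interval and is missed. Lengthening the timeout to 600 seconds or lowering the threshold to 50 catches it, while the excepted management host is never counted. This is the trade-off the Timeout and Threshold parameters expose: a longer interval or lower threshold catches slower scans at the cost of more alerts from legitimately busy hosts, which is what the IP address exceptions are for.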

Edit a Port Scan/Host Sweep Filter

STEP 1

From the LSM menu, click Security Profiles. Then, edit the Security Profile on which you want to provide Port Scan/Host Sweep filter protection.

The Security Profile must contain zones that have physical ports.

STEP 2

On the Security Profile page, scroll down to the Advanced Options, Filters section.

36 X Family LSM User’s Guide V 2.5.1