topic Re: Host sweep alert from an iPad in Advanced Threat Prevention Discussions

Host sweep alert from an iPad

MikeSangray2019 — Thu, 15 Apr 2021 15:02:11 GMT

We have an iPad that is triggering our scan block policy as a host sweep. The iPad is attempting to connect to one external (Internet) IP over port 443. It's happened for the past few days to a different external IP each time.

Threat vault info.

Name: SCAN: Host Sweep

Unique Threat ID: 8002

Has anyone else seen this behavior?

What are the thresholds for this threat?

Re: Host sweep alert from an iPad

OtakarKlier — Mon, 19 Apr 2021 21:33:20 GMT

Hello,

This could just be the way the iPad is communication outbound. Collect a pcap and see if you can find anything within it.

Regards,

Re: Host sweep alert from an iPad

MikeSangray2019 — Tue, 20 Apr 2021 14:37:37 GMT

It looks like it's more than just an iPad. It's both iOS and Android devices. They are triggering the host sweep alert when communicating with Internet addresses which appear legitimate, so this is either OS or app traffic. I do know that if it's not successful (blocked by the firewall) the device may not function correctly as it can't confirm an Internet connection.

Re: Host sweep alert from an iPad

mivaldi — Tue, 20 Apr 2021 15:08:12 GMT

Host sweep will detect whenever a source attempts to hit different IP addresses on the same destination port, which if you think of it is by definition internet activity (multiple IP's hit on port 443 and 80). This means that if you enable this protection on an internal Zone with internet access, it is highly likely to trigger FP's continuously for public IP's on the internet on regular internet ports (most frequently 443 and 80).