This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
Help with Threat log SCAN: Host Sweep
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- Discussions
- Cloud Delivered Security Services
- Threat & Vulnerability
- Re: Help with Threat log SCAN: Host Sweep
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Help with Threat log SCAN: Host Sweep
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
01-16-2020 08:47 AM
I am looking for assistance interpreting a report that shows “SCAN Host sweep traffic” in my threat log. There are multiple internal sources scanning multiple destination IP addresses that I do not own. The daily number of scans detected from each source is between 2 and 10. The source machine rarely scans the same destination. Is this a low level attack trying to stay under the radar or is there an explanation that does not indicate a problem on my network? I appreciate any feedback.
Type: Scan
Name: SCAN: Host Sweep
From Zone: Inside
To Zone: Outside
Source address: Internal IP address owned by me
Destination Address: various external addresses not owned by me.
Port; 99% of the time 443. Occasionally port 80 or 22222
This screen shot show traffic during one time frame. I see various Source and Destination addresses.
This screen shot is filtered by destination address. This destination address is scanned various times from different Source addresses over the course of several days.
13 REPLIES 13
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
01-24-2020 01:23 PM
I see 100 views but no comments. Is there additional information I can add to help refine my question?
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
01-24-2020 02:09 PM
Hello,
Could be something attempting to beacon out. I would check the hosts for compromise and keep making sure the PAN blocks the traffic for now.
Also check the destination IP's, if they are something that your systems are supposed to be reaching out to.
Regards,
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
01-29-2020 06:57 AM
Thank you for replying. I am concerned because those addresses are not relevant to our daily business, but each machine is performing only a few sweeps a day. I am concerned at this traffic, but wondering if I am just being paranoid?
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
01-29-2020 07:12 AM
Hello,
A little paranoia is OK especially if you dont have a baseline. I would investigate the hosts and see what is actually causing the traffic.
Regards,
Related Content
- Trying to identify a threat by host contact attempts in Threat & Vulnerability Discussions
- Host Sweep in Threat & Vulnerability Discussions
- Wininfo.exe alerts - Received alert from Traps regarding malware detection of maximum system in Threat & Vulnerability Discussions
- Host sweep alert from an iPad in Threat & Vulnerability Discussions
- Apache Tomcat WebSocket Denial-of-Service Vulnerability' generated by NGFW in Threat & Vulnerability Discussions
Like what you see?
Show your appreciation!
Click Like if a post is helpful to you or if you just want to show your support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks