04-15-2021 08:02 AM
We have an iPad that is triggering our scan block policy as a host sweep. The iPad is attempting to connect to one external (Internet) IP over port 443. It's happened for the past few days to a different external IP each time.
Threat vault info.
Name: SCAN: Host Sweep
Unique Threat ID: 8002
Has anyone else seen this behavior?
What are the thresholds for this threat?
04-19-2021 02:33 PM
Hello,
This could just be the way the iPad is communication outbound. Collect a pcap and see if you can find anything within it.
Regards,
04-20-2021 07:37 AM
It looks like it's more than just an iPad. It's both iOS and Android devices. They are triggering the host sweep alert when communicating with Internet addresses which appear legitimate, so this is either OS or app traffic. I do know that if it's not successful (blocked by the firewall) the device may not function correctly as it can't confirm an Internet connection.
04-20-2021 08:08 AM
Host sweep will detect whenever a source attempts to hit different IP addresses on the same destination port, which if you think of it is by definition internet activity (multiple IP's hit on port 443 and 80). This means that if you enable this protection on an internal Zone with internet access, it is highly likely to trigger FP's continuously for public IP's on the internet on regular internet ports (most frequently 443 and 80).
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
