Host sweep alert from an iPad

L3 Networker

We have an iPad that is triggering our scan block policy as a host sweep. The iPad is attempting to connect to one external (Internet) IP over port 443. It's happened for the past few days to a different external IP each time.

 

Threat vault info.

Name: SCAN: Host Sweep

Unique Threat ID: 8002

 

Has anyone else seen this behavior?

What are the thresholds for this threat?

 

 

Cyber Elite

Hello,

This could just be the way the iPad is communicating outbound. Collect a pcap and see if you can find anything within it.

 

Regards,

It looks like it's more than just an iPad. It's both iOS and Android devices. They are triggering the host sweep alert when communicating with Internet addresses which appear legitimate, so this is either OS or app traffic. I do know that if it's not successful (blocked by the firewall) the device may not function correctly as it can't confirm an Internet connection.

Host sweep will detect whenever a source attempts to hit different IP addresses on the same destination port, which, if you think of it, is by definition internet activity (multiple IPs hit on port 443 and 80). This means that if you enable this protection on an internal Zone with internet access, it is highly likely to trigger FPs continuously for public IPs on the internet on regular internet ports (most frequently 443 and 80).
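Added example, not part of the thread and not the firewall vendor's code: a sliding-window counter for the behavior the last reply describes (one source, many destination IPs, same destination port), run over constructed traffic to show why ordinary browsing trips it while repeated sessions to one server do not. `THRESHOLD` and `INTERVAL` are assumed values for illustration; the thread does not state the product's actual thresholds.

```python
from collections import defaultdict, deque

# Assumed values for illustration only; not the firewall's actual thresholds.
THRESHOLD = 5    # distinct destination IPs
INTERVAL = 10    # seconds


def host_sweeps(events, threshold=THRESHOLD, interval=INTERVAL):
    """Return sorted (src, dport) pairs that reached `threshold` distinct
    destination IPs on one port within any `interval`-second window.
    `events` is an iterable of (timestamp, src, dst, dport) tuples."""
    windows = defaultdict(deque)  # (src, dport) -> deque of (ts, dst)
    flagged = set()
    for ts, src, dst, dport in sorted(events):
        win = windows[(src, dport)]
        win.append((ts, dst))
        # Drop entries that have aged out of the sliding window.
        while ts - win[0][0] >= interval:
            win.popleft()
        if len({d for _, d in win}) >= threshold:
            flagged.add((src, dport))
    return sorted(flagged)


def sample_events():
    """Constructed sample traffic using documentation address ranges."""
    events = []
    # Tablet loading a page: six CDN/API hosts on 443 within three seconds.
    for i in range(6):
        events.append((i * 0.5, "192.0.2.10", f"203.0.113.{i + 1}", 443))
    # Client polling one server on 443: many sessions, a single destination.
    for i in range(20):
        events.append((i * 0.4, "192.0.2.20", "198.51.100.7", 443))
    # Client reaching six hosts on 443, but spread over a minute.
    for i in range(6):
        events.append((i * 12.0, "192.0.2.30", f"203.0.113.{i + 50}", 443))
    return events


if __name__ == "__main__":
    for src, dport in host_sweeps(sample_events()):
        print(f"host sweep: {src} -> many destinations on port {dport}")
```

Only the page-load burst from 192.0.2.10 is flagged, which is the false-positive pattern the reply attributes to internal zones with internet access.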
