I am getting this alert: 'Masscan Port Scanning Tool Detection'. What can I do that will stop the scanning? I would think I would need to do more than alert, and when I checked the threat database it didn't really offer much.
The default action for this is simply to alert. As is, I generally set it so anything coming from external resources with a severity greater than or equal to medium gets reset, regardless of default action. You might want to look at making the same modification to the threat profile utilized on your external security entries.
One of the things you might want to look at is the firewall's built-in block-ip option that can limit the source-ip from connecting for a set duration. You can also set up MineMeld to pull indicators from the threat logs (either through log-forwarding to a SIEM or directly through the API) so you can feed these into a block-list, so to speak, by utilizing the EDL functionality.
How's it going? As always you have many good suggestions. I decided to change the action to drop. I currently don't have MineMeld, and doesn't that cost? I currently do not have a SIEM set up yet; I may need to look into that.
The product is included with AutoFocus, which does have a cost associated with it, and that has caused a fair amount of confusion; MineMeld itself, however, is open source and can be installed by itself without any cost associated.
You can get the indicators added automatically to MineMeld using some scripts to pull a custom report through the API, and feeding the indicators into a file that gets fed into MineMeld as an indicator list. I might write a post about that one of these days.
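The kind of script the last reply describes, as an added example that is not part of the original thread or any Palo Alto Networks code: it turns a threat report into a deduplicated block-list file with one IP per line. The XML layout (`entry`, `src`, `threatid`, `repeatcnt`), the sample data and the allow-listed range are constructed assumptions, and fetching the report through the API is left out.

```python
import ipaddress
import os
import tempfile
import xml.etree.ElementTree as ET
from collections import Counter

THREAT = "Masscan Port Scanning Tool Detection"
# Constructed sample report; element names are assumptions, match them to your export.
_ROWS = [("198.51.100.23", THREAT, 14), ("198.51.100.23", THREAT, 3),
         ("203.0.113.7", THREAT, 1), ("192.168.1.50", THREAT, 40),
         ("203.0.113.99", THREAT, 9), ("not-an-ip", THREAT, 2),
         ("198.51.100.200", "Other Signature", 5)]
SAMPLE_REPORT = "<response><result>" + "".join(
    f"<entry><src>{s}</src><threatid>{t}</threatid><repeatcnt>{c}</repeatcnt></entry>"
    for s, t, c in _ROWS) + "</result></response>"

# Never block internal ranges, whatever the log says.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def build_blocklist(report_xml, threat_name, allow=(), min_hits=2):
    """Return source IPs seen at least min_hits times for threat_name."""
    skip = NEVER_BLOCK + [ipaddress.ip_network(n) for n in allow]
    hits = Counter()
    for entry in ET.fromstring(report_xml).iter("entry"):
        if (entry.findtext("threatid") or "").strip() != threat_name:
            continue
        try:
            ip = ipaddress.ip_address((entry.findtext("src") or "").strip())
        except ValueError:
            continue  # malformed source field, ignore the row
        if any(ip in net for net in skip):
            continue  # internal or explicitly allowed source
        hits[ip] += int(entry.findtext("repeatcnt") or 1)
    ordered = sorted(hits, key=lambda ip: (ip.version, int(ip)))
    return [str(ip) for ip in ordered if hits[ip] >= min_hits]

def write_list(path, ips):
    """Write one IP per line via a temp file, so a poller never reads a partial list."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as fh:
        fh.write("".join(ip + "\n" for ip in ips))
    os.replace(tmp, path)

if __name__ == "__main__":
    # 203.0.113.96/28 stands in for an authorised external scanner (hypothetical).
    print(build_blocklist(SAMPLE_REPORT, THREAT, allow=["203.0.113.96/28"]))
```

The `min_hits` threshold and the allow-list keep a single stray hit or a known scanner from ending up in the block-list.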