I am looking for assistance interpreting a report that shows “SCAN Host sweep traffic” in my threat log. There are multiple internal sources scanning multiple destination IP addresses that I do not own. The daily number of scans detected from each source is between 2 and 10. The source machine rarely scans the same destination. Is this a low level attack trying to stay under the radar or is there an explanation that does not indicate a problem on my network? I appreciate any feedback. Type: Scan Name: SCAN: Host Sweep From Zone: Inside To Zone: Outside Source address: Internal IP address owned by me Destination Address: various external addresses not owned by me. Port; 99% of the time 443. Occasionally port 80 or 22222 This screen shot show traffic during one time frame. I see various Source and Destination addresses. This screen shot is filtered by destination address. This destination address is scanned various times from different Source addresses over the course of several days.
... View more