Port scan Detection XG18

Are you talking about the WAN port of the appliance? There is no direct port scan detection, but this recent posting might be helpful. Basically you can look at the Firewall log (on-device, in Sophos Central, or output to your own log server) for Appliance Access refusals.

It might also be possible to request these log entries via the API, but I've not used the API before.

If you're talking about port scanning on your internal network, I don't have a solution. I do have a guest network and a work-from-home network and I've set both to isolate each device from the other, and I know that broadcasts on those networks show up as Appliance Access rejection messages in the Firewall log, similar to WAN accesses.

I took a look and although a good tool, it's not what I'm looking for. Thank you very much for spending your time to look for a solution though.

You're welcome. I don't think you'll find such a tool that actually works because "port scanning" is ill-defined. That is, a port scanning tool need not hit lots of ports, nor hit them rapidly -- the typical "port scan". In fact, you could do a distributed port scan, testing one port a day from each machine and only testing a limited subset of ports with known vulnerabilities. Not sure that an automated tool would detect that.

According to this article, they have it on the UTM. Sophos UTM: What is portscan detection?

Why would they discontinue it or not integrate into the XG18??

According to this article, they have it on the UTM. Sophos UTM: What is portscan detection?

Why would they discontinue it or not integrate into the XG18??

Right, but would it actually do what you want it to do? Like I said, there's brute force port scanning -- hit all the ports in rapid succession from a single machine -- and then there are much more subtle methods. Does their tool detect all of them? I honestly don't know, but I'm skeptical. The logs can tell you what IPs hit whatever WAN ports you want to look at.

For example, I recently compiled this list of WAN ports that had been hit in the last month on my XGS:

Protocol  Dest Port Service       Hits
TCP       23        Telnet        7127
TCP       65002     Game          3264
TCP       8080      HTTP          3260
ICMP      -         -             3235
TCP       22        SSH           3231
TCP       65004     Game          2843
GRE (47))  -        -             2701
UDP       5060      SIP           1769
UDP       67        BOOTP         1727
TCP       2375      Docker REST   1683
TCP       2376      Docker REST   1561
TCP       3389      RDP           1267
TCP       81        Tor           1239
TCP       5555      ?             1186
UDP       123       NTP           1076
TCP       445       SMB and AD    1042
UDP       53        DNS            844
TCP       10443     ?              770
UDP       389       LDAP           724
UDP       16393     RTP            700
TCP       4200      ?              628
TCP       3128      Squid          620
TCP       8545      ?              577
TCP       8081      ?              497
TCP       1433      MSSQL          489
TCP       6379      Redis          469
UDP       137       NetBIOS        451
UDP       1900      uPnP           450
TCP       5038      ?              438
TCP       9000      Lots-o-stuff   416
TCP       5900      VNC            415
TCP       9200      ElasticSearch  401
TCP       8888      Jupyter etc    395
UDP       161       SNMP           387
TCP       60001     Mosh (SSH)     371
TCP       11211     memcached      358
TCP       2323      ?              350
TCP       4243      Docker         329
TCP       4244      Viber          323
TCP       2377      Docker Swarm   322
TCP       21        FTP            311

Note their rule, which would detect a naive user using a port scan tool with default settings, but not more sophisticated scans. I'd guess they didn't include it because it's simplistic and could give a false sense of security.

A portscan is detected when a detection score of 21 points in a time range of 300 ms for one individual source IP address is exceeded. The calculation of the detection score is as follows:
 

• Scan of a TCP destination port less than 1024: 3 points
• Scan of a TCP destination port greater or equal 1024: 1 point
• Scan of ports 11, 12, 13, 2000: 10 points

How did you compile this list?

Yeah 21 points in a time range of 300 ms is a rapid scan that pro wouldn't do lol

Per the instructions in the other thread. I went into the Firewall logs (on Sophos Central, because the XGS87 has no on-appliance reporting) and made a report that notes Appliance Access denials. By changing the default report to not show IP addresses, I got aggregates, above. (I looked up the port numbers in Wikipedia to come up with the Service; the report doesn't include that.)

Thank you!

If you are a Sophos Endpoint XDR Customer, you can do this with Live Discovery as well: https://community.sophos.com/intercept-x-endpoint/i/network/port-scan-detection-using-sophos-firewall-data-in-the-data-lake

This will give you a good overview of all "scans" in your network or from WAN.

You can configure your own threshold (when should it be considered to be a scan?"). 

BTW: Looking at such Port Scan features, there are actually useless from my point of view. Look how shodan does it. They actually have a entire network of clients, scanning all the time. They will not be visible on any port scan tool, if not configured "highly aggressive", which leads to False positives.

And in the end, what are you gonna do about it? Its like looking at the street: If some car drives all the time around your house, looking at your house. What are you gonna do? Attacker do not scan from there devices, they use jump hosts, bot nets etc. 

Agreed. WAN port scanning will come from many IP addresses from a distributed attack so it won't appear to be port scanning, and any attack will come from yet another IP address. Internal port scans might be a different matter, since they wouldn't have as many hosts to work with. (And might just be one of your users who has admin access trying out netcat.)

I'm actually fairly proud of my list, above. I think it shows the priorities of the "scan everyone" crowd fairly clearly. Obviously, a particular group of hackers or someone targeting you as an individual may have very different priorities and would try to exploit things that these "script kiddies" don't know about. But it's still interesting to look from an innocuous host tied to a residential-oriented ISP and see what's out there.

Telnet being the favored target, then Steam games, then the main alternative HTTP port. (The latter could be someone setting up their own service or could be what various tools with web-based GUIs default to.) I was surprised to see such a focus on Docker, but that could be because it's very popular and new adopters may not secure it network-wise. Of course, Sophos has a much better list somewhere, but it's fun to make my own.

I also found a port scanning machine while I was looking: 92.63.196.228 (ripe.net?):

; <<>> DiG 9.10.6 <<>> @8.8.8.8 -x 92.63.196.228
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 52746
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;228.196.63.92.in-addr.arpa.	IN	PTR

;; AUTHORITY SECTION:
92.in-addr.arpa.	1776	IN	SOA	pri.authdns.ripe.net. dns.ripe.net. 1634303933 3600 600 864000 3600

;; Query time: 41 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Oct 15 10:48:37 EDT 2021
;; MSG SIZE  rcvd: 115

Has had 20K hits on my XGS in the last week, only one port was hit twice, all the rest were hit just once.