
Port scan Detection XG18

Hello, 

While looking for a way to enable port scan detection on my XG18, all I can find is articles from years ago on how to configure it on the UTM. Are there any recent articles detailing how to be notified of this sort of scanning? You would think it wouldn't be this difficult to set up alerts for this sort of red flag! 

  • Per the instructions in the other thread. I went into the Firewall logs (on Sophos Central, because the XGS87 has no on-appliance reporting) and made a report that notes Appliance Access denials. By changing the default report to not show IP addresses, I got aggregates, above. (I looked up the port numbers in Wikipedia to come up with the Service; the report doesn't include that.)

  • If you are a Sophos Endpoint XDR Customer, you can do this with Live Discovery as well: https://community.sophos.com/intercept-x-endpoint/i/network/port-scan-detection-using-sophos-firewall-data-in-the-data-lake

    This will give you a good overview of all "scans" in your network or from WAN.

    You can configure your own threshold (when should it be considered to be a scan?). 

    BTW: Looking at such port scan features, they are actually useless from my point of view. Look how Shodan does it. They actually have an entire network of clients, scanning all the time. They will not be visible on any port scan tool, if not configured "highly aggressive", which leads to false positives.

    And in the end, what are you gonna do about it? It's like looking at the street: if some car drives around your house all the time, looking at your house, what are you gonna do? Attackers do not scan from their devices, they use jump hosts, botnets etc. 


  • Agreed. WAN port scanning will come from many IP addresses from a distributed attack so it won't appear to be port scanning, and any attack will come from yet another IP address. Internal port scans might be a different matter, since they wouldn't have as many hosts to work with. (And might just be one of your users who has admin access trying out netcat.)

    I'm actually fairly proud of my list, above. I think it shows the priorities of the "scan everyone" crowd fairly clearly. Obviously, a particular group of hackers or someone targeting you as an individual may have very different priorities and would try to exploit things that these "script kiddies" don't know about. But it's still interesting to look from an innocuous host tied to a residential-oriented ISP and see what's out there.

    Telnet being the favored target, then Steam games, then the main alternative HTTP port. (The latter could be someone setting up their own service or could be what various tools with web-based GUIs default to.) I was surprised to see such a focus on Docker, but that could be because it's very popular and new adopters may not secure it network-wise. Of course, Sophos has a much better list somewhere, but it's fun to make my own.

  • I also found a port scanning machine while I was looking: 92.63.196.228 (ripe.net?):

    ; <<>> DiG 9.10.6 <<>> @8.8.8.8 -x 92.63.196.228
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 52746
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;228.196.63.92.in-addr.arpa.	IN	PTR
    
    ;; AUTHORITY SECTION:
    92.in-addr.arpa.	1776	IN	SOA	pri.authdns.ripe.net. dns.ripe.net. 1634303933 3600 600 864000 3600
    
    ;; Query time: 41 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Fri Oct 15 10:48:37 EDT 2021
    ;; MSG SIZE  rcvd: 115
    

    Has had 20K hits on my XGS in the last week, only one port was hit twice, all the rest were hit just once.
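The two things the thread describes, an aggregate of denied hits per port like the Central report and a tunable "how many distinct ports before we call it a scan" threshold like Live Discovery, can be reproduced offline over an exported firewall log. The following is an added example, not Sophos code or anything from the posters; the key=value field names and the sample lines are assumptions constructed here, so check them against your own export.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample, loosely modelled on key=value syslog lines for denied
# traffic. The field names are an assumption: verify the keys in your own
# export before pointing this at real data.
SAMPLE_LOGS = (
    [f'timestamp="2021-10-15 10:40:{i:02d}" log_subtype="Denied" src_ip="192.0.2.10" dst_port="{p}"'
     for i, p in enumerate([21, 22, 23, 80, 443, 2375, 3389, 5900, 8080, 27015])]
    + [f'timestamp="2021-10-15 10:41:{i:02d}" log_subtype="Denied" src_ip="198.51.100.7" dst_port="443"'
       for i in range(5)]
    + ['timestamp="2021-10-15 10:42:00" log_subtype="Allowed" src_ip="192.0.2.10" dst_port="25"']
)

KV = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Turn one key=value log line into a dict (values stay strings)."""
    return dict(KV.findall(line))

def denied_events(lines):
    """Yield (timestamp, src_ip, dst_port) for denied events only."""
    for rec in map(parse_line, lines):
        if rec.get("log_subtype") == "Denied":
            yield (datetime.strptime(rec["timestamp"], "%Y-%m-%d %H:%M:%S"),
                   rec["src_ip"], int(rec["dst_port"]))

def port_hit_counts(lines):
    """Denials aggregated per destination port, the view the Central report gave."""
    return Counter(port for _, _, port in denied_events(lines))

def find_scanners(lines, min_ports=8, window=timedelta(minutes=5)):
    """Flag sources that touch >= min_ports distinct ports inside a sliding window.
    min_ports is the tunable threshold: set it too low and ordinary noise becomes a 'scan'."""
    by_src = defaultdict(list)
    for ts, src, port in denied_events(lines):
        by_src[src].append((ts, port))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        seen, lo = Counter(), 0
        for ts, port in events:
            seen[port] += 1
            while ts - events[lo][0] > window:      # expire events older than the window
                seen[events[lo][1]] -= 1
                if seen[events[lo][1]] == 0:
                    del seen[events[lo][1]]
                lo += 1
            if len(seen) >= min_ports:
                scanners[src] = sorted(seen)
    return scanners
```

With the sample data the one source that touches ten ports in ten seconds is flagged, while the source that hits 443 five times is not; the poster's "one port hit twice, the rest once" pattern is exactly what a high distinct-port count in a short window captures.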