SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Difference between tcp port-scan and tcp-sweep

    Posted 09-29-2012 03:57

    Hi All

     

    Can anyone explain the difference between these two?

     

    lab@srxB-2# set security screen ids-option scr tcp port-scan ?
    threshold Threshold (1000..1000000 time in us per 10 attack packets)

     

    lab@srxB-2# set security screen ids-option scr tcp tcp-sweep ?
    threshold Threshold which specifies the minimum time per TCP packets (time in microseconds per 10 TCP packets)

    I guess port scan is for the same source and destination, but different ports, and sweep should be for different destination IPs? I've seen KB23261 but it is not explanatory. The doc is silent about tcp-sweep (as well as udp-sweep).

     

     

     



  • 2.  RE: Difference between tcp port-scan and tcp-sweep
    Best Answer

    Posted 10-02-2012 08:52

    Hi Peter,

     

    What you said is how I have always seen it:

     

    "If a remote host sends TCP packets to 10 addresses in 0.005 seconds (5000 microseconds), then the device flags this as a TCP sweep attack."

     

    "If a remote host scans 10 ports in 0.005 seconds (equivalent to 5000 microseconds, the default threshold setting), the device flags this behavior as a port scan attack"

     

     

    http://www.juniper.ie/techpubs/en_US/junos11.2/information-products/topic-collections/security/software-all/cli-reference/index.html?topic-56723.html
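
The distinction quoted in the answer above, as an added example that is not part of the original thread and is not Junos code: a simplified sliding-window model in which a port scan is one source reaching 10 distinct ports on one destination, and a sweep is one source reaching 10 distinct destination addresses, within the threshold. The function name, tuple layout and sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

COUNT = 10  # both screens are expressed "per 10 packets" in the CLI help

def classify(packets, threshold_us=5000):
    """Return {(kind, src)} for (ts_us, src, dst, dport) tuples.

    Simplified model, not the Junos implementation:
      port-scan: one src hits COUNT distinct ports on ONE dst within threshold_us
      tcp-sweep: one src hits COUNT distinct dst addresses within threshold_us
    """
    scan_win = defaultdict(deque)   # (src, dst) -> deque of (ts, dport)
    sweep_win = defaultdict(deque)  # src        -> deque of (ts, dst)
    alerts = set()
    for ts, src, dst, dport in sorted(packets):
        for kind, win, item in (("port-scan", scan_win[(src, dst)], dport),
                                ("tcp-sweep", sweep_win[src], dst)):
            win.append((ts, item))
            # Drop entries that have fallen out of the sliding window.
            while ts - win[0][0] > threshold_us:
                win.popleft()
            if len({value for _, value in win}) >= COUNT:
                alerts.add((kind, src))
    return alerts

# Constructed sample traffic (documentation address ranges), time in microseconds.
SCAN = [(i * 400, "198.51.100.7", "192.0.2.10", 20 + i) for i in range(10)]
SWEEP = [(i * 400, "198.51.100.8", f"192.0.2.{i + 1}", 443) for i in range(10)]
SLOW = [(i * 1000, "198.51.100.9", "192.0.2.10", 20 + i) for i in range(10)]

def demo():
    return classify(SCAN + SWEEP + SLOW)

if __name__ == "__main__":
    for kind, src in sorted(demo()):
        print(f"{src}: {kind}")
```

In this model a larger threshold widens the window, so the slower source in `SLOW` is only flagged once `threshold_us` is raised.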