Rule: -- Sid: 1638 -- Summary: This event is generated when a scan is detected. -- Impact: Information gathering. -- Detailed Information: This event indicates that an attempt has been made to scan a host. This may be the prelude to an attack. Scanners are used to ascertain which ports a host may be listening on, whether or not the ports are filtered by a firewall and if the host is vulnerable to a particular exploit. -- Affected Systems: Any host. -- Attack Scenarios: An attacker can determine if a vulnerable version of ssh is being used on a host, then proceed to exploit that vulnerablity. -- Ease of Attack: Simple. -- False Positives: A scanner may be used in a security audit. -- False Negatives: None Known. -- Corrective Action: Determine whether or not the scan was legitimate then look for other events concerning the attacking IP address. Check the host for signs of compromise. -- Contributors: Sourcefire Research Team Brian Caswell <bmc@sourcefire.com> Nigel Houghton <nigel.houghton@sourcefire.com> -- Additional References: --