What is the difference between TCP Port Scan and Host Sweep and how can they be tested using nmap (2024)


Created On 06/14/21 18:11 PM - Last Modified 02/07/22 23:54 PM

Question


While running a port scan using nmap, we observe Host Sweep triggering instead of TCP Port Scan. Why is that?
The port scan command we use is: nmap -sS -v 192.168.0.0/24

Environment


  • Linux / Unix / Mac OS or Windows Platform
  • nmap Installed

Answer


The command "nmap -sS -v 192.168.0.0/24" runs nmap with host discovery (probing) enabled. nmap first sends a SYN packet to ports 80 and 443 on every target and reports "Host is up" when it receives either a RST or a SYN-ACK in response.

This triggers a Host Sweep detection, because you are hitting the same destination ports (80 and 443) on many different hosts.
Only after that does nmap scan the well-known ports against the hosts it determined to be up.
The same behavior is observed if you run nmap without root privileges, and that happens even if you disable host discovery.

  1. To make sure the scan runs as intended (with root privileges and host discovery disabled), run:

sudo nmap -Pn -sS -v 192.168.0.0/24

  2. If you want to scan all ports instead of just the well-known ports, the command should be:

sudo nmap -Pn -sS -v -p- 192.168.0.0/24

  3. If you don't want nmap to randomize the order in which it scans ports, the command should be:

sudo nmap -Pn -sS -v -r -p- 192.168.0.0/24

  4. If you also want to prevent reverse DNS resolution:

sudo nmap -Pn -sS -v -r -n -p- 192.168.0.0/24

  5. If you are running the scan from the same subnet the scanner is located in, also use --send-ip to prevent nmap from using ARP for the scan; the command should then be:

sudo nmap -Pn -sS -v -r -n --send-ip -p- 192.168.0.0/24

Additional Information


The TCP Port Scan option tracks scanning of distinct ports against the same destination IP address. It keeps a counter of ports hit per destination IP within a sliding time window (interval), and triggers the alert once the hits cross the configured threshold. nmap's default randomization sends probes for random ports to random destination IPs in the subnet.

This decreases the likelihood of counting enough distinct ports per destination IP within the configured interval, so it is easier to see TCP Port Scan hits if you either remove the randomization from the nmap scan or adjust the interval and threshold values to make the detection more sensitive.

The first suggested step is to remove the randomization so that you can verify that the alerts do trigger on the firewall. You can then begin adjusting the TCP Port Scan sensitivity so that it provides detection while avoiding false positives.

If you also have Host Sweep enabled in an internal zone, be aware that, by definition, a Host Sweep looks very similar to regular internet activity. Host Sweep keeps track of connections going to different IPs on the same destination port (i.e. destination ports 80 or 443 are highly likely to produce false positives).

In a nutshell, Host Sweep and TCP Port Scan are opposites:

  • Host Sweep keeps track of connections (events) to different destination IPs on the same destination port in a sliding time window.
  • TCP Port Scan keeps track of connections (events) to the same destination IP on different destination ports in a sliding time window.

The subnet 192.168.0.0/24 is used as an example in this article. Please use the appropriate subnet in CIDR notation in your nmap commands.
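As an added example (not Palo Alto Networks' code), the following Python models both counters as sliding-window detectors and runs them over constructed flow events for a discovery phase, a randomized scan and a sequential scan of the example subnet. The interval, threshold, scanner address, host and port ranges and packet rates are assumptions chosen for the demonstration, not firewall defaults.

```python
from collections import Counter, defaultdict, deque
import random

SCANNER = "192.168.0.10"                        # constructed scanner address
HOSTS = [f"192.168.0.{i}" for i in range(1, 255)]
PORTS = range(1, 201)                           # stand-in for the well-known ports
INTERVAL, THRESHOLD = 2.0, 100                  # assumed window (seconds) and hit count

def detect(events, key_idx, distinct_idx, interval=INTERVAL, threshold=THRESHOLD):
    """events: time-ordered (ts, src_ip, dst_ip, dst_port) tuples.  For each key
    field, count the distinct values of the other field seen inside a sliding
    window of `interval` seconds; return the keys that reached `threshold`."""
    windows = defaultdict(deque)   # key -> (ts, value) entries still in the window
    seen = defaultdict(Counter)    # key -> value -> occurrences inside the window
    alerted = set()
    for ev in events:
        ts, key, val = ev[0], ev[key_idx], ev[distinct_idx]
        windows[key].append((ts, val))
        seen[key][val] += 1
        while ts - windows[key][0][0] > interval:   # expire entries older than the window
            _, old = windows[key].popleft()
            seen[key][old] -= 1
            if seen[key][old] == 0:
                del seen[key][old]
        if len(seen[key]) >= threshold:
            alerted.add(key)
    return alerted

def tcp_port_scan(events):   # same destination IP, many distinct destination ports
    return detect(events, key_idx=2, distinct_idx=3)
def host_sweep(events):      # same destination port, many distinct destination IPs
    return detect(events, key_idx=3, distinct_idx=2)

def discovery_events(rate=0.005):
    """Host discovery as the article describes it: SYN to 80 and 443 on every host."""
    pairs = [(h, p) for h in HOSTS for p in (80, 443)]
    return [(i * rate, SCANNER, h, p) for i, (h, p) in enumerate(pairs)]

def scan_events(randomize, start=100.0, rate=0.001):
    """Port scan of every host.  randomize=True spreads hits across hosts and ports
    like nmap's default order; randomize=False walks host by host, port by port."""
    pairs = [(h, p) for h in HOSTS for p in PORTS]
    if randomize:
        random.Random(1).shuffle(pairs)          # fixed seed keeps the demo repeatable
    return [(start + i * rate, SCANNER, h, p) for i, (h, p) in enumerate(pairs)]

if __name__ == "__main__":
    print("discovery phase -> Host Sweep on ports", sorted(host_sweep(discovery_events())))
    print("randomized scan -> TCP Port Scan hosts:", len(tcp_port_scan(scan_events(True))))
    print("sequential scan -> TCP Port Scan hosts:", len(tcp_port_scan(scan_events(False))))
```

The discovery phase alone alerts Host Sweep on ports 80 and 443, the randomized scan spreads its hits too thinly for TCP Port Scan at this threshold, and the sequential scan alerts TCP Port Scan on every host.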

Note: This article is written for informational purposes only. Palo Alto Networks does not support any third-party operating systems.
