Port Scanning Detection in Logs


What This Means

Detect port scanning activity in firewall and network logs. Identify reconnaissance attempts, service enumeration, and pre-attack probing targeting your infrastructure.

Example Log

-- Firewall log showing SYN scan pattern:
Mar  8 14:22:01 fw01 kernel: DROP IN=eth0 SRC=198.51.100.88 DST=10.0.1.50 PROTO=TCP SPT=45231 DPT=22 SYN
Mar  8 14:22:01 fw01 kernel: DROP IN=eth0 SRC=198.51.100.88 DST=10.0.1.50 PROTO=TCP SPT=45232 DPT=23 SYN
Mar  8 14:22:01 fw01 kernel: DROP IN=eth0 SRC=198.51.100.88 DST=10.0.1.50 PROTO=TCP SPT=45233 DPT=25 SYN
Mar  8 14:22:02 fw01 kernel: DROP IN=eth0 SRC=198.51.100.88 DST=10.0.1.50 PROTO=TCP SPT=45234 DPT=80 SYN
Mar  8 14:22:02 fw01 kernel: DROP IN=eth0 SRC=198.51.100.88 DST=10.0.1.50 PROTO=TCP SPT=45235 DPT=443 SYN
Mar  8 14:22:02 fw01 kernel: DROP IN=eth0 SRC=198.51.100.88 DST=10.0.1.50 PROTO=TCP SPT=45236 DPT=3389 SYN

Indicators of Suspicious Activity

How to Investigate

  1. Aggregate firewall deny logs by source IP and count unique destination ports
  2. Classify the scan type: vertical (many ports, one host), horizontal (one port, many hosts), or block (many ports, many hosts)
  3. Check the scan timing — rapid probes (many ports or hosts per second) suggest an automated scanner such as nmap at its default speed, while slow, widely spaced probes suggest a deliberate attempt to stay below rate-based detection thresholds
  4. Correlate the scanning IP with subsequent exploit attempts or brute force activity
  5. Verify the source IP against threat intelligence databases
  6. Check if any scanned ports were actually open (connection accepted logs)
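The following script, added here as an illustration and not part of the original page, carries steps 1, 2, 3 and 6 through in code against the iptables-style log format shown above. It parses each line, aggregates DROP events per source IP, counts unique destination ports and hosts, classifies the geometry as vertical, horizontal or block, estimates the probe rate, and records any ACCEPT lines from the same source so you can see which probed ports were actually open. The sample log is constructed: it reuses the six lines from the page and adds a made-up horizontal scan from 203.0.113.7, one ACCEPT line, and a single benign drop; the threshold of five targets and the one-probe-per-second "fast" cutoff are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input (not a real capture): the six SYN-scan lines from the page,
# plus a constructed horizontal scan, one ACCEPT for a probed port, and a single benign drop.
SAMPLE_LOG = """\
Mar  8 14:22:01 fw01 kernel: DROP IN=eth0 SRC=198.51.100.88 DST=10.0.1.50 PROTO=TCP SPT=45231 DPT=22 SYN
Mar  8 14:22:01 fw01 kernel: DROP IN=eth0 SRC=198.51.100.88 DST=10.0.1.50 PROTO=TCP SPT=45232 DPT=23 SYN
Mar  8 14:22:01 fw01 kernel: DROP IN=eth0 SRC=198.51.100.88 DST=10.0.1.50 PROTO=TCP SPT=45233 DPT=25 SYN
Mar  8 14:22:02 fw01 kernel: DROP IN=eth0 SRC=198.51.100.88 DST=10.0.1.50 PROTO=TCP SPT=45234 DPT=80 SYN
Mar  8 14:22:02 fw01 kernel: DROP IN=eth0 SRC=198.51.100.88 DST=10.0.1.50 PROTO=TCP SPT=45235 DPT=443 SYN
Mar  8 14:22:02 fw01 kernel: DROP IN=eth0 SRC=198.51.100.88 DST=10.0.1.50 PROTO=TCP SPT=45236 DPT=3389 SYN
Mar  8 14:22:03 fw01 kernel: ACCEPT IN=eth0 SRC=198.51.100.88 DST=10.0.1.51 PROTO=TCP SPT=45237 DPT=80 SYN
Mar  8 14:25:10 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.1.10 PROTO=TCP SPT=51000 DPT=445 SYN
Mar  8 14:25:10 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.1.11 PROTO=TCP SPT=51001 DPT=445 SYN
Mar  8 14:25:11 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.1.12 PROTO=TCP SPT=51002 DPT=445 SYN
Mar  8 14:25:11 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.1.13 PROTO=TCP SPT=51003 DPT=445 SYN
Mar  8 14:25:12 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.1.14 PROTO=TCP SPT=51004 DPT=445 SYN
Mar  8 14:30:00 fw01 kernel: DROP IN=eth0 SRC=192.0.2.9 DST=10.0.1.50 PROTO=TCP SPT=60000 DPT=443 SYN
"""

# Syslog prefix, then the firewall verdict (DROP/ACCEPT), then KEY=VALUE fields and bare TCP flags.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<action>[A-Z]+) (?P<rest>.*)$"
)


def parse_line(line):
    """Parse one iptables-style log line into a dict, or return None if it does not match."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").split()
    fields = dict(tok.split("=", 1) for tok in rest if "=" in tok)
    flags = {tok for tok in rest if "=" not in tok}
    # strptime tolerates the space-padded day ("Mar  8"); the year defaults to 1900,
    # which is fine because only differences between timestamps are used below.
    return {
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "action": m.group("action"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        "flags": flags,
    }


def classify(unique_ports, unique_hosts, min_targets):
    """Scan geometry (step 2): vertical, horizontal, block, or None if below threshold."""
    many_ports = unique_ports >= min_targets
    many_hosts = unique_hosts >= min_targets
    if many_ports and many_hosts:
        return "block"
    if many_ports:
        return "vertical"
    if many_hosts:
        return "horizontal"
    return None


def detect_scans(log_text, min_targets=5, fast_rate=1.0):
    """Aggregate DROP lines per source IP (step 1) and report sources that look like scanners."""
    per_src = defaultdict(lambda: {"ports": set(), "hosts": set(), "times": [], "accepted": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dpt"] is None:
            continue
        bucket = per_src[rec["src"]]
        if rec["action"] == "DROP":
            bucket["ports"].add(rec["dpt"])
            bucket["hosts"].add(rec["dst"])
            bucket["times"].append(rec["ts"])
        elif rec["action"] == "ACCEPT":
            # Step 6: an accepted connection from a scanning source means a service was reachable.
            bucket["accepted"].add((rec["dst"], rec["dpt"]))

    findings = {}
    for src, b in per_src.items():
        scan_type = classify(len(b["ports"]), len(b["hosts"]), min_targets)
        if scan_type is None:
            continue
        # Step 3: probes per second over the observed window (assumed cutoff: 1 probe/s = "fast").
        duration = (max(b["times"]) - min(b["times"])).total_seconds()
        rate = len(b["times"]) / max(duration, 1.0)
        findings[src] = {
            "scan_type": scan_type,
            "unique_ports": len(b["ports"]),
            "unique_hosts": len(b["hosts"]),
            "probes": len(b["times"]),
            "duration_s": duration,
            "timing": "fast" if rate >= fast_rate else "slow",
            "accepted": sorted(b["accepted"]),
        }
    return findings


if __name__ == "__main__":
    for src, finding in detect_scans(SAMPLE_LOG).items():
        print(src, finding)
```

On the constructed input, 198.51.100.88 is reported as a fast vertical scan of six ports with one accepted connection to 10.0.1.51:80, 203.0.113.7 as a fast horizontal scan of port 445 across five hosts, and the single drop from 192.0.2.9 stays below the threshold and is not reported. In production, run the aggregation over a sliding time window rather than the whole file, since a slow scanner spreads its probes over hours precisely so that per-minute counts stay small.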

Recommended Mitigations

Frequently Asked Questions

Is port scanning illegal?
Laws vary by jurisdiction. Unauthorized port scanning of systems you do not own is illegal in many countries under computer misuse laws. Even where legal gray areas exist, port scanning is a strong indicator of malicious intent when combined with other activity.
How do I detect stealthy port scans?
Stealth scans use techniques like SYN scanning (half-open), FIN scanning, and slow timing. Detect them by monitoring for connection attempts to multiple closed ports, incomplete TCP handshakes, and unusual TCP flag combinations.
What should I do when I detect a port scan?
Block the source IP, check if any services were discovered (open ports in your logs), investigate for follow-up attacks from the same IP, and report to the IP abuse contact.