Imperva Cyber Community

Expand all | Collapse all

nmap and port scanning

Jump to Best Answer
  • 1.  nmap and port scanning

    Posted 20 days ago
    Hi,
    I'd like to know if is possible to block a port scanning with the WAF, if someone try to do an nmap on a closed port i'd like to see an alert on that.

    Regards
    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Zuliani
    ------------------------------


  • 2.  RE: nmap and port scanning

    Imperva Employee
    Posted 12 days ago
    Hi @Francesco Zuliani,

    We don't have a policy blocking nmap out of the box,
    but you can create a custom policy to achieve the same result.
    Make sure you test it before moving to blocking to avoid false positives.
    Best,​

    ------------------------------
    Ira Miga
    Imperva
    Knowledge Engineer
    ------------------------------



  • 3.  RE: nmap and port scanning

    Posted 12 days ago
    Hi Ira,
    Thanks for your reply.
    my problem is that when I tried to create a policy, even a simple one, just based on source IP, if i tried a syn scan doesn't pop up any alert, otherwise, if I run some nmap scripts, making actual http request i see the alert.

    Regards,

    ------------------------------
    Zuliani
    ------------------------------



  • 4.  RE: nmap and port scanning
    Best Answer

    Posted 11 days ago
    Hi,

    Speaking from my own point of view, we expect a Web Application Firewall to protect against web service/application attacks. And it does its job, by letting you see the alert if you run scripts to emulate attacks by making actual HTTP request.

    My idea is, if you are looking for a tool which, in general, generates alert "if someone try to do an nmap on a closed port", it does not sounds like you are looking for a "WAF".


    Moreover, talking about Imperva On-premise WAF in bridge mode, for the protection to take effect you need to specify in advance the target server IPs and HTTP/S ports of which you would like to be protected by WAF gateway. That makes WAF focus on what it is designed to protect, that is, the ports you are providing web service to clients.

    While in KRP mode, if you have all your incoming traffic routed to WAF (e.g. by a firewall NAT rule to map a public IP to the WAF VIP), WAF will drop all incoming traffic at ports which you have not configured in the Sites tree. Those blind scans won't pass through WAF, but I believe there is no alert can be configured for the blind port scans too.

    Thanks.

    ------------------------------
    Louis Tsoi
    Technical Specialist
    Cyberforce Limited
    Kowloon
    ------------------------------



  • 5.  RE: nmap and port scanning

    Posted 10 days ago

    Hi Louis,
    Thanks for your reply ^^

    I completely agree with u, is surely not its job to do it...but, would be nice to have that feature ;)

    Thanks again



    ------------------------------
    Zuliani
    ------------------------------