The first steps of a hacker are to discover the network. First, it will execute a portscan. This sensor can detect TCP portscans even if these ports are closed on your Honeypot.
A TCP connection exists of a handshake:
Client sends an SYN packet to Server
Server replies with an SYN + ACK packet
Client replies with an ACK packet
Session is established
After the session has been established, the application layer can send data. Your other Honeypot sensors can detect the connection after the session has been established.
Hackers will sometimes only execute the first step of a TCP handshake to prevent getting detected. However, this portscan sensor can detect the first step of a TCP handshake and thus the hacker.
Configuration
Detection method
The detection method determines when you'll receive detections. The Detect All TCP scans (including closed ports) option is selected by default. This detection method will notify you of all port scans, even if you don't have a sensor running on the scanned port.
Detect only configured TCP ports will give you the option to manually configure ports you would like to receive detections of when they get scanned.
Maximum session duration
The sensor groups port scans from a single source MAC address if they are executed within the configured amount of seconds after the latest port scan activity. This feature prevents you from getting spammed.
Exclude ports
The Portscan sensor is relatively sensitive. While the connections detected by the sensor are real traffic sent to your Honeypot, there may be background noise you want to ignore.
An example of background noise may be the Windows Update Delivery Optimization (WUDO) on port 7680 in local networks. Computers may contact each other to optimize the delivery of Windows Updates, which may trigger a portscan detection
It's already possible to whitelist a host, but you may want to ignore specific ports for the portscan sensor. Therefore, it's possible to add ports to the exclusion list. These ports won't generate a detection by the portscan sensor but will still generate a detection when another sensor detects increased activity.
Detection received
You've received a detection from your Portscan sensor. Do you expect the source IP to scan your network for open ports? Is it just a monitoring tool or a strange-behaving Domain Controller?
Access the source IP and check the connection logs to see which process opened the connections and executed a port scan. You can use tools like TCPView and Wireshark.