The first steps of a hacker are to discover the network. First, it will execute a portscan. This sensor can detect TCP portscans even if these ports are closed on your Honeypot.

A TCP connection exists of a handshake:

After the session has been established, the application layer can send data. Your other Honeypot sensors can detect the connection after the session has been established.

Hackers will sometimes only execute the first step of a TCP handshake to prevent getting detected. However, this portscan sensor can detect the first step of a TCP handshake and thus the hacker.

The detection method determines when you'll receive detections. The Detect All TCP scans (including closed ports) option is selected by default. This detection method will notify you of all port scans, even if you don't have a sensor running on the scanned port.

Detect only configured TCP ports will give you the option to manually configure ports you would like to receive detections of when they get scanned.

The sensor groups port scans from a single source MAC address if they are executed within the configured amount of seconds after the latest port scan activity. This feature prevents you from getting spammed.

The Portscan sensor is relatively sensitive. While the connections detected by the sensor are real traffic sent to your Honeypot, there may be background noise you want to ignore.

An example of background noise may be the Windows Update Delivery Optimization (WUDO) on port 7680 in local networks. Computers may contact each other to optimize the delivery of Windows Updates, which may trigger a portscan detection

It's already possible to whitelist a host, but you may want to ignore specific ports for the portscan sensor. Therefore, it's possible to add ports to the exclusion list. These ports won't generate a detection by the portscan sensor but will still generate a detection when another sensor detects increased activity.

You've received a detection from your Portscan sensor. Do you expect the source IP to scan your network for open ports? Is it just a monitoring tool or a strange-behaving Domain Controller?

Access the source IP and check the connection logs to see which process opened the connections and executed a port scan. You can use tools like TCPView and Wireshark.