Hi all,
I’m running into something that I find quite surprising, and I’d like to understand if I’m missing something or if this is expected behavior.
How is it possible that a NIDS does not reliably alert on basic network scanning activity?
In my environment, if an unknown host launches something like:
- Nmap (various scan types)
- Nessus discovery scans
- General port scanning / service enumeration
…the NIDS does not consistently generate alerts that clearly identify this as scanning activity.
Given that reconnaissance is one of the earliest phases of an attack, I would expect this to be a fundamental detection capability. However:
- I don’t see clear signatures for generic port scanning
- I don’t see consistent alerts for horizontal or vertical scans
- Some related detections (e.g., DNS recon) exist, but not basic TCP/port scan visibility
This raises a simple (but important) question:
Isn’t detecting network scanning one of the most basic and essential use cases of a NIDS?
So I’d like to ask:
- Are there built-in TIDE or IDS rules specifically designed to detect generic scanning (Nmap/Nessus-style)?
- If so, how are they supposed to be triggered or identified?
- If not, what is the recommended way to cover this detection gap?
- Is this expected to be handled by another component (InsightIDR, UEBA, etc.) instead of the NIDS?
Right now, it feels like a gap in early-stage attack detection, which is where visibility is arguably most valuable.
Any insights would be appreciated.
Thanks.
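For readers wondering what "horizontal" and "vertical" scan detection actually involves, here is an added illustration (not from the post, and not InsightIDR's or any vendor's rule logic): a threshold-based detector run over constructed Zeek-style conn.log records. It shows why scanning is a statistical, windowed detection rather than a single packet signature, and why the thresholds and the choice of which connection states to count drive both hits and misses. Field layout, thresholds and sample hosts are assumptions for the demo.

```python
from collections import defaultdict

# Constructed Zeek-style conn.log records (ts, orig_h, resp_h, resp_p, conn_state),
# tab-separated like a real conn.log but generated here for the demo.
def _rec(ts, src, dst, port, state):
    return f"{ts:.2f}\t{src}\t{dst}\t{port}\t{state}"

SAMPLE_CONN_LOG = "\n".join(
    [_rec(1700000000 + i, "10.0.0.5", f"10.0.1.{10 + i}", 445, "S0") for i in range(6)]  # horizontal sweep
    + [_rec(1700000100 + i, "10.0.0.7", "10.0.1.20", 20 + i, "REJ") for i in range(12)]  # vertical sweep
    + [_rec(1700000200, "10.0.0.9", "10.0.1.30", 80, "SF"),    # completed handshake: ignored
       _rec(1700000201, "10.0.0.9", "10.0.1.31", 443, "S0")]   # one failure: below threshold
)

HORIZONTAL_HOSTS = 5    # distinct targets on one port from one source
VERTICAL_PORTS = 10     # distinct ports on one target from one source
WINDOW_SECONDS = 60.0   # counts only accumulate inside one fixed time window
FAILED_STATES = {"S0", "REJ", "RSTO"}  # Zeek conn_state values with no completed handshake

def parse_conn_log(text):
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, state = line.split("\t")
        records.append((float(ts), src, dst, int(port), state))
    return records

def detect_scans(records, window=WINDOW_SECONDS,
                 horiz=HORIZONTAL_HOSTS, vert=VERTICAL_PORTS):
    """Return sorted alerts of the form (kind, src, key, count)."""
    # Bucket failed connection attempts per source into fixed time windows.
    buckets = defaultdict(list)
    for ts, src, dst, port, state in records:
        if state in FAILED_STATES:
            buckets[(src, int(ts // window))].append((dst, port))
    alerts = set()
    for (src, _), events in buckets.items():
        hosts_per_port, ports_per_host = defaultdict(set), defaultdict(set)
        for dst, port in events:
            hosts_per_port[port].add(dst)   # many hosts, one port  -> horizontal
            ports_per_host[dst].add(port)   # one host, many ports  -> vertical
        for port, hosts in hosts_per_port.items():
            if len(hosts) >= horiz:
                alerts.add(("horizontal", src, port, len(hosts)))
        for dst, ports in ports_per_host.items():
            if len(ports) >= vert:
                alerts.add(("vertical", src, dst, len(ports)))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect_scans(parse_conn_log(SAMPLE_CONN_LOG)):
        print(alert)
```

Fixed windows are the simplest form; a burst straddling a window boundary, a slow scan spread over hours, or a scan that completes handshakes (connect scans on open ports) all slip under these thresholds, which is the tuning problem behind the inconsistency described in the post.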