Port scan detection software generally must set two thresholds in order to catch a port scan: the number of ports probed and the time interval. An attacker can attempt to slip beneath these thresholds by either reducing the number of scanned ports or slowing down the scan. The ENABLE_PERSISTENCE variable instructs psad not to use the SCAN_TIMEOUT variable as a factor in scan detection. This is useful to thwart attempts by a scanner to slip beneath the timeout threshold by slowly scanning a target system over days or weeks. As soon as a scan involves at least the number of packets defined by the DANGER_LEVEL1 variable (regardless of how long the scan takes to send this number of packets), an alert is sent by psad.
Was this article helpful?