Commercial vulnerability scanner

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detects when a commercial vulnerability scanner is performing a scan against your services.

Strategy

The detection rule leverages fingerprints from known security companies to identify activity as a commercial scanner.

The signal is set to LOW severity as the occurrence of spoofing commercial vulnerability scanners is rare, but possible. Detection results from authorized vulnerability scans are typically shared with the customer directly from the vendor or vulnerability management team.

Triage and response

Validate that the commercial vulnerability scanner is authorized to scan your systems and the scans are originating from an expected source IP address. Many commercial scans originate from a source IP address published by the vendor.

If the scan is not authorized:

  1. Block the attacking IP(s) temporarily to limit vulnerability discovery and service load.
  2. If the scans are originating from a vendor published source IP address, reach out to the vendor to determine the cause of the scan.
PREVIEWING: esther/docs-9478-fix-split-after-example