
Port Scan Detection Enterprise

The port scan plugin detects when a remote host performs a port scan on the Trapster, a pattern typical of network reconnaissance and automated scanners.

Unlike a single connection to one emulated service, port scanning is an early-stage signal: someone is mapping what the host exposes before attempting logins or lateral movement.

Configuration

  1. Open Trapsters and select a device
  2. Go to the Settings tab
  3. Enable Port scan detection under Plugins

VM deployments only

Port scan detection requires a VM deployment (Proxmox, VMware, Hyper-V, KVM). It is not available on Docker or Kubernetes. See Trapsters: deployment constraints.

What gets captured

| Signal | Meaning |
| --- | --- |
| Port scan detected | One source IP touched multiple ports on this Trapster within the detection window |

Incidents appear on the Incidents page with a description such as "Port scan detected". Severity is typically High.

The Threat Graph can show port scan activity as part of a multi-step attack path against the same Trapster.

Reduce false positives

Legitimate tools (Nessus, Qualys, internal asset discovery) may trigger port scan incidents.

Add scanner IPs to Whitelist IPs on the Trapster Settings tab. Whitelisted sources do not generate incidents.

Place Trapsters in segments where broad scanning is expected only if you first whitelist those scanners or accept higher noise on that node.
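
The signal and whitelist behaviour described above, as an added sketch of the general technique (distinct ports per source IP inside a sliding window). This is not Trapster's code: the window length, port threshold, CIDR handling, function name and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Assumed values; the page does not state the real detection window or threshold.
WINDOW_SECONDS = 10
MIN_DISTINCT_PORTS = 5

def detect_port_scans(events, whitelist=(), window=WINDOW_SECONDS, min_ports=MIN_DISTINCT_PORTS):
    """events: time-sorted (timestamp_seconds, src_ip, dst_port) tuples.
    Returns [(timestamp, src_ip, sorted_ports)], one entry per detected scan."""
    # Accepting CIDR ranges as well as single IPs is an assumption of this sketch.
    allowed = [ip_network(entry, strict=False) for entry in whitelist]
    recent = defaultdict(deque)  # src_ip -> (timestamp, port) pairs still inside the window
    alerted = set()              # sources already reported while above the threshold
    incidents = []
    for ts, src, port in events:
        addr = ip_address(src)
        if any(addr in net for net in allowed):
            continue             # whitelisted scanner: never generates an incident
        q = recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window:
            q.popleft()          # drop connections that fell out of the window
        ports = {p for _, p in q}
        if len(ports) < min_ports:
            alerted.discard(src) # re-arm once the source drops below the threshold
        elif src not in alerted:
            alerted.add(src)
            incidents.append((ts, src, sorted(ports)))
    return incidents

# Constructed sample connection events: (timestamp, source IP, destination port).
SAMPLE_EVENTS = [
    (0.0, "10.0.5.20", 22), (0.4, "10.0.5.20", 80), (0.9, "10.0.5.20", 443),
    (1.0, "10.0.9.9", 22),                              # one connection to one service
    (1.3, "10.0.5.20", 445), (1.8, "10.0.5.20", 3389),  # fifth distinct port in 1.8 s
    (2.0, "10.0.1.50", 21), (2.1, "10.0.1.50", 22), (2.2, "10.0.1.50", 23),
    (2.3, "10.0.1.50", 25), (2.4, "10.0.1.50", 80),     # internal scanner to whitelist
    (30.0, "10.0.7.7", 22), (45.0, "10.0.7.7", 80), (60.0, "10.0.7.7", 443),
    (75.0, "10.0.7.7", 445), (90.0, "10.0.7.7", 3389),  # five ports, spread beyond the window
]

if __name__ == "__main__":
    for ts, src, ports in detect_port_scans(SAMPLE_EVENTS, whitelist=["10.0.1.50"]):
        print(f"t={ts:.1f}s Port scan detected from {src}: ports {ports}")
```

Running it without the whitelist argument also reports 10.0.1.50, which is the false positive the whitelist setting is meant to suppress.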