Regular, predictable communication between hosts

Rapid, repetitive connection attempts to multiple ports

Low to moderate

Very high within a short time

Access to specific service ports (80, 22, 443)

Sequential or random scanning of many ports

Normal TCP handshake (SYN → SYN-ACK → ACK)

Excessive SYN packets without completing handshake

Spread over time

Burst traffic in milliseconds

Communicates with limited destination ports

Same source IP targets many ports

❌ No alert generated

✅ Alert triggered

None

“TCP SYN Scan Detected”, “Possible Port Scan”

N/A

Priority: 0 (Suspicious / Malicious)

Browser, SSH client

Nmap, Masscan

Legitimate usage

Reconnaissance phase of an attack

TCP SYN Scan

Possible Port Scan