# rstscan

**Explanation**

rstscan is a detection model that identifies RST scanning activity on the network. RST scanning is a technique used by attackers to probe for open ports on a target system. This activity involves sending a TCP RST (reset) packet to a range of IP addresses and ports to determine which are closed or filtered.

**What to Look For**

To examine the results of the rstscan event, look for unusually high numbers of TCP RST packets being sent from a single IP address to a range of IP addresses and ports. This may indicate that an attacker is attempting to identify vulnerable systems on your network. Check your firewall logs for any unusual patterns of RST packets.
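The check described above can be run over exported firewall logs. The following is an added example, not the rstscan model itself and not code from this documentation; it counts, per source IP, how many distinct destination IP/port pairs received a TCP RST inside a sliding time window. The log line format, the 60-second window, the threshold of 10 targets and all addresses are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (hypothetical; adapt the pattern to your firewall's export).
LINE_RE = re.compile(r"(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+) PROTO=TCP FLAGS=(\S+)")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def detect_rst_scans(lines, window=timedelta(seconds=60), min_targets=10):
    """Map each flagged source to its peak count of distinct (dst, port) RST targets per window."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or "RST" not in m[5].split(","):
            continue  # skip unparsable lines and packets without the RST flag
        ts, src, dst, dpt, _ = m.groups()
        events[src].append((datetime.strptime(ts, TS_FMT), (dst, int(dpt))))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        recent, counts, peak = deque(), Counter(), 0
        for ts, target in evs:
            recent.append((ts, target))
            counts[target] += 1
            while ts - recent[0][0] > window:  # expire events older than the window
                _, old = recent.popleft()
                counts[old] -= 1
                if not counts[old]:
                    del counts[old]
            peak = max(peak, len(counts))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged

def sample_lines():
    """Constructed log lines (not real traffic) covering three source behaviours."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    def fmt(off, src, dst, dpt, flags):
        return f"{base + off:{TS_FMT}} SRC={src} DST={dst} DPT={dpt} PROTO=TCP FLAGS={flags}"
    targets = [(f"10.0.1.{n}", p) for n in (10, 11, 12) for p in (22, 80, 443, 3389)]
    # 192.0.2.50: RSTs to 12 distinct host/port pairs within 12 seconds
    lines = [fmt(timedelta(seconds=i), "192.0.2.50", *t, "RST") for i, t in enumerate(targets)]
    # 10.0.0.7: 20 RSTs to a single server and port (many packets, one target)
    lines += [fmt(timedelta(seconds=s), "10.0.0.7", "10.0.1.10", 443, "RST,ACK")
              for s in range(20)]
    # 10.0.0.9: 12 distinct ports, one every 5 minutes (never 10 inside one window)
    lines += [fmt(timedelta(minutes=5 * k), "10.0.0.9", "10.0.1.10", 1000 + k, "RST")
              for k in range(12)]
    return lines
```

Counting distinct targets rather than raw packets keeps a host that resets many connections to one service from being flagged, and widening `window` is what brings slow, spread-out sources into view.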

On the endpoint, look for evidence of scanning activity, such as installed network scanning tools or open ports on your system that you are not aware of. Close any unnecessary ports and remove any unauthorized software to mitigate the risk of a successful attack.

**Related MITRE ATT&CK Categories**

[Discovery: Network Service Discovery, Technique T1046 - Enterprise](https://attack.mitre.org/techniques/T1046)

[Reconnaissance: Active Scanning, Technique T1595 - Enterprise](https://attack.mitre.org/techniques/T1595)


