GBX-SEC provides insight into potential instances of network and port scanning by analyzing commonly used protocols and behavior patterns. The reachability and service scans that this bundle attempts to find can be indicative of an upcoming, more targeted network attack, so the early warning is essential, and the metrics provided can help you find problems before they become critical.
In terms of reachability (host discovery) scans, the bundle monitors ARP packets on the local subnet for devices sending out excessive amounts of ARP requests, as well as several types of ICMP probe packets. Similarly, the bundle tracks metrics related to TCP connect, SYN, NULL, FIN, and port scans, as well as UDP port scans.
In addition to detecting typical scan patterns of high numbers of suspicious packets over short periods of time, the bundle includes triggers to detect slower reachability and service port scans that are spread out over longer periods. The detection thresholds for each type of scan can be configured in the corresponding triggers as appropriate for your network.
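The fast and slow thresholds described above can be pictured with the following added example, which is not the GBX-SEC bundle's trigger code. The record shape, the function names, and the window and threshold values are all assumptions chosen for illustration, and only SYN, NULL, FIN and UDP probes are covered.

```javascript
// Illustrative only: hypothetical thresholds, not values taken from the bundle.
const WINDOWS = [
  { name: "fast", seconds: 10, minTargets: 20 },   // burst of probes
  { name: "slow", seconds: 3600, minTargets: 20 }, // probes spread over an hour
];

// Map a packet to the scan type its flags suggest ("" means no TCP flags set).
function probeType(pkt) {
  if (pkt.proto === "udp") return "UDP";
  if (pkt.proto !== "tcp") return null;
  if (pkt.flags === "") return "NULL";
  if (pkt.flags === "F") return "FIN";
  if (pkt.flags === "S") return "SYN";
  return null; // anything else is not treated as a probe here
}

// Count distinct dst:port targets per source and probe type inside each window.
function detectScans(packets, windows = WINDOWS) {
  const history = new Map(); // "src|type" -> [{ ts, target }]
  const alerts = new Map();  // "src|type" -> name of the first window exceeded
  for (const pkt of [...packets].sort((a, b) => a.ts - b.ts)) {
    const type = probeType(pkt);
    if (!type) continue;
    const key = `${pkt.src}|${type}`;
    if (!history.has(key)) history.set(key, []);
    const hist = history.get(key);
    hist.push({ ts: pkt.ts, target: `${pkt.dst}:${pkt.dport}` });
    if (alerts.has(key)) continue;
    for (const w of windows) {
      const recent = hist.filter((h) => h.ts > pkt.ts - w.seconds);
      if (new Set(recent.map((h) => h.target)).size >= w.minTargets) {
        alerts.set(key, w.name);
        break;
      }
    }
  }
  return [...alerts].map(([key, window]) => {
    const [src, type] = key.split("|");
    return { src, type, window };
  });
}

// Constructed sample traffic: a burst SYN scan, a slow FIN scan, a normal client.
function sampleTraffic() {
  const pkts = [];
  for (let i = 0; i < 25; i++) {
    pkts.push({ ts: i * 0.2, src: "10.0.0.5", dst: "10.0.0.9", dport: 1 + i, proto: "tcp", flags: "S" });
    pkts.push({ ts: i * 120, src: "10.0.0.7", dst: "10.0.0.9", dport: 1 + i, proto: "tcp", flags: "F" });
    pkts.push({ ts: i * 30, src: "10.0.0.8", dst: "10.0.0.9", dport: 443, proto: "tcp", flags: "S" });
  }
  return pkts;
}
```

Counting distinct targets rather than raw packets keeps a busy client that repeatedly connects to one service below both thresholds, while the one-probe-every-two-minutes source is caught only by the longer window.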