The intrusion detection system tries to detect port scans, to report them, and to react to the attack. This is similar to detecting a SYN flood attack (see SYN flooding): A count is kept of the number of "half-open" connections, whereby a TCP reset sent by the scanned computer leaves a "half-open" connection open again.
Once a certain number of half-open connections exists between the scanned and the scanned computer, this is reported as a port scan.
Similarly, the reception of empty UDP packets is interpreted as an attempted port scan.
