Firewall Wizards mailing list archives

Re: Netscreen firewall and portscans?


From: Pierre-Yves Bonnetain <bonnetain () acm org>
Date: Wed, 06 Feb 2002 09:50:30 +0100

Tracy R Reed wrote:

> graphics. My theory is that the IDS sees a flurry of packets going back to
> some system behind his firewall all at different port numbers in a short
> amount of time and flags it as a portscan regardless of whether SYN was
> set or not.
>
> Anyone else have experience or heard of such false alarms?

   Yes. I've had something similar with an overly sensitive ISS RealSecure. It
was triggering alarms about _outgoing_ scans from one of our nets, when some
people were surfing on small-images-heavy sites. Quite the same symptom as
what you describe: a flurry of TCP connections, an alarm-triggering level set
far too low... and red lights all over the place.

   This has been solved by 'intelligently' bumping up the level above which
the IDS triggers some alarms (for floods, scans and the like). It took some
doing. We did not want to review all alarms one by one (time consuming), so
each and every time we got 'too many' alerts we investigated to check if it
was a false positive and, if so, straightened it (not too much, though; just
to avoid having red lights whenever someone goes surfing).

   Hth,

-- Pierre-Yves Bonnetain
   Consultant Sécurité -- B&A Consultants
   Tél +33 (0) 563 277 241 -- Fax +33 (0) 563 277 245
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
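The false positive discussed in this thread, as an added illustration that is not part of the original post or of any real IDS product: a naive sliding-window detector that counts distinct destination ports regardless of TCP flags flags the server-to-client return traffic of a browser fetching many small images as a "scan", while a detector that counts only connection attempts (SYN set, ACK clear) does not, yet still catches a genuine SYN sweep. Addresses, the 5-second window and the threshold of 20 ports are constructed values.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


def naive_scan_alerts(packets, window=5.0, threshold=20):
    """Flag (src, dst) pairs that touch >= threshold distinct dst ports within
    `window` seconds, ignoring TCP flags entirely (the behaviour described above)."""
    history = defaultdict(list)          # (src, dst) -> [(ts, dport), ...]
    alerts = set()
    for p in sorted(packets, key=lambda p: p.ts):
        hist = history[(p.src, p.dst)]
        hist.append((p.ts, p.dport))
        hist[:] = [(t, d) for t, d in hist if p.ts - t <= window]   # slide window
        if len({d for _, d in hist}) >= threshold:
            alerts.add((p.src, p.dst))
    return alerts


def syn_scan_alerts(packets, window=5.0, threshold=20):
    """Same window logic, but only new connection attempts (SYN without ACK) count,
    so replies flowing back to a client's ephemeral ports are ignored."""
    return naive_scan_alerts([p for p in packets if p.syn and not p.ack], window, threshold)


def browsing_traffic(client="10.0.0.5", server="203.0.113.10", n=40):
    """Constructed traffic: one browser opening n connections to one web server."""
    pkts = []
    for i in range(n):
        sport = 40000 + i                                   # client ephemeral port
        pkts.append(Packet(0.01 * i, client, sport, server, 80, True, False))          # SYN out
        pkts.append(Packet(0.01 * i + 0.002, server, 80, client, sport, True, True))   # SYN/ACK back
        pkts.append(Packet(0.01 * i + 0.004, server, 80, client, sport, False, True))  # data back
    return pkts


def syn_scan_traffic(scanner="198.51.100.7", target="10.0.0.5", n=40):
    """Constructed traffic: a real SYN sweep, one SYN per port, no handshake completed."""
    return [Packet(0.01 * i, scanner, 12345, target, 1000 + i, True, False) for i in range(n)]
```

Raising `threshold`, as the reply describes, also silences the naive detector for this traffic, but at the cost of missing slower or smaller sweeps; filtering on connection direction and flags removes the false positive without that trade-off.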

