Re: Netscreen firewall and portscans?

["Boni Bruno" <bbruno () dsw net>]

Netscreen itself is primarily a firewall with some Firewall Protection
settings and a nice malicious URL detection feature, but in no way is
it an advanced intrusion detection system.  The firewall protection
features are as follows:

Detect SYN Attacks, ICMP Flood, UDP Flood, Ping of Death, WinNuke, 
Detect Port Scan, Land Attack, TearDrop, Source Route Packets, 
Detect Address Sweep Attacks, and IP Spoofing.

The SYN Attacks, ICMP & UDP Flood have configurable threshold which if
set to low can produce false positives.  This may be the problem with
the client trying to contact you.  However, they have to produce a log
to merit any attention....

The Port Scan Detection feature is only triggered if a given source
address attempts quick connections to multiple ports on the destination
network the firewall is protecting.  This is not a common characteristic
for any web server, even if its behind BIGIP.  

I have seen some load balances utilizing virtual IPs trigger SYN
attacks due to not acknowledging SYN packets correctly, but never
triggering a PORT SCAN attack.  I suspect the remote Netscreen firewall
may be complaining about a SYN attack rather than a Port Scan.  Again,
without a log, the end user can not be taken seriously. 

Regards,

-boni bruno


> Date: Tue, 5 Feb 2002 14:51:08 -0800
> From: Tracy R Reed <treed () ultraviolet org>
> To: firewall-wizards () nfr com
> Subject: [fw-wiz] Netscreen firewall and portscans?
>
> --hOcCNbCCxyk/YU74
> Content-Type: text/plain; charset=us-ascii
> Content-Disposition: inline
> Content-Transfer-Encoding: quoted-printable
>
> I keep getting emails from people saying we are port scanning their
> system. Averaging one a day but it varies. We have checked and double
> checked just to make sure we aren't owned and we definitely are not. The
> alleged scans are coming from virtual interfaces on our BigIP F5 load
> balancing systems.
>
> The reports are almost always without logs and what logs there are don't
> provide any info about the packet, whether it was a SYN, what the payload
> was, etc. Just that it was a TCP packet from our machine to their
> firewall. I finally replied to one of the reports and asked what software
> he was using and he said he uses the Netscreen (www.netscreen.com) IDS. I
> suggested that it wasn't a port scan at all but I couldn't be sure unless
> I know what flags were on the packets and what the size and payload of the
> packet was. The user avoided anything to do with the technical aspects of
> TCP such as flags on packets etc. I suspect he has no clue what I am
> talking about. His position is that the IDS said we were portscanning so
> goshdarnit we must be portscanning his machine! I have a feeling that a
> lot of these reports come from people in similar positions.
>
> I think it's just lame IDS systems out there (possibly all Netscreen
> systems) giving false alarms. We have some webpages with lots of small
> graphics. My theory is that the IDS sees a flurry of packets going back to
> some system behind his firewall all at different port numbers in a short
> amount of time and flags it as a portscan regardless of whether SYN was
> set or not.
>
> Anyone else have experience or heard of such false alarms?
>
> It is really annoying getting reports of portscans all the time because if
> we do someday get owned and someone scans we might ignore the report.
>
> --=20
> Tracy Reed      http://www.ultraviolet.org
> "She moves in mysterious ways"
>
> --hOcCNbCCxyk/YU74
> Content-Type: application/pgp-signature
> Content-Disposition: inline
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.1 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iEYEARECAAYFAjxgYdsACgkQ9PIYKZYVAq1xewCeNptI/lagzF/SMRZkuO2NGX1g
> obwAn1GAz6gSv44w7Lhk1v+xWcHWk0rG
> =nidA
> -----END PGP SIGNATURE-----
>
> --hOcCNbCCxyk/YU74--
>
> --__--__--
>
> Message: 3
> Date: Wed, 6 Feb 2002 01:54:19 -0500 (EST)
> From: "R. DuFresne" <dufresne () sysinfo com>
> To: Tracy R Reed <treed () ultraviolet org>
> Cc: firewall-wizards () nfr com
> Subject: Re: [fw-wiz] Netscreen firewall and portscans?
> Organization: sysinfo.com
>
> The care and feeding of an IDS is a very overlooked issue with many sites
> that enable them, and most place these beasts on the external side and
> leave default settings in place such that they tend to be worthless alarms
> that wake their admins in the wee morning hours with meaningless crap for
> sure.  It's been an area of discussion on this list, and not too long ago.
>
> Folks issuing complaints without supplying logs and timestamps of the
> suspected intrusions should in most cases just be sent to /dev/null.
> Often these are coming from sites that outsource their peimiter access to
> an MSSP with undertrained and unskilled staff lacking the ability to tame
> those IDS beasts they manage, let alone safely manage the rulebases for
> the fw-1 systems they are maintaining for their clients.  The main point
> is thugh, how can you be expected to investigate such an issue without
> some documented logging information to campare with your systems logs and
> their associated timestamps?
>
> Thanks,
>
> Ron DuFresne
>
> On Tue, 5 Feb 2002, Tracy R Reed wrote:
>
> > I keep getting emails from people saying we are port scanning their
> > system. Averaging one a day but it varies. We have checked and double
> > checked just to make sure we aren't owned and we definitely are not. The
> > alleged scans are coming from virtual interfaces on our BigIP F5 load
> > balancing systems.
> >
> > The reports are almost always without logs and what logs there are don't
> > provide any info about the packet, whether it was a SYN, what the payload
> > was, etc. Just that it was a TCP packet from our machine to their
> > firewall. I finally replied to one of the reports and asked what software
> > he was using and he said he uses the Netscreen (www.netscreen.com) IDS. I
> > suggested that it wasn't a port scan at all but I couldn't be sure unless
> > I know what flags were on the packets and what the size and payload of the
> > packet was. The user avoided anything to do with the technical aspects of
> > TCP such as flags on packets etc. I suspect he has no clue what I am
> > talking about. His position is that the IDS said we were portscanning so
> > goshdarnit we must be portscanning his machine! I have a feeling that a
> > lot of these reports come from people in similar positions.
> >
> > I think it's just lame IDS systems out there (possibly all Netscreen
> > systems) giving false alarms. We have some webpages with lots of small
> > graphics. My theory is that the IDS sees a flurry of packets going back to
> > some system behind his firewall all at different port numbers in a short
> > amount of time and flags it as a portscan regardless of whether SYN was
> > set or not.
> >
> > Anyone else have experience or heard of such false alarms?
> >
> > It is really annoying getting reports of portscans all the time because if
> > we do someday get owned and someone scans we might ignore the report.
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>         admin & senior security consultant:  sysinfo.com
>                         http://sysinfo.com
>
> "Cutting the space budget really restores my faith in humanity.  It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation."
>                 -- Johnny Hart
>
> testing, only testing, and damn good at it too!
>
> --__--__--
>
> Message: 4
> Date: Wed, 06 Feb 2002 09:24:32 +0100
> From: Pierre-Yves Bonnetain <bonnetain () acm org>
> Reply-To: bonnetain () acm org
> Organization: B&A Consultants
> To: firewall-wizards () nfr com
> Subject: [fw-wiz] URL filtering
>
>    Hello,
>
>    I am currently setting up a reverse proxy to protect some web
> servers.
> Proxy is based on Apache/mod_proxy/mod_rewrite. I want to do URL
> filtering
> _and_ script args filtering too.
>    URL filtering seems no big deal with mod_rewrite, just a matter to
> get the
> proper list and regular expressions and put them into mod_rewrite
> syntax.
>    But as script args is concerned... it's another matter (or I
> haven't
> understood all the doc :-). Has anyone of you done stg similar ? Do
> you have
> any pointer where I may find more data ?
>    Thanks,
>    Cheers,
>
> -- Pierre-Yves Bonnetain
>    Consultant Sécurité -- B&A Consultants
>    Tél +33 (0) 563 277 241 -- Fax +33 (0) 563 277 245
>
> --__--__--
>
> Message: 5
> Date: Wed, 06 Feb 2002 09:50:30 +0100
> From: Pierre-Yves Bonnetain <bonnetain () acm org>
> Reply-To: bonnetain () acm org
> Organization: B&A Consultants
> To: Tracy R Reed <treed () ultraviolet org>
> Cc: firewall-wizards () nfr com
> Subject: Re: [fw-wiz] Netscreen firewall and portscans?
>
> Tracy R Reed wrote:
> > graphics. My theory is that the IDS sees a flurry of packets going back to
> > some system behind his firewall all at different port numbers in a short
> > amount of time and flags it as a portscan regardless of whether SYN was
> > set or not.
> >
> > Anyone else have experience or heard of such false alarms?
>    Yes. I've had something similar with an overly sensitive ISS
> RealSecure. It
> was triggering alarms about _outgoing_ scans from one of our nets,
> when some
> people where surfing on small-images-heavy sites. Quite the same
> symptom as
> what you describe : a flurry of TCP connexions, an alarm-triggering
> level set
> far too low... and red lights all over the place.
>    This has been solved by 'intelligently' bumping up the level above
> which
> the IDS triggers some alarms (for floods, scans and the like). It took
> some
> doing. We did not want to review all alarms one by one (time
> consuming), so
> each and every time we got 'too many' alerts we investigated to check
> if it
> was a false-positive and, if so, straightened it (not too much,
> though; just
> to avoid having red lights whenever someone goes surfing).
>    Hth,
>
> -- Pierre-Yves Bonnetain
>    Consultant Sécurité -- B&A Consultants
>    Tél +33 (0) 563 277 241 -- Fax +33 (0) 563 277 245
>
> --__--__--
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://list.nfr.com/mailman/listinfo/firewall-wizards
>
> End of firewall-wizards Digest
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards