Firewall Wizards mailing list archives
Re: Netscreen firewall and portscans?
From: Pierre-Yves Bonnetain <bonnetain () acm org>
Date: Wed, 06 Feb 2002 09:50:30 +0100
Tracy R Reed wrote:
graphics. My theory is that the IDS sees a flurry of packets going back to some system behind his firewall all at different port numbers in a short amount of time and flags it as a portscan regardless of whether SYN was set or not. Anyone else have experience or heard of such false alarms?
Yes. I've had something similar with an overly sensitive ISS RealSecure. It was triggering alarms about _outgoing_ scans from one of our nets, when some people were surfing on small-images-heavy sites. Quite the same symptom as what you describe: a flurry of TCP connections, an alarm-triggering level set far too low... and red lights all over the place.

This has been solved by 'intelligently' bumping up the level above which the IDS triggers some alarms (for floods, scans and the like). It took some doing. We did not want to review all alarms one by one (time consuming), so each and every time we got 'too many' alerts we investigated to check if it was a false-positive and, if so, straightened it (not too much, though; just to avoid having red lights whenever someone goes surfing).

Hth,
--
Pierre-Yves Bonnetain
Consultant Sécurité -- B&A Consultants
Tél +33 (0) 563 277 241 -- Fax +33 (0) 563 277 245
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
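Added example, not part of the original message and not code from any IDS named in the thread: a minimal distinct-port counter showing how server replies to image-heavy browsing trip a flag-blind portscan rule, and how either counting only bare SYNs or raising the threshold removes the false alarm. The addresses, the 5-second window, the thresholds and the packet record layout are all constructed assumptions.

```python
from collections import defaultdict

WINDOW = 5.0  # seconds of history kept per (src, dst) pair; assumed value

def web_replies(server, client, n, t0=0.0):
    """Constructed sample: SYN/ACK replies from a web server to n parallel
    client connections (one per small image), each to a new ephemeral port."""
    return [(t0 + i * 0.05, server, 80, client, 40000 + i, "SA") for i in range(n)]

def syn_scan(scanner, target, n, t0=0.0):
    """Constructed sample: bare SYNs to n different ports on one target."""
    return [(t0 + i * 0.05, scanner, 50000, target, 1 + i, "S") for i in range(n)]

def detect(packets, threshold, syn_only=False):
    """Return the (src, dst) pairs that reached `threshold` distinct
    destination ports within WINDOW seconds.
    syn_only=False counts every packet, whatever its flags (the behaviour
    theorised in the thread); syn_only=True counts only connection
    attempts (SYN set, ACK clear)."""
    seen = defaultdict(list)  # (src, dst) -> [(time, dst_port), ...]
    alerts = set()
    for t, src, _sport, dst, dport, flags in sorted(packets):
        if syn_only and flags != "S":
            continue
        hits = seen[(src, dst)]
        hits.append((t, dport))
        # Expire observations that fell out of the sliding window.
        hits[:] = [(ht, p) for ht, p in hits if t - ht <= WINDOW]
        if len({p for _, p in hits}) >= threshold:
            alerts.add((src, dst))
    return alerts

# Constructed traffic: one inside client loading a 30-image page, plus a
# real 100-port SYN scan against the same client.
SAMPLE = (web_replies("192.0.2.10", "10.0.0.5", 30)
          + syn_scan("198.51.100.7", "10.0.0.5", 100))

if __name__ == "__main__":
    print("flag-blind, threshold 20:", sorted(detect(SAMPLE, 20)))
    print("flag-blind, threshold 50:", sorted(detect(SAMPLE, 50)))
    print("SYN-only,   threshold 20:", sorted(detect(SAMPLE, 20, syn_only=True)))
    print("flag-blind, threshold 200:", sorted(detect(SAMPLE, 200)))
```

The threshold of 200 in the last call silences the real scan as well, which is the trade-off behind raising the level "not too much".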