Firewall Wizards mailing list archives
Re: Netscreen firewall and portscans?
From: Raul Duke <raul_duke76 () hotmail com>
Date: Wed, 06 Feb 2002 09:08:02 -0800

In reality, the netscreen is principally a firewall VPN appliance and only has light IDS functionality and needs to be tuned accordingly. Out of the box their default settings are so low that even "normal" traffic may look like an attack. What sort of alarm were they getting? Sounds like the syn-flood sensor may be set way too low...

On 2/6/02 12:50 AM, "Pierre-Yves Bonnetain" <bonnetain () acm org> wrote:

> Tracy R Reed wrote:
>
>> graphics. My theory is that the IDS sees a flurry of packets going back to some system behind his firewall all at different port numbers in a short amount of time and flags it as a portscan regardless of whether SYN was set or not. Anyone else have experience or heard of such false alarms?
>
> Yes. I've had something similar with an overly sensitive ISS RealSecure. It was triggering alarms about _outgoing_ scans from one of our nets, when some people were surfing on small-images-heavy sites. Quite the same symptom as what you describe: a flurry of TCP connections, an alarm-triggering level set far too low... and red lights all over the place.
>
> This has been solved by 'intelligently' bumping up the level above which the IDS triggers some alarms (for floods, scans and the like). It took some doing. We did not want to review all alarms one by one (time consuming), so each and every time we got 'too many' alerts we investigated to check if it was a false-positive and, if so, straightened it (not too much, though; just to avoid having red lights whenever someone goes surfing).
>
> Hth,
> --
> Pierre-Yves Bonnetain
> Consultant Sécurité -- B&A Consultants
> Tél +33 (0) 563 277 241 -- Fax +33 (0) 563 277 245
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://list.nfr.com/mailman/listinfo/firewall-wizards
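
The false positive discussed in this thread, as an added example that is not part of the original messages and is not NetScreen or RealSecure code: a flag-blind distinct-port counter flags the web server whose replies fan out to a browsing client's ephemeral ports, while raising the threshold or counting only SYN-without-ACK packets leaves just the real scan flagged. The addresses, window length, thresholds and packet tuples are constructed assumptions.

```python
from collections import defaultdict

WINDOW = 1.0  # seconds; assumed window length, not a vendor default
CLIENT, SERVER, SCANNER = "10.0.0.5", "192.0.2.80", "198.51.100.9"  # constructed


def detect(packets, threshold, syn_only):
    """Return sources that touched more than `threshold` distinct
    (dst, port) pairs within WINDOW seconds.
    packets: (time, src, dst, dst_port, flags); flags e.g. "S", "SA", "PA".
    syn_only: count only connection attempts (SYN set, ACK clear)."""
    recent = defaultdict(list)  # src -> [(time, dst, port)]
    flagged = set()
    for t, src, dst, port, flags in sorted(packets):
        if syn_only and not ("S" in flags and "A" not in flags):
            continue
        hits = [h for h in recent[src] if t - h[0] <= WINDOW]
        hits.append((t, dst, port))
        recent[src] = hits
        if len({(d, p) for _, d, p in hits}) > threshold:
            flagged.add(src)
    return flagged


def browsing():
    """Constructed: one client fetches 12 small images over 12 connections."""
    pkts = []
    for i in range(12):
        t, sport = i * 0.04, 40000 + i
        pkts += [(t, CLIENT, SERVER, 80, "S"),
                 (t + 0.01, SERVER, CLIENT, sport, "SA"),
                 (t + 0.02, CLIENT, SERVER, 80, "A"),
                 (t + 0.03, SERVER, CLIENT, sport, "PA")]
    return pkts


def scan():
    """Constructed: SYNs to 30 different ports on the client."""
    return [(5 + i * 0.01, SCANNER, CLIENT, p, "S") for i, p in enumerate(range(1, 31))]


if __name__ == "__main__":
    traffic = browsing() + scan()
    print("flag-blind, threshold 10:", sorted(detect(traffic, 10, False)))
    print("flag-blind, threshold 20:", sorted(detect(traffic, 20, False)))
    print("SYN-only,   threshold 10:", sorted(detect(traffic, 10, True)))
```

Raising the threshold only hides the browsing burst until a page with more images comes along; the SYN-only count removes that class of reply traffic from the tally altogether.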