Firewall Wizards mailing list archives

Re: Netscreen firewall and portscans?


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Wed, 6 Feb 2002 01:54:19 -0500 (EST)


The care and feeding of an IDS is a very overlooked issue with many sites
that enable them, and most place these beasts on the external side and
leave default settings in place such that they tend to be worthless alarms
that wake their admins in the wee morning hours with meaningless crap for
sure.  It's been an area of discussion on this list, and not too long ago.

Folks issuing complaints without supplying logs and timestamps of the
suspected intrusions should in most cases just be sent to /dev/null.
Often these are coming from sites that outsource their perimeter access to
an MSSP with undertrained and unskilled staff lacking the ability to tame
those IDS beasts they manage, let alone safely manage the rulebases for
the fw-1 systems they are maintaining for their clients.  The main point
is though, how can you be expected to investigate such an issue without
some documented logging information to compare with your systems logs and
their associated timestamps?

Thanks,

Ron DuFresne

On Tue, 5 Feb 2002, Tracy R Reed wrote:

I keep getting emails from people saying we are port scanning their
system. Averaging one a day but it varies. We have checked and double
checked just to make sure we aren't owned and we definitely are not. The
alleged scans are coming from virtual interfaces on our BigIP F5 load
balancing systems.

The reports are almost always without logs and what logs there are don't
provide any info about the packet, whether it was a SYN, what the payload
was, etc. Just that it was a TCP packet from our machine to their
firewall. I finally replied to one of the reports and asked what software
he was using and he said he uses the Netscreen (www.netscreen.com) IDS. I
suggested that it wasn't a port scan at all but I couldn't be sure unless
I know what flags were on the packets and what the size and payload of the
packet was. The user avoided anything to do with the technical aspects of
TCP such as flags on packets etc. I suspect he has no clue what I am
talking about. His position is that the IDS said we were portscanning so
goshdarnit we must be portscanning his machine! I have a feeling that a
lot of these reports come from people in similar positions.

I think it's just lame IDS systems out there (possibly all Netscreen
systems) giving false alarms. We have some webpages with lots of small
graphics. My theory is that the IDS sees a flurry of packets going back to
some system behind his firewall all at different port numbers in a short
amount of time and flags it as a portscan regardless of whether SYN was
set or not.

Anyone else have experience or heard of such false alarms?

It is really annoying getting reports of portscans all the time because if
we do someday get owned and someone scans we might ignore the report.



-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
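Tracy's theory above (a flurry of server replies to many different client ports being mistaken for a scan) can be made concrete. The following is an added example written for this archive page; it is not code from either poster and says nothing about how Netscreen's product actually works. It builds constructed sample traffic on RFC 5737 documentation addresses (a web server at 198.51.100.10:80 answering one short connection per image for client 203.0.113.5, plus a genuine SYN scanner at 192.0.2.77) and runs two hypothetical detectors over it: a flag-blind one that counts distinct destination ports per source, and one that only counts connection initiations (SYN set, ACK clear). The hostnames, ports and thresholds are assumptions chosen for the illustration.

```python
"""
Why a flag-blind "port scan" heuristic fires on a busy web server.

Constructed sample traffic (RFC 5737 documentation addresses, not real hosts):
  - 198.51.100.10:80 is a web server returning a page with many small images;
    the client 203.0.113.5 opens one short TCP connection per image, so the
    server's replies go to many different client ports in a short time.
  - 192.0.2.77 is a genuine SYN scanner probing many ports on 203.0.113.5.
Both detectors are hypothetical; they stand in for the logic Tracy suspects.
"""
from collections import defaultdict
from dataclasses import dataclass

# TCP flag bits as laid out in the TCP header
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def web_server_replies(client_ports, t0=0.0, step=0.02):
    """Server side of one short HTTP connection per image: SYN/ACK, data, FIN.
    Every packet carries ACK because the server never initiates anything."""
    pkts = []
    for i, cport in enumerate(client_ports):
        t = t0 + i * step
        for off, fl in ((0.000, SYN | ACK), (0.005, PSH | ACK), (0.010, FIN | ACK)):
            pkts.append(Packet(t + off, "198.51.100.10", 80, "203.0.113.5", cport, fl))
    return pkts


def syn_scan(ports, t0=10.0, step=0.01):
    """Pure SYNs from one ephemeral port to many target ports: a real scan."""
    return [Packet(t0 + i * step, "192.0.2.77", 40000, "203.0.113.5", p, SYN)
            for i, p in enumerate(ports)]


# Constructed sample: 25 image fetches, then a 25-port scan.
SAMPLE = web_server_replies(range(49152, 49152 + 25)) + syn_scan(range(1, 26))


def _max_distinct_in_window(hits, window):
    """Largest number of distinct destination ports seen in any span of
    `window` seconds. `hits` is a time-sorted list of (ts, dport)."""
    best, lo = 0, 0
    for hi in range(len(hits)):
        while hits[hi][0] - hits[lo][0] > window:
            lo += 1
        best = max(best, len({d for _, d in hits[lo:hi + 1]}))
    return best


def naive_detector(packets, window=5.0, threshold=10):
    """Flag-blind heuristic: N distinct destination ports from one source
    within `window` seconds means "port scan". Flags are never consulted,
    so a web server (or a load-balancer VIP fronting one) trips it."""
    seen = defaultdict(list)  # src -> [(ts, dport)] in time order
    for p in sorted(packets, key=lambda p: p.ts):
        seen[p.src].append((p.ts, p.dport))
    return sorted(src for src, hits in seen.items()
                  if _max_distinct_in_window(hits, window) >= threshold)


def flag_aware_detector(packets, window=5.0, threshold=10):
    """Same counting, but only connection initiations (SYN set, ACK clear)
    count. Server replies (SYN/ACK, PSH/ACK, FIN/ACK) all carry ACK and
    are ignored, so only the scanner is reported."""
    seen = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        if p.flags & SYN and not p.flags & ACK:
            seen[p.src].append((p.ts, p.dport))
    return sorted(src for src, hits in seen.items()
                  if _max_distinct_in_window(hits, window) >= threshold)


if __name__ == "__main__":
    print("flag-blind  :", naive_detector(SAMPLE))
    print("flag-aware  :", flag_aware_detector(SAMPLE))
```

The flag-blind detector reports both 198.51.100.10 (the web server) and 192.0.2.77; the flag-aware one reports only the scanner. This is also why a complaint is uninvestigable without the flags, source port and timestamps of the offending packets: a report that says only "TCP packet from your host to my firewall" cannot distinguish the two cases.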
