Firewall Wizards mailing list archives

Re: Netscreen firewall and portscans?


From: TDyson () sybex com
Date: Wed, 6 Feb 2002 07:45:36 -0800


Yeah.  Netscreens are paranoid.  Any traffic from a single source that
uses a sequence of return ports, like HTTP 1.0 with a page with lots of
elements as you mentioned, will cause Netscreen to cry "Wolf!".  I have a
canned e-mail I send back to the admins.  It's always cool when I can say,
"Let me guess.  You have a Netscreen Firewall."  Makes me look psychic.

In our case the traffic always comes from one of our virtual IP addresses,
so I know it is all response traffic.

Thom Dyson
Director of Information Services
Sybex, Inc.

On 2/5/02 2:51:08 PM, Tracy R Reed <treed () ultraviolet org> wrote:

I think it's just lame IDS systems out there (possibly all Netscreen
systems) giving false alarms. We have some webpages with lots of small
graphics. My theory is that the IDS sees a flurry of packets going back to
some system behind his firewall all at different port numbers in a short
amount of time and flags it as a portscan regardless of whether SYN was
set or not.

Anyone else have experience or heard of such false alarms?

It is really annoying getting reports of portscans all the time because if
we do someday get owned and someone scans we might ignore the report.

--
Tracy Reed      http://www.ultraviolet.org
"She moves in mysterious ways"

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
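
The false positive discussed in this thread, as an added example that is not part of the original messages and does not describe how any particular product works: a detector that counts distinct destination ports per source flags a web server's reply traffic, while one that only counts initial SYNs does not. The window, threshold, flag encoding and documentation-range addresses are assumptions, and the packet records are constructed.

```python
from collections import defaultdict, deque

WINDOW = 2.0      # seconds of history kept per (src, dst) pair (assumed)
THRESHOLD = 10    # distinct destination ports that trigger an alert (assumed)

WEB, CLIENT, SCANNER = "192.0.2.10", "198.51.100.5", "203.0.113.9"

def is_initial_syn(flags):
    """True for a connection attempt: SYN set, ACK clear."""
    return "S" in flags and "A" not in flags

def detect(packets, syn_only):
    """Return the set of sources flagged as port scanners.

    packets: iterable of (ts, src, sport, dst, dport, flags).
    syn_only=False counts every packet (the behaviour the thread complains
    about); syn_only=True counts only initial SYNs.
    """
    recent = defaultdict(deque)          # (src, dst) -> deque of (ts, dport)
    flagged = set()
    for ts, src, sport, dst, dport, flags in sorted(packets):
        if syn_only and not is_initial_syn(flags):
            continue
        q = recent[(src, dst)]
        q.append((ts, dport))
        while q and ts - q[0][0] > WINDOW:   # drop entries outside the window
            q.popleft()
        if len({port for _, port in q}) >= THRESHOLD:
            flagged.add(src)
    return flagged

def sample_traffic():
    """Constructed records: web replies to 12 client ports, then a real scan."""
    pkts = []
    for i in range(12):                  # HTTP 1.0: one connection per element
        t = i * 0.05
        pkts.append((t, WEB, 80, CLIENT, 40000 + i, "SA"))         # SYN-ACK
        pkts.append((t + 0.01, WEB, 80, CLIENT, 40000 + i, "PA"))  # page data
    for i in range(12):                  # connection attempts to 12 ports
        pkts.append((5.0 + i * 0.05, SCANNER, 50000, CLIENT, 20 + i, "S"))
    return pkts

if __name__ == "__main__":
    traffic = sample_traffic()
    print("count every packet:", sorted(detect(traffic, syn_only=False)))
    print("count initial SYNs:", sorted(detect(traffic, syn_only=True)))
```
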

