I recently deployed a "pre-packaged" Snort intrusion-detection system that is reporting a very high number of port scan attacks.
What's interesting is that the attacks are all being generated from internal IP addresses to external ones. I'm certain that our staffers aren't running port scanners. Any idea what could be causing these false positives and how to eliminate them? (I know that the Portscan2 Preprocessor is generating these reports.)
Here's some info:
<Signature> (spp_portscan2) Portscan detected from 10.2.4.11: 8 targets 8 ports in 11 seconds 2004-08-10 09:46:08
<SourceAddress> 10.2.4.11:1497
<Dest.Address> 22.214.171.124:80
<Layer4Proto> TCP
You could have machines with Trojans running on them, but I think I have a better explanation, based on the snippet you provided.
The :80 at the end of the destination address indicates port 80 of TCP, which is typically used for http (Web browsing). Going to http://126.96.36.199 shows that to be from DoubleClick advertising. So what is probably happening is that many users are viewing Web pages that are full of advertising. Thus, there are many calls to those sites, as the advertisers include those links in order to track who sees them. This can even happen with HTML-based e-mail, outside of an actual browser. One of the benefits of the new XP SP2 firewall is that by default, the images in HTML e-mail (using Outlook Express at least, I haven't tried others) are blocked to prevent this type of thing.
I would certainly go through your logs to verify that this is what is happening and not something more malicious. If I'm right, then you need to develop a rule to filter this type of false positive. Perhaps you don't want to capture connections to port 80, though that could miss other things.
This was first published in October 2004