Q

Determining false positives on a new IDS

I recently deployed a "pre-packaged" Snort intrusion-detection system that is reporting a very high number of port scan attacks.

What's interesting is that the attacks are all being generated from internal IP addresses to external ones. I'm certain that our staffers aren't running port scanners. Any idea what could be causing these false positives and how to eliminate them? (I know that the Portscan2 Preprocessor is generating these reports.)

Here's some info:

ID: #450-(1-27365)
Signature: (spp_portscan2) Portscan detected from 10.2.4.11: 8 targets 8 ports in 11 seconds 2004-08-10 09:46:08
Source Address: 10.2.4.11:1497
Dest. Address: 216.73.85.29:80
Layer 4 Proto: TCP

You could have machines with Trojans running on them, but I think I have a better explanation, based on the snippet you provided.

The :80 at the end of the destination address indicates port 80 of TCP, which is typically used for http (Web browsing). Going to http://216.73.85.29 shows that to be from DoubleClick advertising. So what is probably happening is that many users are viewing Web pages that are full of advertising. Thus, there are many calls to those sites, as the advertisers include those links in order to track who sees them. This can even happen with HTML-based e-mail, outside of an actual browser. One of the benefits of the new XP SP2 firewall is that, by default, the images in HTML e-mail (using Outlook Express at least, I haven't tried others) are blocked to prevent this type of thing.

I would certainly go through your logs to verify that this is what is happening and not something more malicious. If I'm right, then you need to develop a rule to filter this type of false positive. Perhaps you don't want to capture connections to port 80, though that could miss other things.
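The log review suggested above can be scripted. The following is an added example (not code from the original question or answer, and not part of Snort): it parses per-flow alert records in a constructed format loosely modelled on the rows shown in the question, groups them by internal source, and separates the "many external hosts, web ports only" pattern that advertising links produce from a one-host/many-ports vertical scan or a one-port/many-hosts sweep. The alert line format, the sample log, the thresholds and the 10.0.0.0/8 internal range are all assumptions; adjust ALERT_RE and the constants to match your own sensor output.

```python
"""Triage spp_portscan2-style alerts: browsing noise versus real scans.

Added example, not from the original post and not part of Snort. The line
format below is a constructed approximation of a per-flow alert record;
the thresholds are assumptions for illustration, not Snort's own settings.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log (made up for this example). Three internal hosts are
# flagged; only 10.2.4.11 mirrors the pattern in the question: eight distinct
# external hosts, every connection to TCP port 80 or 443.
SAMPLE_LOG = """\
08/10-09:46:08 [**] (spp_portscan2) Portscan detected from 10.2.4.11 [**] {TCP} 10.2.4.11:1497 -> 216.73.85.29:80
08/10-09:46:09 [**] (spp_portscan2) Portscan detected from 10.2.4.11 [**] {TCP} 10.2.4.11:1498 -> 216.73.85.30:80
08/10-09:46:10 [**] (spp_portscan2) Portscan detected from 10.2.4.11 [**] {TCP} 10.2.4.11:1499 -> 216.73.85.31:80
08/10-09:46:11 [**] (spp_portscan2) Portscan detected from 10.2.4.11 [**] {TCP} 10.2.4.11:1500 -> 216.73.86.10:80
08/10-09:46:12 [**] (spp_portscan2) Portscan detected from 10.2.4.11 [**] {TCP} 10.2.4.11:1501 -> 216.73.86.11:443
08/10-09:46:14 [**] (spp_portscan2) Portscan detected from 10.2.4.11 [**] {TCP} 10.2.4.11:1502 -> 216.73.86.12:80
08/10-09:46:17 [**] (spp_portscan2) Portscan detected from 10.2.4.11 [**] {TCP} 10.2.4.11:1503 -> 216.73.87.5:80
08/10-09:46:19 [**] (spp_portscan2) Portscan detected from 10.2.4.11 [**] {TCP} 10.2.4.11:1504 -> 216.73.87.6:80
08/10-10:02:01 [**] (spp_portscan2) Portscan detected from 10.2.4.50 [**] {TCP} 10.2.4.50:2001 -> 216.73.85.29:21
08/10-10:02:01 [**] (spp_portscan2) Portscan detected from 10.2.4.50 [**] {TCP} 10.2.4.50:2002 -> 216.73.85.29:22
08/10-10:02:01 [**] (spp_portscan2) Portscan detected from 10.2.4.50 [**] {TCP} 10.2.4.50:2003 -> 216.73.85.29:23
08/10-10:02:02 [**] (spp_portscan2) Portscan detected from 10.2.4.50 [**] {TCP} 10.2.4.50:2004 -> 216.73.85.29:25
08/10-10:02:02 [**] (spp_portscan2) Portscan detected from 10.2.4.50 [**] {TCP} 10.2.4.50:2005 -> 216.73.85.29:135
08/10-10:02:02 [**] (spp_portscan2) Portscan detected from 10.2.4.50 [**] {TCP} 10.2.4.50:2006 -> 216.73.85.29:445
08/10-10:15:40 [**] (spp_portscan2) Portscan detected from 10.2.4.77 [**] {TCP} 10.2.4.77:3301 -> 198.51.100.1:445
08/10-10:15:40 [**] (spp_portscan2) Portscan detected from 10.2.4.77 [**] {TCP} 10.2.4.77:3302 -> 198.51.100.2:445
08/10-10:15:41 [**] (spp_portscan2) Portscan detected from 10.2.4.77 [**] {TCP} 10.2.4.77:3303 -> 198.51.100.3:445
08/10-10:15:41 [**] (spp_portscan2) Portscan detected from 10.2.4.77 [**] {TCP} 10.2.4.77:3304 -> 198.51.100.4:445
"""

# Assumed record shape: "... {PROTO} src:sport -> dst:dport" at the end of the line.
ALERT_RE = re.compile(
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

WEB_PORTS = {80, 443}            # assumption: what "web browsing" looks like here
VERTICAL_MIN_PORTS = 5           # assumption: one host, at least this many ports
HORIZONTAL_MIN_HOSTS = 3         # assumption: one port, at least this many hosts
INTERNAL = ip_network("10.0.0.0/8")  # assumption: the site's internal range


def parse_flows(text):
    """Return (src, dst, dport) for every line that matches ALERT_RE."""
    flows = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            flows.append((m["src"], m["dst"], int(m["dport"])))
    return flows


def classify(flows):
    """Label one source's flows by the shape of its destination set."""
    hosts = {dst for _, dst, _ in flows}
    ports = {dport for _, _, dport in flows}
    # Many distinct hosts, web ports only: the ad-server pattern from the answer.
    # A deliberate sweep of port 80 across hosts looks the same here, which is
    # why the answer says to confirm against the logs rather than trust this alone.
    if ports <= WEB_PORTS and len(hosts) >= 2:
        return "browsing-like"
    if len(hosts) == 1 and len(ports) >= VERTICAL_MIN_PORTS:
        return "vertical-scan"
    if len(ports) == 1 and len(hosts) >= HORIZONTAL_MIN_HOSTS:
        return "horizontal-scan"
    return "review"


def triage(text):
    """Map each source address to its classification."""
    by_src = defaultdict(list)
    for flow in parse_flows(text):
        by_src[flow[0]].append(flow)
    return {src: classify(flows) for src, flows in sorted(by_src.items())}


def ignore_candidates(text):
    """Internal sources whose alerts look like browsing: candidates for a
    preprocessor ignore list or a BPF exclusion, after manual confirmation."""
    return sorted(
        src for src, label in triage(text).items()
        if label == "browsing-like" and ip_address(src) in INTERNAL
    )


if __name__ == "__main__":
    for src, label in triage(SAMPLE_LOG).items():
        print(f"{src:<12} {label}")
    print("ignore candidates:", ignore_candidates(SAMPLE_LOG))
```

Run it against your own alert export after adapting ALERT_RE; the "browsing-like" sources are the ones to verify by hand (what sites, what users, what times) before you add them to any exclusion, and a host that comes back "vertical-scan" or "horizontal-scan" is the one to look at for the Trojan possibility mentioned above rather than for a tuning change.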


This was first published in October 2004.
