
Determining false positives on a new IDS

I recently deployed a "pre-packaged" Snort intrusion-detection system that is reporting a very high number of port scan attacks.

What's interesting is that the attacks are all being generated from internal IP addresses to external ones. I'm certain that our staffers aren't running port scanners. Any idea what could be causing these false positives and how to eliminate them? (I know that the Portscan2 Preprocessor is generating these reports.)

Here's some info:

ID #450-(1-27365)
Signature: (spp_portscan2) Portscan detected from 8 targets 8 ports in 11 seconds 2004-08-10 09:46:08
Source Address:
Dest. Address:
Layer 4 Proto: TCP

You could have machines with Trojans running on them, but I think I have a better explanation, based on the snippet you provided.

The :80 at the end of the destination address indicates port 80 of TCP, which is typically used for HTTP (Web browsing). Going to shows that to be from DoubleClick advertising. So what is probably happening is that many users are viewing Web pages that are full of advertising. Thus, there are many calls to those sites, as the advertisers include those links in order to track who sees them. This can even happen with HTML-based e-mail, outside of an actual browser. One of the benefits of the new XP SP2 firewall is that the images in HTML e-mail (using Outlook Express at least, I haven't tried others) are blocked by default to prevent this type of thing.

I would certainly go through your logs to verify that this is what is happening and not something more malicious. If I'm right, then you need to develop a rule to filter this type of false positive. Perhaps you don't want to capture connections to port 80, though that could miss other things.
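To show why ad-heavy browsing looks like a scan to a targets/ports-in-N-seconds counter, and what the "don't count port 80" filter does to it, here is an added illustration (not code from the question, the answer or Snort). It models the portscan2 alert text with a sliding window per source; the thresholds, addresses and connection records are constructed, and counting "ports" as distinct (host, port) pairs is an assumption.

```python
from collections import defaultdict
from datetime import datetime

# Constructed connection records (timestamp, src, dst, dport); the addresses
# are placeholders, not values from the original question.
AD_BROWSING = [("2004-08-10 09:46:%02d" % i, "10.0.0.5", "203.0.113.%d" % (10 + i), 80)
               for i in range(8)]  # one page load: 8 ad hosts, all TCP/80, within 8 seconds
REAL_SCAN = [("2004-08-10 09:50:%02d" % i, "10.0.0.7", "198.51.100.9", p)
             for i, p in enumerate((21, 22, 23, 25, 110, 139, 445, 3389))]  # 1 host, 8 ports


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def detect_portscans(conns, targets_max=5, ports_max=5, timeout=60, ignore_ports=()):
    """Sliding-window counter modelled on the portscan2 alert wording.

    For each source, count distinct destination hosts ("targets") and distinct
    (host, port) pairs ("ports") seen within `timeout` seconds, and record one
    alert per source the first time either count reaches its threshold.
    Connections to ports in `ignore_ports` are dropped before counting, which
    is the "don't capture port 80" filter discussed above. Thresholds are
    constructed for this illustration, not Snort's defaults.
    Returns {src: (targets, ports, seconds_spanned)}.
    """
    window = defaultdict(list)   # src -> [(ts, dst, dport)] still inside the window
    alerts = {}
    for ts_text, src, dst, dport in sorted(conns):
        if dport in ignore_ports or src in alerts:
            continue
        ts = parse_ts(ts_text)
        window[src] = [e for e in window[src] if (ts - e[0]).total_seconds() <= timeout]
        window[src].append((ts, dst, dport))
        targets = {e[1] for e in window[src]}
        ports = {(e[1], e[2]) for e in window[src]}
        if len(targets) >= targets_max or len(ports) >= ports_max:
            span = int((ts - window[src][0][0]).total_seconds())
            alerts[src] = (len(targets), len(ports), span)
    return alerts


if __name__ == "__main__":
    # Without the filter the browsing workstation alerts just like the scanner;
    # with port 80 ignored only the genuine one-host, many-ports scan remains.
    for src, (t, p, s) in detect_portscans(AD_BROWSING + REAL_SCAN).items():
        print("%s: Portscan detected from %d targets %d ports in %d seconds" % (src, t, p, s))
    print("with port 80 ignored:", detect_portscans(AD_BROWSING + REAL_SCAN, ignore_ports=(80,)))
```

Ignoring port 80 outright carries the caveat the answer raises: a real scan that only touches port 80 would also be suppressed, so a tighter suppression (for example per known ad-network host) is safer than dropping the port entirely.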

This was last published in October 2004.
