Strange Snort portscan detection
-
Hi,
I'm running pfSense 2.2-RELEASE amd64 in our network and having a strange issue with Snort and portscan detection.
My network diagram is as below:
The Snort package was installed and enabled on all interfaces in PFS1, and only its WAN interface had "Block Offenders" enabled. After upgrading to 2.2, I enabled Portscan Detection on the WAN interface with default settings. Since then the Snort alerts on WAN have many entries where clients from the 10.10.0.0 network access servers inside the 10.0.0.0 network, with reasons such as:
(portscan) UDP Filtered Portsweep - 01/28/15-15:33:50
ET POLICY DNS Update From External net - 08/30/14-08:47:03
(ftp_telnet) FTP response message was too long - 11/08/14-10:46:10
GPL SHELLCODE x86 0x90 unicode NOOP - 11/03/14-14:05:11
ET POLICY Java Url Lib User Agent Web Crawl - 01/21/15-15:46:05

Okay, our company is using VERY old software (Java, JBoss, etc.), but I wonder why these alerts for internal networks appear on the WAN interface? PFS1 has a static route to 10.0.0.0/20 with R0 as the gateway, and the OPT1 interface also has a static route.
Without "Portscan Detection", pfSense doesn't fire these alerts.
-
Snort puts the interface in promiscuous mode, so it sees any traffic on the selected interface.
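As an added example (not code from either post, nor from pfSense or Snort), the following script does by machine what the original poster did by eye: it parses Snort "fast"-format alert lines, checks whether both endpoints sit in the internal ranges, and flags alerts that should never have been on the WAN wire, emitting a Snort `suppress` directive for each offending gid/sid. It assumes the internal networks are 10.0.0.0/20 (given in the post) and 10.10.0.0/16 (the mask is an assumption), and the sample alert lines, IP addresses and gid/sid values are constructed placeholders rather than real rule IDs.

```python
"""Triage Snort "fast" alert lines by where the endpoints sit.

Added example for this thread; not code from the original posts, pfSense or Snort.
Assumptions: alerts are in Snort's "fast" output format; the internal ranges are
10.0.0.0/20 (from the post) and 10.10.0.0/16 (mask assumed); the gid/sid values
and addresses in SAMPLE_ALERTS are constructed placeholders.
"""
import ipaddress
import re
from collections import Counter

INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/20"),   # servers behind R0 (from the post)
    ipaddress.ip_network("10.10.0.0/16"),  # client network; /16 is an assumption
]

# Snort "fast" format:
# ts [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src[:port] -> dst[:port]
# Portscan events carry {PROTO:255} and no ports, so both are optional here.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*[^\]]*\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alert(line):
    """Return a dict for one fast-format alert line, or None if it does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["src"] = ipaddress.ip_address(d["src"])
    d["dst"] = ipaddress.ip_address(d["dst"])
    return d


def internal_net(addr):
    """The internal network containing addr, or None if the address is external."""
    for net in INTERNAL_NETS:
        if addr in net:
            return net
    return None


def classify(alert):
    """Direction of the flow relative to the internal ranges."""
    src_net, dst_net = internal_net(alert["src"]), internal_net(alert["dst"])
    if src_net and dst_net:
        return "internal-only"   # both ends inside: should not be crossing WAN
    if src_net:
        return "outbound"
    if dst_net:
        return "inbound"
    return "transit"


def suppress_line(alert):
    """Snort suppress directive silencing this gid/sid for the internal source range."""
    net = internal_net(alert["src"])
    return f"suppress gen_id {alert['gid']}, sig_id {alert['sid']}, track by_src, ip {net}"


def triage(lines):
    """Count alerts per direction and collect suppress lines for internal-only ones."""
    counts = Counter()
    suppress = set()
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None:
            counts["unparsed"] += 1
            continue
        kind = classify(alert)
        counts[kind] += 1
        if kind == "internal-only":
            suppress.add(suppress_line(alert))
    return dict(counts), sorted(suppress)


# Constructed sample alerts modelled on the messages quoted in the thread.
SAMPLE_ALERTS = [
    "01/28/15-15:33:50.001234  [**] [122:23:1] (portscan) UDP Filtered Portsweep [**] "
    "[Priority: 3] {PROTO:255} 10.10.3.25 -> 10.0.1.10",
    "11/03/14-14:05:11.000001  [**] [1:1000001:1] GPL SHELLCODE x86 0x90 unicode NOOP [**] "
    "[Classification: Executable code was detected] [Priority: 1] {TCP} 10.10.3.25:51234 -> 10.0.2.15:8080",
    "01/21/15-15:46:05.000002  [**] [1:1000002:1] ET POLICY Java Url Lib User Agent Web Crawl [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.2.15:43210 -> 203.0.113.10:80",
    "08/30/14-08:47:03.000003  [**] [1:1000003:1] ET POLICY DNS Update From External net [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 198.51.100.7:5353 -> 10.0.0.5:53",
]

if __name__ == "__main__":
    counts, suppress = triage(SAMPLE_ALERTS)
    print(counts)
    for s in suppress:
        print(s)
```

An "internal-only" hit on the WAN instance means Snort captured a packet on that interface whose endpoints are both behind the firewall; the `suppress` lines can be pasted into the pfSense Snort suppress list for that interface, but they only hide the symptom, and the better fix is to find out why those frames are reaching the WAN capture point at all.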