Netgate Discussion Forum

    Strange snort's portscan detection

    pfSense Packages
    2 Posts 2 Posters 1.4k Views
    A999:

      Hi,

      I'm running pfSense 2.2-RELEASE amd64 in our network and I'm having a strange issue with snort and portscan detection.

      My network diagram is as below:

      The Snort package was installed and enabled on all interfaces in PFS1, and only its WAN interface had "Block Offenders" enabled. After upgrading to 2.2, I enabled Portscan Detection on the WAN interface with default settings. Since then the WAN snort alerts have many entries where clients from the 10.10.0.0 network access servers inside the 10.0.0.0 network, with reasons such as:

      (portscan) UDP Filtered Portsweep - 01/28/15-15:33:50
      ET POLICY DNS Update From External net - 08/30/14-08:47:03
      (ftp_telnet) FTP response message was too long - 11/08/14-10:46:10
      GPL SHELLCODE x86 0x90 unicode NOOP - 11/03/14-14:05:11
      ET POLICY Java Url Lib User Agent Web Crawl - 01/21/15-15:46:05

      Okay, our company is using VERY old software (Java, JBoss, etc.), but I wonder why these alerts for internal networks appear on the WAN interface? PFS1 has a static route to 10.0.0.0/20 with R0 as the gateway, and the OPT1 interface also has a static route.

      Without "portscan detection", pfSense won't fire these alerts.

    BBcan177 (Moderator):

        Snort puts the interface in promiscuous mode so it's seeing any traffic on the selected interface.

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/
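To tell which of those WAN alerts are really internal-to-internal traffic that the promiscuous interface picked up, rather than anything arriving from the outside, a small triage pass over Snort's alert_fast log is enough. This is an added example, not code from the thread or from the pfSense Snort package: the alert lines and their gid:sid values are constructed, 203.0.113.7 is a TEST-NET address, and the 10.10.0.0 client network is assumed to be a /16 because the post gives no mask (10.0.0.0/20 is taken from the question).

```python
import ipaddress
import re

# Internal prefixes taken from the question: 10.0.0.0/20 behind R0, and the
# 10.10.0.0 client network, whose mask the post omits (/16 is an assumption).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/20"),
                 ipaddress.ip_network("10.10.0.0/16")]

# Snort alert_fast layout: timestamp [**] [gid:sid:rev] message [**]
# [Classification/Priority ...] {proto} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$")

def is_internal(ip):
    """True if the address falls inside one of the site's own prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_alert(line):
    """Parse one alert_fast line; returns None for lines that do not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["internal_only"] = is_internal(rec["src"]) and is_internal(rec["dst"])
    return rec

def triage(lines):
    """Split alerts into internal-to-internal ones (traffic the WAN NIC only
    sees because Snort runs it promiscuously) and everything else."""
    internal, external = [], []
    for line in lines:
        rec = parse_alert(line.strip())
        if rec is not None:
            (internal if rec["internal_only"] else external).append(rec)
    return internal, external

# Constructed sample log lines (gid:sid values invented; 203.0.113.0/24 is TEST-NET).
SAMPLE_ALERTS = [
    "01/28/15-15:33:50.123456 [**] [122:23:1] (portscan) UDP Filtered Portsweep [**] "
    "[Priority: 3] {PROTO:255} 10.10.0.25 -> 10.0.1.10",
    "01/21/15-15:46:05.000001 [**] [1:9000001:2] ET POLICY Java Url Lib User Agent Web Crawl "
    "[**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} "
    "10.10.2.8:49210 -> 10.0.0.5:8080",
    "01/29/15-09:12:00.500000 [**] [1:9000002:5] GPL SHELLCODE x86 0x90 unicode NOOP [**] "
    "[Classification: Executable code was detected] [Priority: 1] {TCP} 203.0.113.7:80 -> 10.0.0.5:51002",
]
```

Run `triage()` over the real alert_fast log and only the second list deserves attention on the WAN interface; the first list is the same internal traffic that would otherwise be inspected on the LAN or OPT1 instances.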
