Portscan Alerts from WAN, not showing in LAN
-
Title says most of it. I am running snort in a test lab with one client on the LAN before placing into HA environment and am getting alerts portscan alerts where my WAN IP is the source on the WAN interface alerts, but nothing is coming up on my LAN interface alerts.
Anyone know why this is or how to fix it?
Or if anyone knows why there are portscans being done by my IP that I am not doing? False positives? Portscans are something management likes to keep an eye on so I would not want to disable any portscan rules, but just want to make sure everything is working order.
-
The portscan preprocessor in Snort seems to have a "hair trigger", and in my opinion at least, it produces more than a few false positives. There are some tuning tweaks available on the PREPROCESSORS tab for a Snort interface. You can research what the settings do in the Snort documentation posted at snort.org. I have greatly dialed down the sensitivity settings on the portscan preprocessor on my home firewall. That has reduced the false positive rate for me.
One thing that may contribute to the high false-positive rate with Snort on pfSense is the method used to sniff incoming packets. Snort puts the interface into promiscuous mode. This means it's going to see everything, including stuff not really meant for that interface.
Bill