Netgate Discussion Forum
    Snort - portscan/Portsweep from WAN interface suddenly

    IDS/IPS
    5 Posts, 4 Posters, 1.5k Views
    dgcom

      Hi!

      Last night, after automatically getting the latest updates and Snort reloading, new alerts from the WAN interface started filling the logs with portscan triggers where the source is my IP and the destination is many regular sites (Google, Facebook…).

      I added gen_id 122, sig_id 3/7/23/26 to the suppress list for now, but I would like to know what might have happened suddenly.
      Shouldn't the Snort pre-processor ignore alerts if the source is my WAN IP but the traffic actually originates from the LAN?
      My IP did not change...
      Can something in the new rules break it?

      I do not want to ignore incoming portscans, but I do not care if it is outbound. How do I avoid Snort blocking this?

      DG

      vbentley

        What if you have a compromised host in your network that is port scanning as a precursor to propagating malware? Not interested in that?

        BBcan177 (Moderator)

          You can also adjust the sensitivity of the port scanner pre-processor and also add exclusions.

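The original poster suppressed gen_id 122 by sig_id alone, which also hides inbound portscan alerts; the moderator's reply points at exclusions instead. The script below is an added example (mine, not code from the thread, from Snort or from the pfSense package) of the check a practitioner would run before editing the suppress list: read Snort alert_fast lines, keep only gen_id 122 events, classify each as outbound (source is the WAN address) or inbound (destination is the WAN address), and emit suppress entries scoped with `track by_src, ip <WAN>` so that only scans apparently sourced from the firewall's own address are silenced. The WAN address 203.0.113.7, the remote hosts and the alert lines are constructed placeholders, not data from the post.

```python
import ipaddress
import re
from collections import Counter

# Snort's portscan preprocessor generator ID (the gen_id the post suppresses).
PORTSCAN_GID = 122

# Assumed WAN address for this example (documentation range, not the poster's IP).
WAN_IP = ipaddress.ip_address("203.0.113.7")

# Constructed sample lines in Snort alert_fast format; not taken from the thread.
# Line 4 is an inbound sweep against the WAN IP, line 5 is a non-portscan alert.
SAMPLE_ALERTS = """\
06/02-01:12:03.521118  [**] [122:3:1] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 203.0.113.7 -> 198.51.100.40
06/02-01:12:04.110042  [**] [122:7:1] (portscan) TCP Filtered Portsweep [**] [Priority: 3] {PROTO:255} 203.0.113.7 -> 198.51.100.41
06/02-01:12:09.004311  [**] [122:23:1] (portscan) UDP Portsweep [**] [Priority: 3] {PROTO:255} 203.0.113.7 -> 198.51.100.53
06/02-01:13:15.778210  [**] [122:3:1] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 192.0.2.99 -> 203.0.113.7
06/02-01:13:40.000112  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.0.2.99 -> 203.0.113.7
06/02-01:14:00.000001  [**] [1:1000001:1] LOCAL example rule [**] [Priority: 2] {TCP} 198.51.100.40:80 -> 203.0.113.7:51234
"""

# Matches "[gid:sid:rev] msg [**] ... src -> dst" in an alert_fast line.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?\s"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def strip_port(addr: str) -> str:
    """Drop a trailing ':port' from an IPv4 endpoint; bare addresses pass through."""
    host, sep, port = addr.rpartition(":")
    if sep and port.isdigit() and host.count(".") == 3:
        return host
    return addr


def classify_portscans(lines, wan_ip):
    """Count gen_id 122 alerts by (sig_id, direction) relative to the WAN address.

    Outbound: the firewall's WAN IP is the reported scanner (NATed LAN traffic).
    Inbound: something on the Internet is sweeping the WAN IP.
    """
    counts = Counter()
    for line in lines:
        m = ALERT_RE.search(line)
        if not m or int(m["gid"]) != PORTSCAN_GID:
            continue  # not a portscan-preprocessor alert
        src = ipaddress.ip_address(strip_port(m["src"]))
        dst = ipaddress.ip_address(strip_port(m["dst"]))
        if src == wan_ip:
            direction = "outbound"
        elif dst == wan_ip:
            direction = "inbound"
        else:
            direction = "other"
        counts[(int(m["sid"]), direction)] += 1
    return counts


def suppress_lines(counts, wan_ip):
    """Build Snort suppress entries for sig_ids seen outbound.

    'track by_src, ip <WAN>' limits each entry to alerts whose source is the
    WAN address, so the same sig_id fired by an external scanner still alerts.
    """
    outbound = {sid for (sid, direction) in counts if direction == "outbound"}
    return [
        f"suppress gen_id {PORTSCAN_GID}, sig_id {sid}, track by_src, ip {wan_ip}"
        for sid in sorted(outbound)
    ]


if __name__ == "__main__":
    summary = classify_portscans(SAMPLE_ALERTS.splitlines(), WAN_IP)
    for (sid, direction), n in sorted(summary.items()):
        print(f"gen_id {PORTSCAN_GID} sig_id {sid:<3} {direction:<9} {n}")
    print()
    print("\n".join(suppress_lines(summary, WAN_IP)))
```

Run it against the real alert file (`/var/log/snort/snort_<iface><id>/alert` on pfSense) instead of the sample to confirm that every unexpected sig_id is only ever outbound before suppressing. A plain `suppress gen_id 122, sig_id 3` entry, as in the original post, drops inbound sweeps as well; the `track by_src, ip` form keeps them. Snort's sfportscan preprocessor also accepts an `ignore_scanners { <addr> }` list, which achieves the same scoping at the preprocessor rather than the suppress stage.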
            dgcom

            @vbentley:

            What if you have a compromised host in your network that is port scanning as a precursor to propagating malware? Not interested in that?

            For that, I have Snort configured on the internal interface as well. I think there was something wrong with the Snort rules update that day.

            DG

              rebytr

              I'm seeing the same thing. I just noticed it today, but I'm not sure how long it's been occurring. I was running Snort rules from Jun 1st and EMThreat rules from Jun 2nd and still seeing problems. Snort is blocking Facebook, Google, Bing and others. I forced an update and both rulesets are now dated Jun 2. We'll see if that fixes it.

              I've always had my portscan sensitivity set to "low" and haven't changed anything with my Snort setup for months.  So hoping it was just a bad batch of rules.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.